Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers

Laurence Lundblade <lgl@island-resort.com> Tue, 08 March 2022 17:07 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CD993A1039 for <cose@ietfa.amsl.com>; Tue, 8 Mar 2022 09:07:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sEFAaMP-k15z for <cose@ietfa.amsl.com>; Tue, 8 Mar 2022 09:07:41 -0800 (PST)
Received: from p3plsmtpa09-07.prod.phx3.secureserver.net (p3plsmtpa09-07.prod.phx3.secureserver.net [173.201.193.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1F193A101E for <cose@ietf.org>; Tue, 8 Mar 2022 09:07:40 -0800 (PST)
Received: from [192.168.1.4] ([75.80.148.139]) by :SMTPAUTH: with ESMTPA id RdJCnq7lFtOvYRdJDn2NFz; Tue, 08 Mar 2022 10:07:39 -0700
X-CMAE-Analysis: v=2.4 cv=XdVMcK15 c=1 sm=1 tr=0 ts=62278d5b a=qS/Wyu6Nw1Yro6yF1S+Djg==:117 a=qS/Wyu6Nw1Yro6yF1S+Djg==:17 a=pGLkceISAAAA:8 a=NEAV23lmAAAA:8 a=2WIpINz01oCQ8NUPD1IA:9 a=QEXdDO2ut3YA:10 a=JQMc0q4Xmx1bdNtOLOEA:9 a=dgXcGolUOold_1Er:21 a=_W_S_7VecoQA:10
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <9D98038E-E44B-4B99-851A-A52CF12A7C89@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E47DA0F9-DED3-41EA-87FD-3BC63354C33F"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Tue, 8 Mar 2022 09:07:38 -0800
In-Reply-To: <634f9e86-499d-5510-c96c-493ff81f953c@gmail.com>
Cc: Carsten Bormann <cabo@tzi.org>, "cose@ietf.org" <cose@ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, Hannes Tschofenig <hannes.tschofenig@arm.com>, Tobias Looker <tobias.looker@mattr.global>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
References: <SY4P282MB1274BCAC469DFE3B7284DFB29D039@SY4P282MB1274.AUSP282.PROD.OUTLOOK.COM> <DBBPR08MB5915A5EE40B555A4953E7BA0FA039@DBBPR08MB5915.eurprd08.prod.outlook.com> <SJ0PR00MB10050EBE6EAB4E80584A31B9F5039@SJ0PR00MB1005.namprd00.prod.outlook.com> <280EEA8E-67E4-4E7A-94A6-8C0A60048F81@island-resort.com> <36e34eb7-ee20-3644-4383-1c3f72279fc3@gmail.com> <DBBPR08MB59154C935195F0ADEFD0EC4BFA049@DBBPR08MB5915.eurprd08.prod.outlook.com> <SJ0PR00MB10051A6A8F8D3C9F87896899F5049@SJ0PR00MB1005.namprd00.prod.outlook.com> <f4dd91ee-b6e1-2dd4-abaa-21e75b3106b1@gmail.com> <9E9D10FB-54D6-499C-918B-DA6E7D9E1CF1@tzi.org> <634f9e86-499d-5510-c96c-493ff81f953c@gmail.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfG1Y020DKj6yw9zBTVahfidxASvt16Q64F/OX0R4hvP9/t0q+YLtePjMH/rXc2akaOPw4WT31PPAosyGLePpOJf4vc7jPkIzY9xgS5nxCaSBGmziGrW+ 7iL1j4cZB9p7ZKSHPhzZv9yeGbmukLGkgInV+9bL0+hUBsa6C2oa30KpYkWXZVx3t8dN1k62W1pSUVOQcNjwhw91JYx35XY7XXSbaAogqgdhts7cbjQ9M/ya lgkcgE/4nc2wGhdAFb5qbUY9HwZfcowU39owWQmqXhtuTvrciieHRVO068RTsv7dLGEaVgGX8BYXc0jjHS5wA8ShMLmvc5cmfhGHH98Xe67z6BLh/Y48dqxn OjlQwwUxjslxGaGQ36b3o5QU2So1jg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/tM_oydeLzmZjM3H7MJnPBrmI9So>
Subject: Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2022 17:07:43 -0000

> On Mar 7, 2022, at 9:23 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> On 2022-03-04 8:08, Carsten Bormann wrote:
>> On 2022-03-04, at 07:54, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>> 
>>> - Collect key and algorithm data from the authorization signature object.
>>> - Save and Remove FIDO "authenticatorData" and FIDO "signature" from the CBOR container.
>> This is what we called the “transform” in the beloved XMLDSig.
>> The complexities of this step can be the basis of interesting vulnerabilities (or interoperability failures).
> 
> Since I had not worked with low-level encoders and decoders, I spent a couple of days in the lab (kitchen actually).
> 
> To not be dependent on my own stuff (which of course works flawlessly since it was from the beginning designed with FIDO in mind), I applied the more universal CSF (CBOR Signature Format) to Laurence's excellent QCBOR library.  This is what I came up with:
> https://github.com/cyberphone/D-CBOR/blob/main/verify-demo/csf-verifier.c

Your code accesses private QCBOR data structures to make this work, but no fear because 1) this part of QCBOR is not going to change and 2) I’m working on a PR to allow access to encoded maps and arrays <https://github.com/laurencelundblade/QCBOR/pull/117>. (I’m  bit bogged down on QCBOR PRs these days)

> The actual transform part is performed by FOUR LINES of C.  This was a surprise even to me.
> 
> Carsten, you should be proud; CBOR is the by far best data interchange format for blending with cool cryptographic constructs!
> 
> Could wrapping your precious data in bstr just in order to sign it, be headed for obsolescence? :)

I suspect not because decoders in other languages won’t be so easy to modify for this.

LL