IETF Logo Mail Archive

Re: [jose] [COSE] Multiple Suffixes with JOSE and COSE media types

Orie Steele <orie@transmute.industries> Wed, 19 July 2023 23:04 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFA07C151717 for <jose@ietfa.amsl.com>; Wed, 19 Jul 2023 16:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZAlqAvHkhaU for <jose@ietfa.amsl.com>; Wed, 19 Jul 2023 16:04:34 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03DABC15E406 for <jose@ietf.org>; Wed, 19 Jul 2023 16:04:24 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-4fdb3f66fd6so224078e87.3 for <jose@ietf.org>; Wed, 19 Jul 2023 16:04:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1689807863; x=1690412663; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=PNhcYOYfoCQnJ842YVXB3aOTmgPSb+YYD0ohfa/q5YI=; b=Moe2QborejAyc/wCPBdYv0K9Sfe/2RXpkkPl5LBpntIyj9E4sn7rz8aAOWFq7D0LR1 Z4acNvGNvnxxE14uvgtkJwQ5Aq6Q8/mt00eFv89EC9IaBW1k2BuKOxG/JiJ64+0pemaE AtwvuKF1wLLFrtotdtgKF20Ywkam4yonpQrUjDUBiszQ3FFGMlUrC2C2I89ZtS9ogTzb pkcG5NSkEF1lIC3VqlFj2hGsqpKI0fAQzvTgHK4se6MyjkIcipWD6kPtUrcGkX7DhZkE dk1qmiWCk1XUhB66/+JNMQp1TXoIa43314Dp7S/ElWsNB+B4kO7kK/P1h11UlRTIkxcT yJFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689807863; x=1690412663; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PNhcYOYfoCQnJ842YVXB3aOTmgPSb+YYD0ohfa/q5YI=; b=ckHdmGT2BcAdvi0PZqCTN17i4VU0MindIh7+XezaSENrliOVpAIiwm/xgSkQYfzteM LmCCO8c3i4gtpQwWEdGcZg23aEJCFuMT5ZKYvk5xCzsTLPJfdvoiyBZH5h0rHrZOvDm6 URtvCj20r4IHa3+Nj5kcbTBxWDBT893ui99oXk0wxAadC2FykIcRmT4XYl4og70uVAAB zOOxHZ2otH/VWYc3nRghWP16dd80QbAG1KdnOBMSSchCvmo3fLf7C2kQNUAvPURlFaYf Sap6PnY65BVJZmeH/Q8hvrQiVSi2XpeLehuEL1406BQJZ4OPLRTqn46QKfH8qtAVHiA1 fRCg==
X-Gm-Message-State: ABy/qLZe+ODGFCCCoUxV1vZF8m4BWqne6+7II84B/WVBTSV4I/rj4hmb 6hu3448AE8A+RGdhnIyVuvlJXog6YnJBxYsgy8u8/g==
X-Google-Smtp-Source: APBJJlFpknVee5W6lRfg6j4XrOq3V7W4mxD1z5mx1k1JglemeIX3IHh1bL4fqFENDjOznrJnXney+rQNwDMCgxGFQjA=
X-Received: by 2002:a05:6512:36c5:b0:4f8:6d53:a692 with SMTP id e5-20020a05651236c500b004f86d53a692mr802350lfs.61.1689807862463; Wed, 19 Jul 2023 16:04:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_JWY35sVKWH2Ly85c30_zHJuBLP9kO21MJfSFaMOv4PYQ@mail.gmail.com> <29331.1689803277@localhost>
In-Reply-To: <29331.1689803277@localhost>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 19 Jul 2023 18:04:11 -0500
Message-ID: <CAN8C-_+_t-oLwFZf-X9jupwbmG_jMgiN54ToJ4PrG2bvZrUT=w@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Manu Sporny <msporny@digitalbazaar.com>
Cc: media-types@ietf.org, JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000061969c0600df0d3a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/P5Pp-cJJH42R8j9OJwuRwW1L7Uw>
Subject: Re: [jose] [COSE] Multiple Suffixes with JOSE and COSE media types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2023 23:04:39 -0000

Inline:

On Wed, Jul 19, 2023 at 4:48 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Orie Steele <orie@transmute.industries> wrote:
>     >
> https://github.com/w3c/vc-jose-cose/pull/123#pullrequestreview-1537381740
>     > Summarizing for folks who won't read the above link.
>
> Yeah, that discussion seems allover the place :-(
>
>     > The include:
>
>     > https://github.com/w3c/did-core - requests `did+ld+json`.
>     > https://github.com/w3c/vc-data-model - requests `vc+ld+json`.
>
>     > Also a quick note that the W3C Tag has an open issues related to this
>     > topic: https://github.com/w3ctag/design-principles/issues/239
>
>     > The problem we are having is that it is not clear how multiple
> suffixes
>     > apply to envelope formats, like JOSE and COSE.
>
> Agreed.
>
>     > For example:
>
>     > Should it be `application/vc+ld+json+jwt` or `application/vc+ld+jwt`
>     > (because JWT always secures a JSON claimset and a JSON header).
>
> I'm not even sure I know what the "+ld" part is supposed to imply or
> permit.
>

https://w3c.github.io/json-ld-syntax/#application-ld-json

TLDR; JSON-LD is a syntax for RDF that is both JSON and RDF.

+ld+json is a structured suffix for saying that some JSON is also JSON-LD.


> Are there VCs which are *NOT* LD, but are also still JSON (JOSE)?
>
>
Depends on who you ask...
Speaking for myself and friends who I work with on this stuff at W3C, IETF
and OIDF.... Our answer is YES.

- https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt
- https://datatracker.ietf.org/doc/draft-terbu-oauth-sd-jwt-vc
-
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-2
-
https://openid.net/specs/openid-connect-userinfo-vc-1_0.html#name-userinfo-vc-verification


>     > Similar question for COSE, should it be
> `application/vc+ld+json+cose` ?
>
> Typo for vc+ld+cbor+cose?  What would the LD mean here?
>
>
It doesn't mean anything today, but it might mean:

https://digitalbazaar.github.io/cbor-ld-spec/

...in the future, which is basically a semantic compression on JSON-LD that
exploits RDF to transform JSON-LD into CBOR.


> To me, there are two things that the media types need to convey.
>
> a) to some tool looking at content from the outside.  Debugger, wireshark,
>    (including humans pasting stuff at each other through chat during an
>    online interop session).
>
> Do I know how to decode this stuff in a useful way?
> For +gz (and a few others) there is a very strong utility here.
> The computer can decompress the content easily, and the human (looking a
> hex-dump or equivalent) can *NOT*.
> {I used to be able to read 6502 machine code in hex, and I know people who
> still can, but I can't decompress anything in my head}
>
> That +jwt is useful because it means that the human being aided by a
> competent debugger can easily see which parts are the signature, and which
> parts are the different headers, payloads, and which need to have their
> base64url encoding removed and reparse.  I don't see any other use.
>
>
Yes I agree, +jwt lets intermediate processors consider the header and
claimset as JSON...

even if they don't know what a "vc" or "dpop" is... see also
https://www.iana.org/assignments/media-types/application/dpop+jwt


> b) Accept: headers tell the responder what kinds of things the requester is
>    willing to accept. Again here, the +gz is very easy to add and cope with
>    at a generic level.
>    The +jwt isn't: you either know you are signing the VC, or you don't
> know
>    what a VC is.
>
>
Not sure I agree, consider an API that issues tokens that comply with
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp-07#section-3.11

POST /token/issue
--content-type application/json
--accept application/dpop+jwt
--accept application/vc+jwt
--accept application/at+jwt

The server might apply different validation to the post body depending on
what the client requested...
for "dpop" it might require "cnf"...
for "vc+ld+json+jwt" it might require `@context` (a JSON-LD thing)...
for "vc+sd-jwt" it might NOT require an `@context` (not all VCs are JSON-LD)
for "vc+ld+json+sd-jwt" it might require an `@context` ... etc...

The content type going in is always application/json...  (or sometimes
application/ld+json)....
...but 400 errors come out when the json is not capable of supporting the
normative requirements associated with a more specific token type...

For example:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/406
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/415
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/422


> Again, I don't what information "+ld" is conveying. That's probably on me
> though.
>
>
+ld by itself is not conveying anything (unless it was registered)... but
`+ld+json` would convey that the JSON is also some encoding of RDF, see

- https://w3c.github.io/json-ld-syntax/#interpreting-json-as-json-ld
- https://w3c.github.io/json-ld-syntax/#relationship-to-rdf


> Regardless, ANIMA is having similar difficulties as we could easily build
> multiple + into our media-types, and our documents are basically all in
> WGLC
> (because of circular dependancies), and this topic is holding us up.
>
>
IMO, if it's possible to avoid multiple suffixes, it should be avoided...

+sd-jwt could have been +sd+jwt... but there have been a lot of open
questions on multiple suffixes,
I think they made the right call
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-05#name-structured-syntax-suffix-re

The outermost thing is also "debatably" not a JWT, because of it using ~
character in its encoding...

We'd sure like media-man to make some progress.
> There might not be time or the right constituency at IETF117 to do this, so
> maybe a virtual interim and/or wide-ranging design team meeting is in
> order.
>
>
I know @Manu Sporny <msporny@digitalbazaar.com> has been doing most of the
work on this, with pretty limited feedback...
I've been trying to raise awareness because of the related work at W3C
which depends on multiple suffixes.

I don't know if his other co-authors are active on the draft, but I agree
that it would be nice to accelerate the development pace if possible.


> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT
> architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email