IETF Logo Mail Archive

Re: [jose] [EXT] Re: [COSE] Multiple Suffixes with JOSE and COSE media types

Orie Steele <orie@transmute.industries> Thu, 20 July 2023 17:51 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68826C14F73F for <jose@ietfa.amsl.com>; Thu, 20 Jul 2023 10:51:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JncA7Em1haIF for <jose@ietfa.amsl.com>; Thu, 20 Jul 2023 10:51:18 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67A54C14CE2C for <jose@ietf.org>; Thu, 20 Jul 2023 10:51:18 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-51de9c2bc77so1450729a12.3 for <jose@ietf.org>; Thu, 20 Jul 2023 10:51:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1689875477; x=1690480277; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9A26mdgF+zntiwOrF93YO0276qMZHh6cSaiypGhSxYU=; b=UG2+D5P2hxnDScGQQTUsF9yrZdjYk82BaKhjQ6F+ImloKjhQAbvdRK658YCCUMHwAb IyMNuwUwMaiHwwsyQDq/URncBpAv1lgTPZxW/5YxuoimALNj6HgihCCc0kRWXXIhsbn9 30qv5vBbPmS6m1yz2Khn+NewEKKvUkbBAwKi9WOxarSETVP+Jel4erEDWxqLy7E7Wy3g nCQ9RPjC4sWdStugC+PDqfbCGeMG0BKbHHTKCRz7uSh42inQF+5MHpT31g6xYiUg+7IG EUmPCnCMsch245S1Jbp61fgrGtI0hiN6U9OpA7zpVTcDSQF1ywHGluItbUnzf4GIUHqv uqmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689875477; x=1690480277; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9A26mdgF+zntiwOrF93YO0276qMZHh6cSaiypGhSxYU=; b=JHTAQiJ0fRk1BC4HKGhlzoecc7IyCqbDb8ZbQS63BOXf2qLCulHONiJXzd8SWTLItp 0ArkPo6keSWbeWWC8GXV6TIgWpmqdBSddXmboiMkYyzSZ5qIVo+pxyeWd4JCMbllzeAu 3arUtRIi1TbC2bFpfW+vBDJ5KaF2gS4q292f/1Qbj8/m2+U/hV2ZAecNeiL7LXogFnoG AC7XC2IU+g622ixXGKiereyFPZlHPGrO5quqDwqe9AwC5sNIWYZ/qK2SXfKsJJK89vRf JVpECWssqs6fGz0Q4R0e300KINz5Fvhcw3VvJOh04+EMX9MkrgybY0j/l2dA2QQEkv9k a9aA==
X-Gm-Message-State: ABy/qLYWibyH+oeYC+voxRnuO7XdXQhIZfQX66SUTCQYiHO6l87ioGir 0OI0xTI/lgeSs8A43v95UABJGrUOOd7hx8zoozVAHQ==
X-Google-Smtp-Source: APBJJlETmO1fSgDJJfsfq8oAVzRTB0OacVkQs8vu4IpjtspYgJcXEkVVGFa9yqryMImOhxVQEs4xxKCqvl+aGJQcb7Y=
X-Received: by 2002:aa7:d848:0:b0:51e:2cdb:ed1f with SMTP id f8-20020aa7d848000000b0051e2cdbed1fmr5528603eds.9.1689875476724; Thu, 20 Jul 2023 10:51:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_JWY35sVKWH2Ly85c30_zHJuBLP9kO21MJfSFaMOv4PYQ@mail.gmail.com> <29331.1689803277@localhost> <CAN8C-_+_t-oLwFZf-X9jupwbmG_jMgiN54ToJ4PrG2bvZrUT=w@mail.gmail.com> <2381.1689809580@localhost> <CAN8C-_+baqRFa6vhQQ6mJbdwpQri6kNVOVOVJSyAHbRxpxNhUw@mail.gmail.com> <2228.1689815567@localhost> <CAN8C-_+_5KQPMRa11FTimVM7YD8TH7Mz6NjB1Lg9+iVOvjrDhA@mail.gmail.com> <30436.1689820710@localhost> <CAN8C-_LmdSF9T_UDPbTr1OLvBzd6AbSc_7PqhSVgJSUgJb4H6A@mail.gmail.com> <MN2PR13MB26083B8991A0AD480FCA37A8EE3EA@MN2PR13MB2608.namprd13.prod.outlook.com> <CAMBN2CT9Sps=K1zVQa7B=a_4oxktsmxjv0tWPuycmcs07HvhAA@mail.gmail.com>
In-Reply-To: <CAMBN2CT9Sps=K1zVQa7B=a_4oxktsmxjv0tWPuycmcs07HvhAA@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 20 Jul 2023 12:51:05 -0500
Message-ID: <CAN8C-_J_8Tinx5sqjN__Wnzz8WaCMvjViaLTjSuKL=wwySuagg@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Brent Zundel <Brent.Zundel@gendigital.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "media-types@ietf.org" <media-types@ietf.org>, JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008155e10600eecb5f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Ssn4G7vgwszla0DL6PD5M5FtXfA>
Subject: Re: [jose] [EXT] Re: [COSE] Multiple Suffixes with JOSE and COSE media types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 17:51:22 -0000

Inline:

On Thu, Jul 20, 2023 at 11:42 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On Thu, Jul 20, 2023 at 12:07 PM Brent Zundel
> <Brent.Zundel@gendigital.com> wrote:
> > So you don't need to register weird and useless stuff like +ld+jwt, or
> +json+jwt if you don't have a need to use them by themselves... If that
> changes in the future and someone really needs +ld+jwt... They can claim
> it, by writing a specification and getting it to RFC.
> >
> > If the draft says this explicitly the problem with suffixes seems solved.
> >
> > Is it possible to get this language in?
>
> Yes, as long as the various WGs agree with the change.
>
> I'll note that "application/vc+ld+jwt" would set a bad precedent as
> both "application/vc" and "application/vc+ld" don't exist -- and
> shouldn't exist as both are abstract data models (not
> serializations)... they are only realized when serialized to
> "application/vc+ld+json". Anyone attempting to register them needs to
> involve all of the communities that that particular discussion
> impacts.
>
>
Yes, grateful for the feedback we have gotten from COSE and JOSE on this
topic.


> Suggestions to register "application/vc+ld+jwt" are problematic
>

I agree they are problematic...
but the problem is in the multiple suffixes draft, not the RFCs that
registered `+jwt`...
because of how time flows in one direction sadly.


> because they seem to presume that a downstream processor might know
> that when processing "application/vc+ld+jwt" as "+jwt", that handing
> off "application/vc+ld" further down the processing chain doesn't make
> sense and that they'd have to "fix up" the media type to
> "application/vc+ld+json" before sending it on for further
> processing...


I agree with this, additional language will clarify for any suffix that
includes assumptions regarding other media types:

`+jwt` secures `application/json` (already a registered structured suffix)

`+cwt` secures `application/cbor` ( registration requests exist...
https://www.ietf.org/archive/id/draft-ietf-rats-eat-media-type-02.html#section-6.1
 )

`+cose` secures an envelope that is `application/cbor` and a payload of
type `content_type` (
https://github.com/anima-wg/constrained-voucher/issues/264 )

`+jose` secures an envelope that is `application/json` and a payload of
type `cty` (AFAIK, nobody is planning to register this as of right now).

You might consider these last 2 special cases of multipart content types...
when their headers include `content_type` or `cty`.

https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.6

which they'd need special knowledge to do (and anything
> just processing as a +jwt wouldn't have that specialized knowledge, in
> many cases).
>
That said, we should leave that discussion up to the WG that's
> registering the media type as long as it doesn't have a negative
> impact on the rest of the media type ecosystem (as long as it isn't
> setting a bad/dangerous precedent). We should probably ask them to
> explain why it's safe to do what they're doing and how systems just
> looking at the media type would be able to determine how to do
> structured suffix processing by just looking at the media type.


That's what we are doing right now?

COSE and JOSE lists are on this thread.


> In the
> end, it might just end up negatively impacting the community that
> chose the media type (that presumes a particular encoding associated
> with another registered media) in the first place.
>
>
Yes this is my concern for +jwt... it presumes +json.


> I suggest that the right thing to do here is probably require
> "+json+jwt"... but understand that is probably not going to be
> acceptable to the JWT community given that they've already registered
> a number of media types that don't fit that pattern.


Yes, I agree that this is the concern that needs clarification.


> They might need
> to include language on "equivalent processing" when it comes to the
> end product of "+jwt" structured suffix processing... which could be
> "treat it as application/json even though +json doesn't exist anywhere
> in the media type" or "you can safely assume a +json at the end of the
> decoded media type and process accordingly if you want to process
> using the structured suffix rules".
>

Yes exactly this... but with a few extra issues:

1. header and payload are potentially both relevant to +jwt considering
them both to be +json implicitly (so not just payload).
2. Same issues apply to +cwt
3. Is decoding the expected processing for a JWT? or is "verifying" the
expected processing?... does this interact with 1 and 2 consistently.



>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email