Re: [jose] [EXT] Re: [COSE] Multiple Suffixes with JOSE and COSE media types
Orie Steele <orie@transmute.industries> Thu, 20 July 2023 17:51 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68826C14F73F for <jose@ietfa.amsl.com>; Thu, 20 Jul 2023 10:51:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JncA7Em1haIF for <jose@ietfa.amsl.com>; Thu, 20 Jul 2023 10:51:18 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67A54C14CE2C for <jose@ietf.org>; Thu, 20 Jul 2023 10:51:18 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-51de9c2bc77so1450729a12.3 for <jose@ietf.org>; Thu, 20 Jul 2023 10:51:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1689875477; x=1690480277; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9A26mdgF+zntiwOrF93YO0276qMZHh6cSaiypGhSxYU=; b=UG2+D5P2hxnDScGQQTUsF9yrZdjYk82BaKhjQ6F+ImloKjhQAbvdRK658YCCUMHwAb IyMNuwUwMaiHwwsyQDq/URncBpAv1lgTPZxW/5YxuoimALNj6HgihCCc0kRWXXIhsbn9 30qv5vBbPmS6m1yz2Khn+NewEKKvUkbBAwKi9WOxarSETVP+Jel4erEDWxqLy7E7Wy3g nCQ9RPjC4sWdStugC+PDqfbCGeMG0BKbHHTKCRz7uSh42inQF+5MHpT31g6xYiUg+7IG EUmPCnCMsch245S1Jbp61fgrGtI0hiN6U9OpA7zpVTcDSQF1ywHGluItbUnzf4GIUHqv uqmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689875477; x=1690480277; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9A26mdgF+zntiwOrF93YO0276qMZHh6cSaiypGhSxYU=; b=JHTAQiJ0fRk1BC4HKGhlzoecc7IyCqbDb8ZbQS63BOXf2qLCulHONiJXzd8SWTLItp 0ArkPo6keSWbeWWC8GXV6TIgWpmqdBSddXmboiMkYyzSZ5qIVo+pxyeWd4JCMbllzeAu 3arUtRIi1TbC2bFpfW+vBDJ5KaF2gS4q292f/1Qbj8/m2+U/hV2ZAecNeiL7LXogFnoG AC7XC2IU+g622ixXGKiereyFPZlHPGrO5quqDwqe9AwC5sNIWYZ/qK2SXfKsJJK89vRf JVpECWssqs6fGz0Q4R0e300KINz5Fvhcw3VvJOh04+EMX9MkrgybY0j/l2dA2QQEkv9k a9aA==
X-Gm-Message-State: ABy/qLYWibyH+oeYC+voxRnuO7XdXQhIZfQX66SUTCQYiHO6l87ioGir 0OI0xTI/lgeSs8A43v95UABJGrUOOd7hx8zoozVAHQ==
X-Google-Smtp-Source: APBJJlETmO1fSgDJJfsfq8oAVzRTB0OacVkQs8vu4IpjtspYgJcXEkVVGFa9yqryMImOhxVQEs4xxKCqvl+aGJQcb7Y=
X-Received: by 2002:aa7:d848:0:b0:51e:2cdb:ed1f with SMTP id f8-20020aa7d848000000b0051e2cdbed1fmr5528603eds.9.1689875476724; Thu, 20 Jul 2023 10:51:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_JWY35sVKWH2Ly85c30_zHJuBLP9kO21MJfSFaMOv4PYQ@mail.gmail.com> <29331.1689803277@localhost> <CAN8C-_+_t-oLwFZf-X9jupwbmG_jMgiN54ToJ4PrG2bvZrUT=w@mail.gmail.com> <2381.1689809580@localhost> <CAN8C-_+baqRFa6vhQQ6mJbdwpQri6kNVOVOVJSyAHbRxpxNhUw@mail.gmail.com> <2228.1689815567@localhost> <CAN8C-_+_5KQPMRa11FTimVM7YD8TH7Mz6NjB1Lg9+iVOvjrDhA@mail.gmail.com> <30436.1689820710@localhost> <CAN8C-_LmdSF9T_UDPbTr1OLvBzd6AbSc_7PqhSVgJSUgJb4H6A@mail.gmail.com> <MN2PR13MB26083B8991A0AD480FCA37A8EE3EA@MN2PR13MB2608.namprd13.prod.outlook.com> <CAMBN2CT9Sps=K1zVQa7B=a_4oxktsmxjv0tWPuycmcs07HvhAA@mail.gmail.com>
In-Reply-To: <CAMBN2CT9Sps=K1zVQa7B=a_4oxktsmxjv0tWPuycmcs07HvhAA@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 20 Jul 2023 12:51:05 -0500
Message-ID: <CAN8C-_J_8Tinx5sqjN__Wnzz8WaCMvjViaLTjSuKL=wwySuagg@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Brent Zundel <Brent.Zundel@gendigital.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "media-types@ietf.org" <media-types@ietf.org>, JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008155e10600eecb5f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Ssn4G7vgwszla0DL6PD5M5FtXfA>
Subject: Re: [jose] [EXT] Re: [COSE] Multiple Suffixes with JOSE and COSE media types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 17:51:22 -0000
Inline: On Thu, Jul 20, 2023 at 11:42 AM Manu Sporny <msporny@digitalbazaar.com> wrote: > On Thu, Jul 20, 2023 at 12:07 PM Brent Zundel > <Brent.Zundel@gendigital.com> wrote: > > So you don't need to register weird and useless stuff like +ld+jwt, or > +json+jwt if you don't have a need to use them by themselves... If that > changes in the future and someone really needs +ld+jwt... They can claim > it, by writing a specification and getting it to RFC. > > > > If the draft says this explicitly the problem with suffixes seems solved. > > > > Is it possible to get this language in? > > Yes, as long as the various WGs agree with the change. > > I'll note that "application/vc+ld+jwt" would set a bad precedent as > both "application/vc" and "application/vc+ld" don't exist -- and > shouldn't exist as both are abstract data models (not > serializations)... they are only realized when serialized to > "application/vc+ld+json". Anyone attempting to register them needs to > involve all of the communities that that particular discussion > impacts. > > Yes, grateful for the feedback we have gotten from COSE and JOSE on this topic. > Suggestions to register "application/vc+ld+jwt" are problematic > I agree they are problematic... but the problem is in the multiple suffixes draft, not the RFCs that registered `+jwt`... because of how time flows in one direction sadly. > because they seem to presume that a downstream processor might know > that when processing "application/vc+ld+jwt" as "+jwt", that handing > off "application/vc+ld" further down the processing chain doesn't make > sense and that they'd have to "fix up" the media type to > "application/vc+ld+json" before sending it on for further > processing... I agree with this, additional language will clarify for any suffix that includes assumptions regarding other media types: `+jwt` secures `application/json` (already a registered structured suffix) `+cwt` secures `application/cbor` ( registration requests exist... https://www.ietf.org/archive/id/draft-ietf-rats-eat-media-type-02.html#section-6.1 ) `+cose` secures an envelope that is `application/cbor` and a payload of type `content_type` ( https://github.com/anima-wg/constrained-voucher/issues/264 ) `+jose` secures an envelope that is `application/json` and a payload of type `cty` (AFAIK, nobody is planning to register this as of right now). You might consider these last 2 special cases of multipart content types... when their headers include `content_type` or `cty`. https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.6 which they'd need special knowledge to do (and anything > just processing as a +jwt wouldn't have that specialized knowledge, in > many cases). > That said, we should leave that discussion up to the WG that's > registering the media type as long as it doesn't have a negative > impact on the rest of the media type ecosystem (as long as it isn't > setting a bad/dangerous precedent). We should probably ask them to > explain why it's safe to do what they're doing and how systems just > looking at the media type would be able to determine how to do > structured suffix processing by just looking at the media type. That's what we are doing right now? COSE and JOSE lists are on this thread. > In the > end, it might just end up negatively impacting the community that > chose the media type (that presumes a particular encoding associated > with another registered media) in the first place. > > Yes this is my concern for +jwt... it presumes +json. > I suggest that the right thing to do here is probably require > "+json+jwt"... but understand that is probably not going to be > acceptable to the JWT community given that they've already registered > a number of media types that don't fit that pattern. Yes, I agree that this is the concern that needs clarification. > They might need > to include language on "equivalent processing" when it comes to the > end product of "+jwt" structured suffix processing... which could be > "treat it as application/json even though +json doesn't exist anywhere > in the media type" or "you can safely assume a +json at the end of the > decoded media type and process accordingly if you want to process > using the structured suffix rules". > Yes exactly this... but with a few extra issues: 1. header and payload are potentially both relevant to +jwt considering them both to be +json implicitly (so not just payload). 2. Same issues apply to +cwt 3. Is decoding the expected processing for a JWT? or is "verifying" the expected processing?... does this interact with 1 and 2 consistently. > > -- manu > > -- > Manu Sporny - https://www.linkedin.com/in/manusporny/ > Founder/CEO - Digital Bazaar, Inc. > https://www.digitalbazaar.com/ > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [jose] Multiple Suffixes with JOSE and COSE media… Orie Steele
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Michael Richardson
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Orie Steele
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Michael Richardson
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Orie Steele
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Michael Richardson
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Orie Steele
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Michael Richardson
- Re: [jose] [COSE] Multiple Suffixes with JOSE and… Orie Steele
- Re: [jose] [EXT] Re: [COSE] Multiple Suffixes wit… Brent Zundel
- Re: [jose] [EXT] Re: [COSE] Multiple Suffixes wit… Manu Sporny
- Re: [jose] [EXT] Re: [COSE] Multiple Suffixes wit… Orie Steele
- Re: [jose] [EXT] Re: [COSE] Multiple Suffixes wit… Michael Richardson
- Re: [jose] [EXT] Re: [COSE] Multiple Suffixes wit… Orie Steele
- Re: [jose] [COSE] [EXT] Re: Multiple Suffixes wit… Brendan Moran
- Re: [jose] [COSE] [EXT] Re: Multiple Suffixes wit… Carsten Bormann
- Re: [jose] [COSE] [EXT] Re: Multiple Suffixes wit… Orie Steele