IETF Logo Mail Archive

Re: [Multiformats] Multiformats Considered Harmful

Melvin Carvalho <melvincarvalho@gmail.com> Sun, 05 November 2023 22:08 UTC

Return-Path: <melvincarvalho@gmail.com>
X-Original-To: multiformats@ietfa.amsl.com
Delivered-To: multiformats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23E2EC1D2D78 for <multiformats@ietfa.amsl.com>; Sun, 5 Nov 2023 14:08:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.844
X-Spam-Level:
X-Spam-Status: No, score=-6.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hpx_FosqKQZY for <multiformats@ietfa.amsl.com>; Sun, 5 Nov 2023 14:08:33 -0800 (PST)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5244C1C5F31 for <Multiformats@ietf.org>; Sun, 5 Nov 2023 14:08:10 -0800 (PST)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-5afbdbf3a19so45082667b3.2 for <Multiformats@ietf.org>; Sun, 05 Nov 2023 14:08:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699222090; x=1699826890; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=P8XgWFWY8sEbI47UpgKSMYrd4Da3YX7abewVQuPu6mE=; b=KOG3kg3dY7ZkcXiTyli4OoQSUDaijjd83hz5Q/5yfyCgLv5dx8395AObm1sB9yJfBe eFimLYgBQ/C5KpkHlR4OnOR09vRs8O5h7w4DmjfnQ5NaXkgN4ebzaPOF3Pr/1vnFXi5j jSdQK4pEYvDDUOV4zhnZs8ZBQqcjSFkDUhPNxWuPeTHP/64/6Ki3RAMmn03kE2WMRfMa u0EscpKasX4JVFoFL04AnaTqBFZBN1DND1oXoJJcirItrY326NzBBcgxMLyrHNvDEmTG XRpJcXk7rkBfhQKFQlu2XOMBqEAIZUrI438C5WGUZIFta5wj3x2jrLmP2kCeruZm1Mqi 5nFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699222090; x=1699826890; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=P8XgWFWY8sEbI47UpgKSMYrd4Da3YX7abewVQuPu6mE=; b=MXQjXgN/0gDl7t3v2+c/PPuoY8dn6lZEaUPpFImG6+PnIl9YzDWsABY4WmigPwyXaV 1OzIJ+JfySp4kvPAsV+xmGBdehAg5gnxjaoSWZY1/9Dx0u6TQCy4dmrYi/dl2IgIJRK2 msVuTthHzTagoTjolYam7c+ltJwAOFReuH+WsHY1XyBdNSyOb5mnOMF/LL2DZaMMj5+e eehFAkimNr6SYs3ffiDk6zI1flRJGGFDHC28BJoLdXDDwgb6Yhj/G4g3ag7QJWYTthkt /N1gkk2Lu9kOv/JB8yolz+pzI4ebT9RUef0tTWByEyFmH+VIp6K8UquVYyIzDo4DGc66 sONQ==
X-Gm-Message-State: AOJu0YxwkydhfpoukazqyHssdS4j77xn0iUL9KjadcR1vrX99O/+MbsN Y13m0Wz/euDblxCDy6ev52T/Djih9o1D/DRDD30Ud+hb++p/eg==
X-Google-Smtp-Source: AGHT+IH5IqESQysfTYuy48uSjbsjhvmoGwcMHDIsSACnxc74JoLSHYjyvuWmUsrk45LezNz90JtdhXNV/xY8FwywtQo=
X-Received: by 2002:a81:9152:0:b0:5a7:d8f0:a30a with SMTP id i79-20020a819152000000b005a7d8f0a30amr9949299ywg.28.1699222089536; Sun, 05 Nov 2023 14:08:09 -0800 (PST)
MIME-Version: 1.0
References: <MW4PR02MB74285C15BBD628DD5F637C2EB7EFA@MW4PR02MB7428.namprd02.prod.outlook.com>
In-Reply-To: <MW4PR02MB74285C15BBD628DD5F637C2EB7EFA@MW4PR02MB7428.namprd02.prod.outlook.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 05 Nov 2023 23:07:56 +0100
Message-ID: <CAKaEYhLJy8CW333ZwGujc1JpgpTqZR09_9yk3FQt7sPsFgXv+w@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: "Multiformats@ietf.org" <Multiformats@ietf.org>, Murray Kucherawy <superuser@gmail.com>, Barry Leiba <barryleiba@computer.org>, Francesca Palombini <francesca.palombini@ericsson.com>, Roman Danyliw <rdd@cert.org>, Paul Wouters <paul.wouters@aiven.io>
Content-Type: multipart/related; boundary="0000000000000ab78e06096ef967"
Archived-At: <https://mailarchive.ietf.org/arch/msg/multiformats/FOLBcVSIdW4Nmk6HHTdtbYeg280>
Subject: Re: [Multiformats] Multiformats Considered Harmful
X-BeenThere: multiformats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion related to the various Multiformats data formats <multiformats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multiformats>, <mailto:multiformats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multiformats/>
List-Post: <mailto:multiformats@ietf.org>
List-Help: <mailto:multiformats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multiformats>, <mailto:multiformats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2023 22:08:38 -0000

st 6. 9. 2023 v 4:03 odesílatel Michael Jones <michael_b_jones@hotmail.com>
napsal:

> While I usually reserve my time and energy for advancing good ideas, I’m
> making an exception to publicly state the reasons why I believe “
> multiformats <https://github.com/msporny/charter-ietf-multiformats/>”
> should not be considered for standardization by the IETF.
>
> 1. Multiformats institutionalize the failure to make a choice, which is
> the opposite of what good standards do. Good standards make choices about
> representations of data structures resulting in interoperability, since
> every conforming implementation uses the same representation. In contrast,
> multiformats enable different implementations to use a multiplicity of
> different representations for the same data, harming interoperability.
> https://datatracker.ietf.org/doc/html/draft-multiformats-multibase-03#appendix-D.1 defines
> 23 equivalent and non-interoperable representations for the same data!
>
> 2. The stated purpose of “multibase
> <https://www.ietf.org/archive/id/draft-multiformats-multibase-08.html>”
> is “*Unfortunately, it’s not always clear what base encoding is used;
> that’s where this specification comes in. It answers the question: Given
> data ‘d’ encoded into text ‘s’, what base is it encoded with?*”, which is
> wholly unnecessary. Successful standards DEFINE what encoding is used
> where. For instance,
> https://www.rfc-editor.org/rfc/rfc7518.html#section-6.2.1.2 defines that
> “x” is base64url encoded. No guesswork or prefixing is necessary or useful.
>
> 3. Standardization of multiformats would result in unnecessary and
> unhelpful duplication of functionality – especially of key representations.
> The primary use of multiformats is for “publicKeyMultibase” – a
> representation of public keys that are byte arrays. For instance, the only
> use of multiformats by the W3C DID spec <https://www.w3.org/TR/did-core/> is
> for publicKeyMultibase. The IETF already has several perfectly good key
> representations, including X.509, JSON Web Key (JWK), and COSE_Key. There’s
> not a compelling case for another one.
>
> 4. publicKeyMultibase can only represent a subset of the key types used in
> practice. Representing many kinds of keys requires multiple values – for
> instance, RSA keys require both an exponent and a modulus. By comparison,
> the X.509, JWK, and COSE_Key formats are flexible enough to represent all
> kinds of keys. It makes little to no sense to standardize a key format that
> limits implementations to only certain kinds of keys.
>
> 5. The “multihash
> <https://www.ietf.org/archive/id/draft-multiformats-multihash-07.html>”
> specification relies on a non-standard representation of integers called
> “Dwarf”. Indeed, the referenced Dwarf document lists itself as being at
> http://dwarf.freestandards.org/ – a URL that no longer exists!
>
> 6. The “Multihash Identifier Registry” at
> https://www.ietf.org/archive/id/draft-multiformats-multihash-07.html#mh-registry duplicates
> the functionality of the IANA “Named Information Hash Algorithm Registry”
> at
> https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg,
> in that both assign (different) numeric identifiers for hash functions. If
> multihash goes forward, it should use the existing registry.
>
> 7. It’s concerning that the draft charter
> <https://msporny.github.io/charter-ietf-multiformats/> states that “*Changing
> current Multiformat header assignments in a way that breaks backward
> compatibility with production deployments*” is out of scope. Normally
> IETF working groups are given free reign to make improvements during the
> standardization process.
>
> 8. Finally, as a member of the W3C DID and W3C Verifiable Credentials
> working groups, I will state that it is misleading for the draft charter to
> say that “*The outputs from this Working Group are currently being used
> by … the W3C Verifiable Credentials Working Group, W3C Decentralized
> Identifiers Working Group…*”. The documents produced by these working
> groups intentionally contain no normative references to multiformats or any
> data structures derived from them. Where they are referenced, it is
> explicitly stated that the references are non-normative.
>

I would like to draw attention to potentially new information with broad
impact, specifically regarding the proposed deprecation of publicKeyPem and
the adoption of multiformats. The fediverse, a sizable social network
platform, relies heavily on publicKeyPem, with a deployment base exceeding
10 million accounts. Abrupt deprecation of such widely-used standards can
have significant and far-reaching consequences.

Moreover, the adoption of multiformats has seemingly overlooked
compatibility with prevalent key formats such as bech32, which may
inadvertently lead to a dichotomy of 'winners and losers' in the space,
rather than fostering inclusivity.

In light of these considerations, I urge the IETF to reflect on whether the
move towards multiformats genuinely embodies the principles of a universal
standard or if it rather represents a narrowing of scope to
well-established implementations. It is my view that this transition may
not only be premature but also potentially detrimental to systems that have
achieved substantial network effect over time.  See the issue below which
proposes deprecating publicKeyPem (in use over 10 million accounts) for
very complex multiformats alternative.
https://github.com/w3c/vc-data-integrity/issues/74

[image: image.png]


>
>
>
>                                                 -- Mike
>
>
>
> P.S.  This was also posted at https://self-issued.info/?p=2408 and
> https://www.linkedin.com/posts/selfissued_github-mspornycharter-ietf-multiformats-activity-7105001423574077441-6tcS,
> referenced from https://twitter.com/selfissued/status/1699234431293370376,
> and filed as an issue at
> https://github.com/msporny/charter-ietf-multiformats/issues/2.
>
>
> --
> Multiformats mailing list
> Multiformats@ietf.org
> https://www.ietf.org/mailman/listinfo/multiformats
>

v2.23.0 | Report a Bug | By Email