IETF Logo Mail Archive

Re: [Multiformats] Multiformats Considered Harmful

Michael Jones <michael_b_jones@hotmail.com> Wed, 06 September 2023 19:53 UTC

Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: multiformats@ietfa.amsl.com
Delivered-To: multiformats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80146C1522DA for <multiformats@ietfa.amsl.com>; Wed, 6 Sep 2023 12:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.232
X-Spam-Level:
X-Spam-Status: No, score=-1.232 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n9-qJNvTyfQp for <multiformats@ietfa.amsl.com>; Wed, 6 Sep 2023 12:53:33 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11olkn2010.outbound.protection.outlook.com [40.92.20.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D8FAC1516FF for <multiformats@ietf.org>; Wed, 6 Sep 2023 12:53:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n28EYV6mPn6njZBsfdwdAV6qi6XDWlQlErdHXlvgVt+WOfLdrJ1fAeOHQCIaZc43yWJtQmF85per/rPidI4Xq7CG9zqnTxoTNbu5+aFnmSt5aXbqgBqSCmjHFYErWAQr2TftMvr5OJr4pdaeAXFlAWKioMiqrQNYVuEEhXgIfs7Kvliy7O8xWoGTCq9HNm1FULrBple40DQb7l/C85zE6u1VH0syHtkJ+Y7GQPfdApqCiUQyDGx/krZWtyngF/BcUTyUChj+fejqTVU7859NlrmGSPffnTclfeTjLqTWCDmPtVHNZ3YAUDm79wbCjMkQxpqOi9WiCreKotai9eLtBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LQpKiMJwVfmqDAqqZ0U83kDFEc2hKkv2t+qyACLoHns=; b=fNdeR4olWLcZ/9PGmu4euhZgmjRg2WheOKsHqVmZ1DSJcZyTOS92zY1v/g2qgMe5mVNOfu6gfj6COUkdioLlbYyrYKd1SxhYzjq7fDwDiKuxvT9b4milV0D3/OC4xetRhsfgyzaZe33gMZQOcMN7o0VBAD5Zg/eUqDl0Xxs4c46VWtgA9Rbk2roo9ZQfsiC8oqtfYQ15Onz7U0uoK+ADjlIe+as6hZwCuDkjWv4I0QSF1grckazqiY4gc3SPlabg4JbRyaeHLJpy+oi998UG98nT6veCzgz/EDWawNb0auzeq0axaK/6sW2qb6DRk/CyO8EIVPrrH8Y5X4iYgIhr6w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LQpKiMJwVfmqDAqqZ0U83kDFEc2hKkv2t+qyACLoHns=; b=CJXb3PX6hlRtjkLWLz4ghK4xdr+b0MqBGRSouwd31OWUEVWD8XoezcV/CFTUNNOtYB0NaqSNLKckA14HXn403DlycMa5bz+OJiUibEQmaksY6VCgMSgGezXwzlp+xQNX2KUlZIQgMXTsLLVcFBWcAqYLZsxSHvlSuotFIzev5nzR2W0sQHNP6Bter9meukHfvfOMYtU2aNtkk3AwX4upC5I7N5ujB4meMELz/iZT26SFDfCCw6b7osnsi4VaVctLBfK0oVMhSDdjFget+se2GCX7MO4PNSVgOyARWpZ9wNxQ7Ua6xTLOPbbXjvc/Tlh7GRSukSlTCiA5xg3qYgg6Ag==
Received: from MW4PR02MB7428.namprd02.prod.outlook.com (2603:10b6:303:71::5) by PH7PR02MB9052.namprd02.prod.outlook.com (2603:10b6:510:1f0::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.33; Wed, 6 Sep 2023 19:53:30 +0000
Received: from MW4PR02MB7428.namprd02.prod.outlook.com ([fe80::36ca:d688:8cee:d6f7]) by MW4PR02MB7428.namprd02.prod.outlook.com ([fe80::36ca:d688:8cee:d6f7%7]) with mapi id 15.20.6699.035; Wed, 6 Sep 2023 19:53:30 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: Orie Steele <orie@transmute.industries>, Carsten Bormann <cabo@tzi.org>
CC: "multiformats@ietf.org" <multiformats@ietf.org>, Murray Kucherawy <superuser@gmail.com>, Barry Leiba <barryleiba@computer.org>, Francesca Palombini <francesca.palombini@ericsson.com>, Roman Danyliw <rdd@cert.org>, Paul Wouters <paul.wouters@aiven.io>, Russ Housley <housley@vigilsec.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Richard Barnes <rlb@ipv.sx>
Thread-Topic: [Multiformats] Multiformats Considered Harmful
Thread-Index: AdngY0G2EEkSJQrVSjGitvNBIl2pDgANityAAAE9GIAAFx/JAAAAL04g
Date: Wed, 06 Sep 2023 19:53:30 +0000
Message-ID: <MW4PR02MB7428BE7784A204FC9F945685B7EFA@MW4PR02MB7428.namprd02.prod.outlook.com>
References: <F814189D-031F-4CED-AC9A-F6049D010632@tzi.org> <81D17EDC-723D-4977-AA82-6164DDB5B431@tzi.org> <CAN8C-_LpYSimtHTn0nE7HN13iJ8FyxchaDm4G1mTX97MhYf=bw@mail.gmail.com>
In-Reply-To: <CAN8C-_LpYSimtHTn0nE7HN13iJ8FyxchaDm4G1mTX97MhYf=bw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tmn: [gNUkO0v1B9nLKsN3XzHfHSNt+yG1v6xpMSQxvReluq3gpN6/22+7xRo1QvD4vzCJXN3YIlst4aA=]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MW4PR02MB7428:EE_|PH7PR02MB9052:EE_
x-ms-office365-filtering-correlation-id: 9cbebc58-02fa-403e-e15f-08dbaf12f1e5
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: r1eZUAOni3uzWUzD/M+1HOTyq9Ia9U6H6+04J4cPKP4CSb+R+tgHx3/GavzAkqD52FEJi0KKdclRtKbXmJazCFJPCUhn3EYBkeExlG2Hdu7VSKV+N7ijywdGQZaukz8WeOwQcA3lD2Mh9tQbiyTUvRaCqmB1YNUFFm6z8V4rNG93txswAXotgMen7NMQAdYGiGMlDCqmDI2nycmu2lCnHVL7KiCv9Pg17gtN79jZiesxZfrA5/sVc6N4VlZZoTFbHzHQqXXT9aZZoyhHw4o5GL/AraKnnaeLxOtRD+d5xFlZ8Ojr8+f2ZoEVE58a+zKsS5QdwGVnBYRTQhvgkvLGC6Ii++q+JpSsx++yJ/PhTBmrjlRZHDhGCwH9NfndaYSe8TIP1moWg/izt9v5sQDtK70F0YIeR8mMsHbxIuXXuJ68jokixAX7sIe+Gzf0r5+6IOMH0OPJaZIj+iEIwowBzRkQR7VjWBqUKsdPE5u2/ON4Yl3s4MvflN7/fXkqlwfsSDyjLTVPtxZulGOrmYSGI7bE6diMyF40XECaV5WNKlrmKv153RDQX+ad+Ri38yU+Uo+yuYBFbbF7N9jtT8+j6kCDr/yRT8wuRYgcOZNuIBZAuGR86ZxQ7jrZJ2i6We4LH5R3Tj9Tf5KDkP3wzApd5beOPzwrBWxQaG8RQbWTZcg=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 8u1n5M5X/K9HIS0kXwYRtPZpFakKlJrt8uMbpClid38tgrjXNG7k6ruYPQL9wEWVLwrZCDphKp/qnyUOz1Aodi5F+IxMgp9FL2gg7wvwfJhD83XP7tcsNYd9UqqxJmPQZpxlUMgvGoMvUHHzomFsb6RAlo9QfcFZw1HCyUDXWfEV7FGbtmsYV86vU5z6FIsMubRvy+FUmNt0ojEz78eIyTaeiuhfeilCe6M7UbknZFZ5gJSfz87EvxFZvtvLFyOYg3mmlQuRwDn0RpxMC6J9hJ5KCSdzkcFEupzh04ZPj7YXxxQRjZnQJ/Xsi9pb81xGlH91yOA7Zc806MiXqmstZJFBjUT2G3SK8G0qQF3lqGlvUSVEUH5TulcT1goihqZntKblAm+hHCVQZkfF/jUCJ1QUXaREd+v8uNVKeJXMczqHgiXVF/irPoVAJ0zwKsYzY+7tdSxImgTZWVopvRmiMoiruvTbXh15hGGRT4AR4Caamsi5YcRyMeOx2uEtXDt6tV2PTvkoxJXAgPNFjRHlw+0+orpbIiqOqnFOT4H2W31Gwy3aUVEKaEBaH7q6Ntn6n2bF5CXngo8rHpVupidQuwARMNuUnlhT1hzKY6zc19L07EpaNQB7JSMS0YZdixUj13Y9t0ZIUkfiTlvEuSknzzmcaxyBofv++SD+DH/rb2/FjQV7kXJbsR7DzxkU8K7E0WvYJMvhREUatJBcrO5hSKSqz2vAGa1QuiPRPT0M9VNZcIzsqkZaO8ktB0nICt2IY9YsHY3noDJvudkTWGYeojjMH9/LABTkOfrjhL8y7Wb3lsIglqZO7MOd63b8NT2Yhmv/LabntYQjcWS/fpUHRdtlMZBcFl15SQ97z5Z7NmLqdP8MT6xu7h8Uh9uTWDZMiUyQR9DJVXNyOtoX6+nM9ZImLgJvEHm/SNrUVk8GFdMR61jHT8v/3dEXP1klYklzy0Ka98ES6Fo7S4VZ1HUgVpXg9XPiZwtlsF/fVlw1JPhkfEyj7AzwgvN6lBaVXCzU/jDzTuNh7tSL4nObQlwwYLd8H00BgfnebhlY9zlyaNFgoxXpEeppxucsnr3Ka6uqePsZRBQ/MB3csWDAzUQKGt2GLXx4uhMEzc8nPBf0RhxJFXhs2PVc0WdRdjeXokRTJmzwzXtNh4vdl1QczIYSQ3NaaJ9hjkc5Aq8IxjdNEeLknt9TQNB/T6ZU4AQbTv/9hEqwL+95xtbgFTiRgxpCgPUeGSzxCorkGmteDAG3BjDR6BhngpEDtgX/lkc9rsVFAJJlhPtwocUQapjTSUUcN8YGjfMAUgTxTczW89YAIyo=
Content-Type: multipart/alternative; boundary="_000_MW4PR02MB7428BE7784A204FC9F945685B7EFAMW4PR02MB7428namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-99c3d.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR02MB7428.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 9cbebc58-02fa-403e-e15f-08dbaf12f1e5
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2023 19:53:30.5609 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR02MB9052
Archived-At: <https://mailarchive.ietf.org/arch/msg/multiformats/gWvUBFC6KOmNd0-hYgnU9O_pqQY>
X-Mailman-Approved-At: Thu, 07 Sep 2023 13:16:39 -0700
Subject: Re: [Multiformats] Multiformats Considered Harmful
X-BeenThere: multiformats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion related to the various Multiformats data formats <multiformats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multiformats>, <mailto:multiformats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multiformats/>
List-Post: <mailto:multiformats@ietf.org>
List-Help: <mailto:multiformats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multiformats>, <mailto:multiformats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2023 19:53:37 -0000

For the benefit of those added to the thread, you can read my original message that this is response to at https://self-issued.info/?p=2408.

                                                       -- Mike

From: Orie Steele <orie@transmute.industries>
Sent: Wednesday, September 6, 2023 12:47 PM
To: Carsten Bormann <cabo@tzi.org>
Cc: Michael Jones <michael_b_jones@hotmail.com>; multiformats@ietf.org; Murray Kucherawy <superuser@gmail.com>; Barry Leiba <barryleiba@computer.org>; Francesca Palombini <francesca.palombini@ericsson.com>; Roman Danyliw <rdd@cert.org>; Paul Wouters <paul.wouters@aiven.io>; Russ Housley <housley@vigilsec.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; Richard Barnes <rlb@ipv.sx>
Subject: Re: [Multiformats] Multiformats Considered Harmful

I'll comment in the context of the experience working with multicodec and multibase at W3C.

And include a few folks I spoke with regarding this topic at the last IETF.

We implemented support for publicKeyMultibase, and helped register the NIST curves in order to be able to do "key translation" required to use Decentralized Identifiers or Verifiable Credentials.

https://github.com/multiformats/multicodec/pull/190

We've also used multibase encoded "proofValue" in JSON-LD / RDF to encode various kinds of Data Integrity Proofs:

https://github.com/w3c/vc-data-integrity

The 2 primary points of connection to W3C for this work are "encoding key representations" and "encoding signature / proof values"... not just encoding hashes as strings, although that is also commented on https://github.com/search?q=repo%3Aw3c%2Fvc-data-integrity%20digestMultibase&type=code ...

I'd add that digestMultibase is positioned as competing with digestSRI, and the W3C working group has no consensus on if it's worth not being compatible with SRI... In very much the same way the working group can't agree to recommend using publicKeyMultibase over publicKeyJwk... It's possible that might change in the current verifiable credentials working group, if it does not, that would also prove my general point regarding helpfulness.

W3C specifications do not require, prefer or recommend multibase.

Data Integrity - https://github.com/w3c/vc-data-integrity which is on track to become a technical recommendation is, afaik, the sole exception to this, `proofValue` MUST be encoded as multibase... This is a part of what is motivating the need to move multibase to an organization that can be referenced normatively by W3C, without producing their version of a downref.

Some members of W3C want to position multibase keys and signatures as recommendations, and there seems to be a good amount of overlap with folks wanting to position data integrity proofs, which are similar to xml digital signatures, as the recommended way to encode verifiable credentials with security.

Everything these folks are recommending can be solved for with standards that are available today, many of which have lots of off the shelf implementations and are widely adopted in protocols for moving JSON based data models (JOSE, OAuth, OIDC).

Having spent a lot of time implementing support for multibase in the context of DIDs and VCs our conclusion is that they are not "worth the switching cost" relative to JOSE... COSE support is worth the switching cost, but it's not compatible with the W3C Data Model approach which is based on JSON-LD and RDF.

The primary point I want to make is this:

Adding many ways to do the same thing, with very little benefit over the existing ways is not helpful.

Adding new ways to do old things that are not an improvement worth paying to upgrade too, is also not helpful.

It creates a fertile garden bed of bugs and consulting opportunities, which can reduce security and drive up costs for regulators and commercial markets needing to implement standards, without benefiting end users, who we are here to serve.

To be clear, there is nothing wrong with preferring base58btc over base64url, or uvarint prefixing over cbor tagging... But there is a lot wrong with forcing verifiers and relying parties to support "every binary encoding format multiplied by every registered public key or hash type"... it's better to not publish a standard, than it is to do this.

I don't see how multiformats does not leave the verifier or relying party holding this bag, along with all the other burdens they are required to carry already (JOSE, COSE, etc...), and if they can't handle it, or they handle only part of it, the consumer / end user does not get the benefit.

I don't think the work should be done... If it is done, or continues to be done (since it's happening at W3C regardless of progress in IETF), I think it will continue to cause harm to the use cases that it's supposedly being done to support.

Specifically ensuring end users can control their own identifiers and credentials, and that verifiers (governments, organizations, hardware systems and other users) can automate compliance requirements built on digital trust ecosystems.

I have a lot of respect for the people involved with the work, in particular Protocol Labs & Digital Bazaar, even if I don't think this particular approach should become an IETF standard.

Regards,

OS


On Wed, Sep 6, 2023 at 3:45 AM Carsten Bormann <cabo@tzi.org<mailto:cabo@tzi.org>> wrote:
RFC 6256, which was used in the bundle protocol v6, before they switched to CBOR for v7
Sent from mobile, sorry for terse


On 6. Sep 2023, at 10:09, Carsten Bormann <cabo@tzi.org<mailto:cabo@tzi.org>> wrote:
Leb128 (not sure that the drafts call it by its common name) is the little endian variant of sdnv, which we do have as an rfc (please look that up for me…)
--
Multiformats mailing list
Multiformats@ietf.org<mailto:Multiformats@ietf.org>
https://www.ietf.org/mailman/listinfo/multiformats


--



ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>

[https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/>

v2.23.0 | Report a Bug | By Email