Re: [Multiformats] Multiformats Considered Harmful
Melvin Carvalho <melvincarvalho@gmail.com> Thu, 07 September 2023 20:29 UTC
From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Thu, 07 Sep 2023 22:28:45 +0200
Message-ID: <CAKaEYh+Y618B-NHNfMdBhzO3KG8NFiWh4N-T-EH5K7iYuo5NHg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Michael Jones <michael_b_jones@hotmail.com>, Orie Steele <orie@transmute.industries>, Carsten Bormann <cabo@tzi.org>, "multiformats@ietf.org" <multiformats@ietf.org>, Murray Kucherawy <superuser@gmail.com>, Barry Leiba <barryleiba@computer.org>, Francesca Palombini <francesca.palombini@ericsson.com>, Roman Danyliw <rdd@cert.org>, Paul Wouters <paul.wouters@aiven.io>, Russ Housley <housley@vigilsec.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/multiformats/o8cRFM9Wq2vzcsyZMC37UhkefJo>

On Thu, 7 Sep 2023 at 22:16, Richard Barnes <rlb@ipv.sx> wrote:

> Not sure why I got added to this thread (I guess because I talked to Orie
> :) ), but overall I endorse the objections that Mike and Orie raise.
>
> As I understand it, the reason multiformats exist is basically that the
> blockchain community failed to organize itself well enough to agree on an
> encoding, so there was a need to shove multiple encodings into a slot and
> let the recipient figure it out. While this seems to be a common pattern
> in some W3C spaces (e.g., VC, DID), it is a compatibility nightmare, and is
> not something we should build standards around. Much like DID,
> multiformats is a fine hack to multiplex multiple things into a single
> slot, but one that should at best be documented for historical purposes
> while we build forward to a common thing, not held out as in any sense a
> good thing to do.
>

For context, the predominant deployment within the blockchain realm employs the bech32 serialization for hashed keys, notable for its efficient error correction and the exclusion of certain characters. However, I observed that this isn't encompassed in the multiformats specification. Although termed "universal", the specification appears to selectively include certain serializations while omitting others.

>
> --Richard
>
> On Wed, Sep 6, 2023 at 3:53 PM Michael Jones <michael_b_jones@hotmail.com>
> wrote:
>
>> For the benefit of those added to the thread, you can read my original
>> message that this is a response to at https://self-issued.info/?p=2408.
>>
>> -- Mike
>>
>> *From:* Orie Steele <orie@transmute.industries>
>> *Sent:* Wednesday, September 6, 2023 12:47 PM
>> *To:* Carsten Bormann <cabo@tzi.org>
>> *Cc:* Michael Jones <michael_b_jones@hotmail.com>; multiformats@ietf.org;
>> Murray Kucherawy <superuser@gmail.com>; Barry Leiba
>> <barryleiba@computer.org>; Francesca Palombini
>> <francesca.palombini@ericsson.com>; Roman Danyliw <rdd@cert.org>; Paul
>> Wouters <paul.wouters@aiven.io>; Russ Housley <housley@vigilsec.com>;
>> Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; Richard Barnes
>> <rlb@ipv.sx>
>> *Subject:* Re: [Multiformats] Multiformats Considered Harmful
>>
>> I'll comment in the context of the experience working with multicodec and
>> multibase at W3C.
>>
>> And include a few folks I spoke with regarding this topic at the last
>> IETF.
>>
>> We implemented support for publicKeyMultibase, and helped register the
>> NIST curves in order to be able to do "key translation" required to use
>> Decentralized Identifiers or Verifiable Credentials.
>>
>> https://github.com/multiformats/multicodec/pull/190
>>
>> We've also used multibase encoded "proofValue" in JSON-LD / RDF to encode
>> various kinds of Data Integrity Proofs:
>>
>> https://github.com/w3c/vc-data-integrity
>>
>> The 2 primary points of connection to W3C for this work are "encoding key
>> representations" and "encoding signature / proof values"... not just
>> encoding hashes as strings, although that is also commented on
>> https://github.com/search?q=repo%3Aw3c%2Fvc-data-integrity%20digestMultibase&type=code
>> ...
>>
>> I'd add that digestMultibase is positioned as competing with digestSRI,
>> and the W3C working group has no consensus on if it's worth not being
>> compatible with SRI... In very much the same way the working group can't
>> agree to recommend using publicKeyMultibase over publicKeyJwk... It's
>> possible that might change in the current verifiable credentials working
>> group, if it does not, that would also prove my general point regarding
>> helpfulness.
>>
>> W3C specifications do not require, prefer or recommend multibase.
>>
>> Data Integrity - https://github.com/w3c/vc-data-integrity which is on
>> track to become a technical recommendation is, afaik, the sole exception to
>> this, `proofValue` MUST be encoded as multibase... This is a part of what
>> is motivating the need to move multibase to an organization that can be
>> referenced normatively by W3C, without producing their version of a downref.
>>
>> Some members of W3C want to position multibase keys and signatures as
>> recommendations, and there seems to be a good amount of overlap with folks
>> wanting to position data integrity proofs, which are similar to xml
>> digital signatures, as the recommended way to encode verifiable credentials
>> with security.
>>
>> Everything these folks are recommending can be solved for with standards
>> that are available today, many of which have lots of off the shelf
>> implementations and are widely adopted in protocols for moving JSON based
>> data models (JOSE, OAuth, OIDC).
>>
>> Having spent a lot of time implementing support for multibase in the
>> context of DIDs and VCs our conclusion is that they are not "worth the
>> switching cost" relative to JOSE... COSE support is worth the switching
>> cost, but it's not compatible with the W3C Data Model approach which is
>> based on JSON-LD and RDF.
>>
>> The primary point I want to make is this:
>>
>> Adding many ways to do the same thing, with very little benefit over the
>> existing ways is not helpful.
>>
>> Adding new ways to do old things that are not an improvement worth paying
>> to upgrade to, is also not helpful.
>>
>> It creates a fertile garden bed of bugs and consulting opportunities,
>> which can reduce security and drive up costs for regulators and commercial
>> markets needing to implement standards, without benefiting end users, who
>> we are here to serve.
>>
>> To be clear, there is nothing wrong with preferring base58btc over
>> base64url, or uvarint prefixing over cbor tagging... But there is a lot
>> wrong with forcing verifiers and relying parties to support "every binary
>> encoding format multiplied by every registered public key or hash type"...
>> it's better to not publish a standard, than it is to do this.
>>
>> I don't see how multiformats does not leave the verifier or relying party
>> holding this bag, along with all the other burdens they are required to
>> carry already (JOSE, COSE, etc...), and if they can't handle it, or they
>> handle only part of it, the consumer / end user does not get the benefit.
>>
>> I don't think the work should be done... If it is done, or continues to
>> be done (since it's happening at W3C regardless of progress in IETF), I
>> think it will continue to cause harm to the use cases that it's supposedly
>> being done to support.
>>
>> Specifically ensuring end users can control their own identifiers and
>> credentials, and that verifiers (governments, organizations, hardware
>> systems and other users) can automate compliance requirements built on
>> digital trust ecosystems.
>>
>> I have a lot of respect for the people involved with the work, in
>> particular Protocol Labs & Digital Bazaar, even if I don't think this
>> particular approach should become an IETF standard.
>>
>> Regards,
>>
>> OS
>>
>> On Wed, Sep 6, 2023 at 3:45 AM Carsten Bormann <cabo@tzi.org> wrote:
>>
>> RFC 6256, which was used in the bundle protocol v6, before they switched
>> to CBOR for v7
>>
>> Sent from mobile, sorry for terse
>>
>> On 6. Sep 2023, at 10:09, Carsten Bormann <cabo@tzi.org> wrote:
>>
>> Leb128 (not sure that the drafts call it by its common name) is the
>> little endian variant of sdnv, which we do have as an rfc (please look that
>> up for me…)
>>
>> --
>> Multiformats mailing list
>> Multiformats@ietf.org
>> https://www.ietf.org/mailman/listinfo/multiformats
>>
>> --
>>
>> *ORIE STEELE* Chief Technology Officer
>> www.transmute.industries
>>
>> <https://transmute.industries/>
>>
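
The relationship Carsten Bormann describes between LEB128 (the "uvarint" of multiformats) and SDNV (RFC 6256), as an added example that is not part of the thread: both encoders emit the same 7-bit groups in opposite byte order, and both decoders reject padded or truncated input so that one integer has exactly one accepted encoding. The sample value 0xABC and the 9-byte length limit are assumptions made for this example.

```python
def leb128_encode(n: int) -> bytes:
    """Unsigned LEB128: 7-bit groups, least significant group first."""
    if n < 0:
        raise ValueError("unsigned values only")
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        out.append(group | (0x80 if n else 0))  # high bit = more bytes follow
        if not n:
            return bytes(out)

def sdnv_encode(n: int) -> bytes:
    """RFC 6256 SDNV: the same 7-bit groups, most significant group first."""
    if n < 0:
        raise ValueError("unsigned values only")
    groups = [n & 0x7F]                    # final byte has the high bit clear
    n >>= 7
    while n:
        groups.append((n & 0x7F) | 0x80)   # every earlier byte has it set
        n >>= 7
    return bytes(reversed(groups))

def leb128_decode(buf: bytes, max_len: int = 9):
    """Return (value, bytes_consumed); max_len is this example's own limit."""
    value = 0
    for i, byte in enumerate(buf[:max_len]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            if i > 0 and byte == 0:        # zero top group: padded encoding
                raise ValueError("non-minimal LEB128")
            return value, i + 1
    raise ValueError("truncated or over-long LEB128")

def sdnv_decode(buf: bytes, max_len: int = 9):
    """Return (value, bytes_consumed); max_len is this example's own limit."""
    value = 0
    for i, byte in enumerate(buf[:max_len]):
        if i == 0 and byte == 0x80:        # zero leading group: padded encoding
            raise ValueError("non-minimal SDNV")
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, i + 1
    raise ValueError("truncated or over-long SDNV")

if __name__ == "__main__":
    sample = 0xABC  # constructed sample value
    print("LEB128:", leb128_encode(sample).hex())  # bc15
    print("SDNV:  ", sdnv_encode(sample).hex())    # 953c
```
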