Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIME types
Orie Steele <orie@transmute.industries> Wed, 05 April 2023 00:53 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB4AEC15952A for <rats@ietfa.amsl.com>; Tue, 4 Apr 2023 17:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eroOuKKR-OtW for <rats@ietfa.amsl.com>; Tue, 4 Apr 2023 17:53:30 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B11FC153CA1 for <rats@ietf.org>; Tue, 4 Apr 2023 17:53:30 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id a640c23a62f3a-92fcb45a2cdso9122766b.0 for <rats@ietf.org>; Tue, 04 Apr 2023 17:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1680656008; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bU/bRkXfXgY/RqIuZ2/VfuwKDm3AwchfjAHS2hDsMcw=; b=XhxN4PmfyXuxA1NWR5i0db5eT/cJuQ3iQzChKTD8OUeBm6p1Xne8oZqhmKpHe8o4lS 6ftrploropYRo8L3+1jSEVauaV5I8OZTYmA/U1oL79Y3FZfYWCUUuqubsgzhhirVFVqC e+/wu40ge21Vg68RDzXvDCqMfPL/19yboFfGs5isMt2QfHbBmiyoaudn35gT+IVXkqA7 pUDj/9GV/zJD5APj8W8SDPaE2u8y/pZlE1TyM9Txtgv/gAQI3UgNHr/hJpAiQt1z4KEb co3VgmEIro/SZB1P/nTk1pH1XAccA4bi5/fs0UZQLeBr3h7CgHrRjuDd9TSEC7hmwicu 4ShA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680656008; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bU/bRkXfXgY/RqIuZ2/VfuwKDm3AwchfjAHS2hDsMcw=; b=aYhq4ZwlrbZRAcCOi3v+NrUIT13KU2tbNe7SgwcrKMlEhR7V07obmarH0Icj7RAGFH JrsKiVjMOudkR6UVfO8OpZTyjY02XyzbFjXmGo3yhcjljcmLXLKQc+IDFw7jR2sjShFG 4V+xwbkvdxmGBrOa4JJSlAFcmocyFLtVAOkmWt2vanQFaWRdmJEeqskJ9ssw0C50H318 QEIItYolQk5TCKZdV4GFHCFi+LRcwVEdaA0bACvnUoFRLdTxJK5/fPcVUDhMfgzsL0cx 6M86mF5Qz9CDtNHPWmnAwIi5snT8cqpCSuMHxKmKdORwJ3nEPVgGL4aFvrbgZijXLAUJ u3sQ==
X-Gm-Message-State: AAQBX9dct6/uQEXvXYmm2RG9j8c0ax64O/dtvHNKh1ujdjLHR61ZvAPv Xvd5uikg/OQ6FyL7GOzNGd2sJUSX8l3nfaOOIYrRdQ==
X-Google-Smtp-Source: AKy350bYXtusYStYP2FymMeBEMvmoKp7DaSRNuCam26P4AV5WkdVWXDiqNcESHRAggTmCxEATK8g+VxEF0kAzxI4DVs=
X-Received: by 2002:a50:baeb:0:b0:4fb:c8e3:1ae2 with SMTP id x98-20020a50baeb000000b004fbc8e31ae2mr221418ede.3.1680656007844; Tue, 04 Apr 2023 17:53:27 -0700 (PDT)
MIME-Version: 1.0
References: <167847004893.23876.9884501000866697896@ietfa.amsl.com> <DB9PR08MB6524E8F83E7149AD95B6CDB89CBA9@DB9PR08MB6524.eurprd08.prod.outlook.com> <2313611.1678640027@dyas> <DB9PR08MB6524D3E44EBF11BB83F8F9069CB99@DB9PR08MB6524.eurprd08.prod.outlook.com> <2380614.1678721850@dyas> <CAObGJnPjijJ61B_WvujcbunwW7aPA7c-CY4goPDX+yohR_kHOw@mail.gmail.com> <DB9PR08MB6524A6A7E5AABD96BBA34C8A9C879@DB9PR08MB6524.eurprd08.prod.outlook.com> <14833.1679597042@localhost> <8225.1679872718@localhost> <DU0P190MB19784AFEED440A3EBF922A87FD929@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <4BB67CAE-73E0-43B7-86C4-76DC06379CB1@intel.com> <CAN8C-_L0VnwZaOy8QxKiDBG1dXK+Ct9X-5jzeQGFSnZwLkRzaA@mail.gmail.com> <3EC8A813-C84E-4869-83D2-ECAC2487DE97@intel.com> <CAN8C-_+z0GoNCo_Jd77DWeKN3XE76hccr5gKd90q+rm1w6haAw@mail.gmail.com> <36C7760F-4180-422C-A35B-A626DDC2A6F2@island-resort.com> <EB82CDEC-44A0-42DA-BAF1-71791B28CFDD@intel.com> <CAN8C-_JsBMHGe_5jbShKTHuvT+sZXWFk+G-MOQ9zLVMr_GVxFw@mail.gmail.com> <1A299CE1-9572-48F2-84EA-2DEB21B216C1@intel.com> <CAN8C-_KEVXxS=0ca=n0b5bC=5bpV3xgwzFSE0PrUZYWUS5rHnw@mail.gmail.com> <DU0P190MB19781199C1C9E18FA7DF16B5FD939@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAN8C-_KZ5uUruf0tVfwniVWDUua9AVh7bvRAWtzZOtWzVYpEaA@mail.gmail.com> <DU0P190MB19788753DBA803124E05B501FD939@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <C3A1B8A1-7CF5-4539-8FCF-A2B180FBE5E3@intel.com>
In-Reply-To: <C3A1B8A1-7CF5-4539-8FCF-A2B180FBE5E3@intel.com>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 04 Apr 2023 19:53:16 -0500
Message-ID: <CAN8C-_KnEqG4qExUSgT8=JdW_B0pX22HS6DxGE7mkYyFxETqCg@mail.gmail.com>
To: "Smith, Ned" <ned.smith@intel.com>
Cc: Esko Dijk <esko.dijk@iotconsultancy.nl>, Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr@sandelman.ca>, Thomas Fossati <Thomas.Fossati@arm.com>, Thomas Fossati <tho.ietf@gmail.com>, cose <cose@ietf.org>, rats <rats@ietf.org>, anima@ietf.org
Content-Type: multipart/alternative; boundary="00000000000056699e05f88c38ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/-uVEsFklI4n6Jr6OwWBfrnsc6Go>
Subject: Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIME types
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2023 00:53:35 -0000
+1 to the commentary on keeping payloads opaque until after security checks. One interesting difference between jose and cose, is that jose has: typ: the content type of the token. cty: the content type of the payload. For most JWT use cases the cty value is sorta redundant, since we expect the payload to be of type application/json. For COSE, there is no registered tag for typ, and we might expect many different cty values, since COSE is friendlier as an envelope format to wrapping different content types. I am not sure about CWTs, are they also expected to produce cbor or can they be used to produce json after verify? I am intrigued by the difference between: jwt+json (doesn't make sense) json+jwt (alternative name for JWT?) And cwt+cbor (kinda makes sense) cbor+cwt (alternative name for CWT?) According to the JWT BCP, the specific typing is used to distinguish different types of tokens, and so: typ: subtype+jwt Just to highlight the draft / todos related to this thread: 1. Multiple suffixes draft 2. +cwt suffix registration 3. typ tag for COSE (if parity with JWT BCP is desired) OS On Tue, Apr 4, 2023, 3:35 PM Smith, Ned <ned.smith@intel.com> wrote: > +1 to: > > > The security & safety aspect is definitely important here – I was > assuming that a receiver that cannot understand/parse the full media type > may just render some informative details about the > > > data object to the user, or log these details in a nice way (so that a > user reading the logs can understand), without necessarily continuing to > process: > > > the receiver should not take any risky / critical actions like > authorizing something, based on a partially parsed data item. Whatever the > media type composition it remains the responsibility of the > > > receiver to not be vulnerable to attacks done by an attacker e.g. > sending half-correct data items to that receiver. > > > > It seems the intent of having a security envelope is that what is inside > the envelope remains off limits (opaque) until the security checks are > satisfied. > > The content-type-name conventions could model the intent that envelope > payloads remain opaque by excluding them from a content-type-name structure > that includes a crypto envelope (e.g., cose, jose, cwt, jwt, eat). When the > cryptographic processing is complete, what remains is the payload and that > payload should/could have a different content-type-name. RATS found it > helpful to define uccs to represent unsigned cwt. For example, if an ar4si > structure was placed in a cose envelope, the content-type-name might be > “application/cose+cbor”. Following the processing of the envelope, the > resulting content might have a content-type-name of > “application/ar4si+cbor”. Alternatively, if the envelope was > “application/cwt+cbor”, the resulting verified output might be > “application/ar4si+uccs”. > > > > Any of the token types (jwt, cwt, eat) are interesting because they have > both an envelope and a content (that is intended to be opaque until after > the security checks are finalized). > > > > In the case of cwt, uccs [I-D.ietf.rats.uccs] would be the expected > emergent content type. But even if cose was used instead of cwt, uccs could > still be a reasonable emergent content type. > > > > Keeping crypto enveloped payloads opaque also implies content-type > nesting. > > > > *From: *RATS <rats-bounces@ietf.org> on behalf of Esko Dijk < > esko.dijk@iotconsultancy.nl> > *Date: *Tuesday, April 4, 2023 at 9:16 AM > *To: *Orie Steele <orie@transmute.industries> > *Cc: *"Smith, Ned" <ned.smith@intel.com>, Laurence Lundblade < > lgl@island-resort.com>, Michael Richardson <mcr@sandelman.ca>, Thomas > Fossati <Thomas.Fossati@arm.com>, Thomas Fossati <tho.ietf@gmail.com>, > cose <cose@ietf.org>, rats <rats@ietf.org>, "anima@ietf.org" < > anima@ietf.org> > *Subject: *Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIME types > > > > The security & safety aspect is definitely important here – I was assuming > that a receiver that cannot understand/parse the full media type may just > render some informative details about the data object to the user, or log > these details in a nice way (so that a user reading the logs can > understand), without necessarily continuing to process: > > the receiver should not take any risky / critical actions like authorizing > something, based on a partially parsed data item. Whatever the media type > composition it remains the responsibility of the receiver to not be > vulnerable to attacks done by an attacker e.g. sending half-correct data > items to that receiver. > > > > For example, if a receiver logs every failed request carrying a > ‘eat+cwt+cbor’ item where the CWT is incorrect in a CBOR diagnostic > notation in the log file; then the attacker has a nice way to try to > overflow the logs. But the same problem is there if it would be an > ‘eat+cwt’ media type, although slightly different perhaps. (The version of > ‘eat+cwt+cbor’ may give a slightly larger attack surface in > implementations. E.g. a developer may be more tempted to let the receiver > treat the data item as CBOR as a fallback option and do something with it, > thus wasting system resources.) > > > > In ANIMA WG we just had a call to discuss we could have a ‘+cose’ subtype > registered, so that our Voucher format could be “voucher+cose” or > “voucher-cbor+cose” or so. (The latter ‘-cbor’ is appended to distinguish > from the archetypical Voucher data format which is JSON. The fact that the > COSE wrapper is itself CBOR, is independent from that.) > > Input from COSE WG members would be useful for this! > > > > Esko > > > > > > *From:* Orie Steele <orie@transmute.industries> > *Sent:* Tuesday, April 4, 2023 17:27 > *To:* Esko Dijk <esko.dijk@iotconsultancy.nl> > *Cc:* Smith, Ned <ned.smith@intel.com>; Laurence Lundblade < > lgl@island-resort.com>; Michael Richardson <mcr@sandelman.ca>; Thomas > Fossati <Thomas.Fossati@arm.com>; Thomas Fossati <tho.ietf@gmail.com>; > cose <cose@ietf.org>; rats <rats@ietf.org>; anima@ietf.org > *Subject:* Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types > > > > Inline > > > > On Tue, Apr 4, 2023 at 2:55 AM Esko Dijk <esko.dijk@iotconsultancy.nl> > wrote: > > > So you can read the subtype "eat" and then consider it as +cwt, +cose, > +cbor, for an example media type of "application/eat+cbor+cose+cwt" > > > > It looks like in your example the order is reversed; given the existing > examples defined in draft-ietf-mediaman-suffixes-03 Section 2.1? > > > > Let’s assume it is the reverse, namely “application/eat+cwt+cose+cbor”. > Then following the Section 2.1 examples a parser would go through these > steps for example: > > > > - Do I know “application/eat+cwt+cose+cbor” ? No. > - Do I know “+cbor” ? Yes, decode it as CBOR – ok it’s valid, proceed > to next stage of the processing pipeline. > - Do I know “+cose” ? No. Processing stops here. > > > > Is it safe to end here? > > > > > - > - End result: I’ll render it in CBOR diagnostic notation. > > > > Is this safe for a token format? > > > > > - > > > > Another parser might do these steps: > > > > - Do I know “application/eat+cwt+cose+cbor” ? No. > - Do I know “+cbor” ? Yes, decode it as CBOR – it’s valid, proceed to > next stage of the processing pipeline. > - Do I know “+cose” ? Yes, that’s COSE semantics – decode it – it’s > valid, and although I can’t verify the signature, go to next stage of the > processing pipeline. > - Do I know “+cwt” ? No, stop here. > > > > Again is this safe place to end? > > > > > - > - End result: display it as a COSE object. Do not trust it as I can’t > verify the signature. > > > Exactly... This could be desirable, but it makes me a bit nervous... see > "alg=none". > > > > - > > > > Yet another parser: > > > > - Do I know “application/eat+cwt+cose+cbor” ? No. > - Do I know “+cbor” ? Yes, decode it as CBOR – it’s valid, proceed to > next stage of the processing pipeline. > - Do I know “+cose” ? Yes, that’s COSE – decode it – it’s valid, go to > next stage of the processing pipeline. > - Do I know “+cwt” ? Yes, that’s a CWT – now checking that the COSE > payload is correct CBOR with CWT structure inside – okay. > - End result: display it as a CWT. > > > > > > For security oriented APIs this feels like where you want to end... > Perhaps what we are seeing here is an interaction between "safe api design" > and "trying to process stuff that might not be verified, or has been > tampered with"... > > > > > > Using the reverse way "application/eat+cbor+cose+cwt" seems not compatible > with what’s currently written in draft-ietf-mediaman-suffixes-03 about > “pipelines”. > > For example, suppose a “CWT decoder” gets this media type first, and it > then sends “eat+cbor+cose” to the next pipeline stage, that wouldn’t make > sense since the ‘+cbor’ and ‘+cose’ parts were already decoded as part of > ‘+cwt’. > > > > > > I agree, but the JWT BCP uses at+jwt... so you either handle JWT or you > fail... that seems desirable in most security cases. > > > > For completeness here the example from the draft "image/svg+xml+gzip": > > - Do I know "image/svg+xml+gzip" ? No. > - Do I know “+gzip” ? Yes, I can unzip the data – that works. Send the > data to the next pipeline stage. > - Do I know “+xml” ? Yes, that’s just XML – can display it. > > > It is not "just XML".. it is "+xml" vs "application/xml"... this is > discussed in the IETF 116 meeting (and there is no consensus on how the > current draft should be interpreted). > > - https://www.iana.org/assignments/media-types/application/xml > > vs > > - > https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml > - https://www.rfc-editor.org/rfc/rfc7303.html#page-12 > > > > - > - Do I know “svg” ? No. > - End result: display the object in my XML viewer. > > > > (Using here "image/svg+gzip+xml" would lead to incorrect results clearly.) > > > > Yes, this makes me wonder what happens to protected and unprotected > headers, when processing anything with +cwt or +cose in the middle of > multiple suffixes... to me this suggests that they cannot go "in the > middle', unless everything to the left expects them. > > I suppose this concern also applies to +jwt, except in those cases the > intention is very clearly to produce a specific subtype that is also a JWT. > > Arguing against myself: > > “application/eat+cwt+cose+cbor” seems ok if the goal is to end at COSE > without verifying (a tamper friendly media type). > > “application/eat+cwt” seems ok if the goal is to end at an eat token or > fail (tamper unfriendly) > > I am nervous about specifying "verifiable media types" that in practice > processing of verifying can be skipped, and it seems like multiple suffixes > is a gateway to seeing more of these in the future. > > I think it would be nice if the suffixes draft commented on cases where > digital signatures might interact with suffixes, including commenting > on +jwt and +cose. > > > > > > Esko > > > > *From:* Orie Steele <orie@transmute.industries> > *Sent:* Tuesday, April 4, 2023 02:09 > *To:* Smith, Ned <ned.smith@intel.com> > *Cc:* Laurence Lundblade <lgl@island-resort.com>; Esko Dijk < > esko.dijk@iotconsultancy.nl>; Michael Richardson <mcr@sandelman.ca>; > Thomas Fossati <Thomas.Fossati@arm.com>; Thomas Fossati < > tho.ietf@gmail.com>; cose <cose@ietf.org>; rats <rats@ietf.org>; > anima@ietf.org > *Subject:* Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types > > > > Per the JWT BCP, regarding typ. > > > > https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing > > > > The +jwt suffix goes on the end. > > > > You would need to register +eat as a structured suffix otherwise. > > > > My understanding is that you currently intend to register application/eat > as a subtype, not a structured suffix (you can do both, see json). > > > > The 116 meeting mentions that while it is the case today that most > structured suffix are also registered subtypes, this might not be a > reliable assumption in the future. > > > > The current multiple suffixes draft makes it clear that processing of > suffixes is right to left (confusing / surprising perhaps). > > > > So you can read the subtype "eat" and then consider it as +cwt, +cose, > +cbor, for an example media type of "application/eat+cbor+cose+cwt" > > > > As I mentioned before, the multiple suffixes draft might not land... So it > would be better to avoid multiple plus and follow the conventions from the > JWT BCP, and avoid registering new or interesting suffixes, given the > current confusion regarding them. > > > > I'm not saying any of this is correct, just noting what the suffixes draft > says today, and how it is related to the several +jwt media types that have > already been registered. > > > > Another interesting case to consider... Data URI of type "eat+jwt+gzip"... > Since base64 URL encoding can quickly max out QR Codes / NFC or URL limits. > > > > Decompress, verify, parse / validate. > > > > OS > > > > > > On Mon, Apr 3, 2023, 6:36 PM Smith, Ned <ned.smith@intel.com> wrote: > > > application/eat+cbor+cose+cwt > > > > EAT is a specialization of a CWT or a JWT. What in eat is encoded before > the cbor (which encodes the token)? > > > > If the conceptual message is identified by a message wrapper draft-ftbs-rats-msg-wrap-02 > - RATS Conceptual Messages Wrapper (ietf.org) > <https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/>, then the > cbor bytes could be encoded in an cmw array. As in: > > `[ “application/cbor+cose+cwt+eat”, bstr ]` > > > > The discussion around cmw hasn’t concluded, but in theory, the array > structure could be embedded in a conveyance protocol or message that would > have some way to identify it as a cmw. The cmw I-D doesn’t try to define a > media type name for `cmw-array`. Hopefully, that isn’t needed. But it is > the outer most onion skin before talking about conveyance protocol / > message framing. > > > > -Ned > > > > *From: *Orie Steele <orie@transmute.industries> > *Date: *Monday, April 3, 2023 at 3:21 PM > *To: *"Smith, Ned" <ned.smith@intel.com> > *Cc: *Laurence Lundblade <lgl@island-resort.com>, Esko Dijk < > esko.dijk@iotconsultancy.nl>, Michael Richardson <mcr@sandelman.ca>, > Thomas Fossati <Thomas.Fossati@arm.com>, Thomas Fossati < > tho.ietf@gmail.com>, "cose@ietf.org" <cose@ietf.org>, "rats@ietf.org" < > rats@ietf.org>, "anima@ietf.org" <anima@ietf.org> > *Subject: *Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types > > > > Inline: > > > > On Mon, Apr 3, 2023 at 3:10 PM Smith, Ned <ned.smith@intel.com> wrote: > > > there’s no standard for the key material and key identification > > The observation is that the COSE block contains a key-id that can be used > to locate the key material (e.g., I assume key material refers to the > public key needed to verify the COSE signature given asymmetric crypto). > The COSE parser (layer) would normally be equipped to handle this sort of > thing. If the media type was ‘cwt’ the parser would have to support > everything in the COSE layer as well as what’s in the token part as well. > EAT adds additional parsing requirements on top of CWT. Hence, the > expression “application/cbor+cose+cwt+eat” isn’t unreasonable. > > > > I would expect something more like this (according the current suffixes > draft): > > application/eat+cbor+cose+cwt > > or simply: > > application/eat+cwt (since cwt implies cbor + cose) > > Closest JWT analogy currently in the registry: > > - https://www.iana.org/assignments/media-types/application/at+jwt > - https://www.rfc-editor.org/rfc/rfc9068.html > > keep in mind the multiple suffixes is not yet an RFC... if you can avoid > multiple suffixes, I think it is very wise to do so. > > The reason to use multiple suffixes is to signal that there is meaningful > processing that can be done... for token formats, I feel this is less true > than json flavors, such as "application/vc+ld+json". > > I had a discussion with friends at IETF 116 about "sd+jwt" vs "sd-jwt", > related to > https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-03.html#name-iana-considerations-24 > > For example, sd-jwt implies normal jwt processing is not meaningful, > whereas sd+jwt implies jwt processing is meaningful... There were good > arguments on both sides. > > Given the current state of consensus on multiple suffixes, I would > potentially avoid taking a dependency on it if possible, sticking to just 1 > plus. > > > > Someone could argue that “…+cose+cwt…” doesn’t add anything, as “+cwt” > alone could infer both. The same is true for “…cbor+eat…”. > > But I think there is value in being able to describe a fully qualified > representation that is the primitive representation after the various > inferred representations have been computed. > > > > > but that’s about the library, not dispatching some content arriving to a > particular application > > I think the value is it doesn’t assume monolithic applications. A library > or processor that is specific to the encoding between the pluses, e.g., > “+cose+”, can be used in some sort of highly optimized pipeline, rather > than presumed to be a monolith. > > > > *From: *Laurence Lundblade <lgl@island-resort.com> > *Date: *Monday, April 3, 2023 at 12:44 PM > *To: *Orie Steele <orie@transmute.industries> > *Cc: *"Smith, Ned" <ned.smith@intel.com>, Esko Dijk < > esko.dijk@iotconsultancy.nl>, Michael Richardson <mcr@sandelman.ca>, > Thomas Fossati <Thomas.Fossati@arm.com>, Thomas Fossati < > tho.ietf@gmail.com>, "cose@ietf.org" <cose@ietf.org>, "rats@ietf.org" < > rats@ietf.org>, "anima@ietf.org" <anima@ietf.org> > *Subject: *Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types > > > > I’m not sure identifying something as COSE, or even CWT is that useful > because there’s no standard for the key material and key identification > that cuts across all uses of COSE or CWT. > > > > For example with EAT the receiver probably will need an endorsement (a > very specific thing with very specific semantics) with a public key to be > able to process the CWT/COSE. If COSE is used for encrypted email (a future > S/MIME), the key material identification will probably be really different. > It’s hard for me to see what a generic COSE/CWT handler is going to do > here. It’s good and well if an EAT processor uses the same COSE library as > an S/MIME processor, but that’s about the library, not dispatching some > content arriving to a particular application. > > > > No objection to the work here. Just some observations. > > > > LL > > > > > > > > On Apr 3, 2023, at 11:14 AM, Orie Steele <orie@transmute.industries> > wrote: > > > > Yes! That seems to have been one proposal, related to cleaning up the > registry and clarifying interpretation. > > If you have strong opinions on this, please help contribute to the dialog > on this media types list: > > > https://mailarchive.ietf.org/arch/msg/media-types/qO72m31whV5QZmV6kj55KDqS8n8/ > > Regards, > > OS > > > > On Mon, Apr 3, 2023 at 1:12 PM Smith, Ned <ned.smith@intel.com> wrote: > > Interesting! > > It would be nice if I-D.ietf-mediaman-suffixes could define a backward > compatibility convention that shows how existing / registered > media-type-names can co-exist with I-D.ietf-mediaman-suffixes. > > > > > > *From: *Orie Steele <orie@transmute.industries> > *Date: *Monday, April 3, 2023 at 10:47 AM > *To: *"Smith, Ned" <ned.smith@intel.com> > *Cc: *Esko Dijk <esko.dijk@iotconsultancy.nl>, Michael Richardson < > mcr@sandelman.ca>, Thomas Fossati <Thomas.Fossati@arm.com>, Thomas > Fossati <tho.ietf@gmail.com>, "cose@ietf.org" <cose@ietf.org>, " > rats@ietf.org" <rats@ietf.org>, "anima@ietf.org" <anima@ietf.org> > *Subject: *Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types > > > > At IETF 116 this draft was discussed: > > - https://datatracker.ietf.org/doc/draft-ietf-mediaman-suffixes > - https://youtu.be/BrP1upACJ0c?t=1744 > > TLDR; there is work in progress to define multiple suffixes, and how they > are interpreted. > > This would be relevant to potential future +cwt media types, it is already > causing us some concern with respect to special cases of +jwt. > > Regards, > > OS > > > > On Mon, Apr 3, 2023 at 12:28 PM Smith, Ned <ned.smith@intel.com> wrote: > > It seems the early registrations focused on encoding formats for content > to the right of the "+" like '+xml', '+json', '+cbor', '+der', while later > registrations seem to include schema formats like '+jwt', '+sqlite3', and > '+tlv'. > > It would have been nice if the registry defined the right side for > encoding formats and let the left side contain content / schema formats > IMHO. That way, the parsers could scan for the "+" to identify if it > supports the encoding format as a first pass operation. If it can't decode > the first byte, then there's no point in going further. > > If it can decode, then the first byte/bytes may provide insight into what > content is there. For example, a CBOR tagged structure. But additionally, > the left hand side identifies schemas. Given many data structures can be > integrity protected, signed, and encrypted. Supplying a value that > describes a cryptographic enveloping schema / format seems like a > reasonable requirement for the '-label' to the immediate left of the plus, > e.g., "-cose+cbor". > The data within the cryptographic envelope may follow a well-defined > schema such as the RATS ar4si. E.g., "ar4si-cose+cbor". I don't see a > problem with omitting the cryptographic envelope label if no envelope is > provided. E.g., "ar4si-+cbor". > > JWT and CWT are both an envelope and a data model schema, so the > cryptographic envelope could be inferred. But it wouldn't be incorrect to > restate the obvious for the benefit of the parsers who only care about > cryptographic wrapper processing. E.g., "jwt-jose+json" is still a > reasonable way to encode 'jwt'. > > If there are content schemas that are to the left of some other content > schema, then that can be accommodate easily by prepending another 'label-'. > E.g., "ar4si-jwt-jose+json". > > This approach allows an initial parser / message router to get a view of > all the parsers needed to fully inspect the message in advance of making an > initial message routing decision which would enable efficient parser > offload architectures. There could be different registries for the > different types of structure "+label" for encoding formats only, "-label" > to the immediate left of "+" for cryptographic enveloping, and application > formats for the next left most content. > > To make processing even more efficient, the content-type-name should > reverse the order based on outer-most format. E.g., "json+jose-jwt-ar4si". > This way buffer only needs to contain the first bytes up to the '+' and so > forth. > > I realize this goes beyond the initial focus of the discussion thread. But > IETF is also concerned about the long-term future of the Internet and in > optimizing wherever it makes sense. Content typing is just a form of deep > packet inspection that goes beyond network framing. > > Cheers, > Ned > > On 4/3/23, 12:33 AM, "RATS on behalf of Esko Dijk" <rats-bounces@ietf.org > <mailto:rats-bounces@ietf.org> on behalf ofesko.dijk@iotconsultancy.nl > <mailto:esko.dijk@iotconsultancy.nl>> wrote: > > > Hi, > > > As for the questions mentioned on these slides: > > > 1. "Is is '-cose+cbor' or '-cbor+cose' > > > The registry > https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml > < > https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml> > lists the subtypes that one have after the '+' sign. > 'cbor' is there but 'cose' is not. 'cwt' is also not there. > > > So for the moment, registering a 'mytype+cose' or 'voucher+cose' or > 'voucher-cbor+cose' is not possible now unless you would also register the > '+cose' as a subtype. RFC 9052 did not choose to register the subtype > '+cose', for whatever reason. > > > Luckily because COSE is just "plain CBOR" itself , we can use the subtype > '+cbor'. So having "voucher-cose+cbor" would be fine. Also "voucher+cbor" > would be equally ok albeit a little bit less informative that it contains > COSE. > > > > > 2. "are they sufficiently different" (this is about > application/voucher-cose+cbor and application/eat+cwt formats) > > > The voucher is not a CWT format, e.g. it does not use the standardized CWT > claims at all. It defines an own format within the constraints of YANG > CBOR, while CWT does not use any YANG semantics. > > > (Now converting the constrained Voucher format into a CWT based format > would certainly be possible; but that's probably not the discussion > intended by these slides.) > > > Regards > Esko > > > PS more detailed info at > https://github.com/anima-wg/constrained-voucher/issues/264 < > https://github.com/anima-wg/constrained-voucher/issues/264> > https://github.com/anima-wg/constrained-voucher/issues/263 < > https://github.com/anima-wg/constrained-voucher/issues/263> > > > -----Original Message----- > From: Anima <anima-bounces@ietf.org <mailto:anima-bounces@ietf.org>> On > Behalf Of Michael Richardson > Sent: Monday, March 27, 2023 01:19 > To: Thomas Fossati <Thomas.Fossati@arm.com <mailto:Thomas.Fossati@arm.com>>; > Thomas Fossati <tho.ietf@gmail.com<mailto:tho.ietf@gmail.com>>; > cose@ietf.org <mailto:cose@ietf.org>; rats@ietf.org <mailto:rats@ietf.org > >; anima@ietf.org<mailto:anima@ietf.org> > Subject: Re: [Anima] [Rats] cose+cbor vs cwt in MIME types > > > Michael Richardson <mcr+ietf@sandelman.ca <mailto:mcr+ietf@sandelman.ca>> > wrote: > > COSE CHAIRS: can we have 5 minutes for this discussion? > > I guess I can make two slides tomorrow and get Thomas to co-author them. > > > I guess we didn't get any time at COSE. > > > > https://github.com/anima-wg/voucher/blob/main/presentations/ietf116-cose-mime-cwt.pdf > < > https://github.com/anima-wg/voucher/blob/main/presentations/ietf116-cose-mime-cwt.pdf > > > > > _______________________________________________ > Anima mailing list > Anima@ietf.org <mailto:Anima@ietf.org> > https://www.ietf.org/mailman/listinfo/anima < > https://www.ietf.org/mailman/listinfo/anima> > > > _______________________________________________ > RATS mailing list > RATS@ietf.org <mailto:RATS@ietf.org> > https://www.ietf.org/mailman/listinfo/rats < > https://www.ietf.org/mailman/listinfo/rats> > > > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose > > > > > -- > > *ORIE STEELE* > > Chief Technical Officer > > www.transmute.industries > > > > *Error! Filename not specified.* <https://www.transmute.industries/> > > > > > -- > > *ORIE STEELE* > > Chief Technical Officer > > www.transmute.industries > > > > *Error! Filename not specified.* <https://www.transmute.industries/> > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose > > > > > > > -- > > *ORIE STEELE* > > Chief Technical Officer > > www.transmute.industries > > > > > > > -- > > *ORIE STEELE* > > Chief Technical Officer > > www.transmute.industries > > > > [image: Image removed by sender.] <https://www.transmute.industries/> >
- [Rats] I-D Action: draft-ietf-rats-eat-media-type… internet-drafts
- Re: [Rats] I-D Action: draft-ietf-rats-eat-media-… Thomas Fossati
- Re: [Rats] I-D Action: draft-ietf-rats-eat-media-… Orie Steele
- Re: [Rats] I-D Action: draft-ietf-rats-eat-media-… Thomas Fossati
- Re: [Rats] I-D Action: draft-ietf-rats-eat-media-… Michael Richardson
- Re: [Rats] I-D Action: draft-ietf-rats-eat-media-… Orie Steele
- Re: [Rats] I-D Action: draft-ietf-rats-eat-media-… Thomas Fossati
- [Rats] cose+cbor vs cwt in MIME types Michael Richardson
- Re: [Rats] cose+cbor vs cwt in MIME types Thomas Fossati
- Re: [Rats] cose+cbor vs cwt in MIME types Thomas Fossati
- Re: [Rats] [COSE] cose+cbor vs cwt in MIME types Laurence Lundblade
- Re: [Rats] [COSE] cose+cbor vs cwt in MIME types Thomas Fossati
- Re: [Rats] cose+cbor vs cwt in MIME types Michael Richardson
- Re: [Rats] cose+cbor vs cwt in MIME types Smith, Ned
- Re: [Rats] cose+cbor vs cwt in MIME types Michael Richardson
- Re: [Rats] [Anima] cose+cbor vs cwt in MIME types Michael Richardson
- Re: [Rats] [Anima] cose+cbor vs cwt in MIME types Esko Dijk
- Re: [Rats] [Anima] cose+cbor vs cwt in MIME types Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Michael Richardson
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Laurence Lundblade
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Michael Richardson
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [Anima] [COSE] cose+cbor vs cwt in MIM… Esko Dijk
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Esko Dijk
- Re: [Rats] [Anima] [COSE] cose+cbor vs cwt in MIM… Michael Richardson
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Esko Dijk
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Laurence Lundblade
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Smith, Ned
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Esko Dijk
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Orie Steele
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Esko Dijk
- Re: [Rats] [Anima] [COSE] cose+cbor vs cwt in MIM… Esko Dijk
- Re: [Rats] [Anima] [COSE] cose+cbor vs cwt in MIM… Michael Richardson
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Michael Richardson
- Re: [Rats] [COSE] [Anima] cose+cbor vs cwt in MIM… Michael Richardson