[Rats] OIDs for profile (was Re: IANA pre-RFC code points)

Laurence Lundblade <lgl@island-resort.com> Mon, 01 March 2021 03:11 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDB863A138D for <rats@ietfa.amsl.com>; Sun, 28 Feb 2021 19:11:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWNMrLglvlMF for <rats@ietfa.amsl.com>; Sun, 28 Feb 2021 19:11:39 -0800 (PST)
Received: from p3plsmtpa11-06.prod.phx3.secureserver.net (p3plsmtpa11-06.prod.phx3.secureserver.net [68.178.252.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 385C63A138C for <rats@ietf.org>; Sun, 28 Feb 2021 19:11:39 -0800 (PST)
Received: from [192.168.23.97] ([189.222.136.252]) by :SMTPAUTH: with ESMTPSA id GYy9lhenAhFMzGYy9leNtr; Sun, 28 Feb 2021 20:11:38 -0700
X-CMAE-Analysis: v=2.4 cv=MNClJOVl c=1 sm=1 tr=0 ts=603c5b6a a=jpg7Y8Xf5Z06fcc9mZ46Dw==:117 a=jpg7Y8Xf5Z06fcc9mZ46Dw==:17 a=IkcTkHD0fZMA:10 a=K6EGIJCdAAAA:8 a=7CQSdrXTAAAA:8 a=lKIKd7NtAAAA:8 a=48vgC7mUAAAA:8 a=zWWAyoP6ngCBYHP9O0wA:9 a=SChmsQHJkxmP2Eir:21 a=5REtb0ZjvetpMmsb:21 a=QEXdDO2ut3YA:10 a=L6pVIi0Kn1GYQfi8-iRI:22 a=a-qgeE7W1pNrGK8U0ZQC:22 a=Q4nn7pJknIVYsolpXXmV:22 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <31513B32-3CC6-4AE0-8C79-4A9078DEE3EE@island-resort.com>
Date: Sun, 28 Feb 2021 19:11:36 -0800
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Thomas Fossati <Thomas.Fossati@arm.com>, "rats@ietf.org" <rats@ietf.org>, Simon Frost <Simon.Frost@arm.com>, Adrian Shaw <Adrian.Shaw@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <115687F0-10AE-4710-BE0C-8D35AC8D8B94@island-resort.com>
References: <80F4DFAD-8A5D-44DC-BEDF-BA96B7F21991@arm.com> <D7AFAA80-B8EE-4657-8A81-71FE4F79E23B@island-resort.com> <CO1PR11MB51690D5D3D7EA17153C83EBAE5889@CO1PR11MB5169.namprd11.prod.outlook.com> <B549435F-1896-4A8D-A1FB-CE57567E824D@island-resort.com> <0CF448FE-B249-496E-B1A8-528B189DA16C@intel.com> <E386083F-DD06-452D-A6A7-6EEC0C79A1F8@island-resort.com> <DC3C69C6-4995-4050-B8E0-38057B321DE7@arm.com> <AC5754A8-1BC3-49E9-8B61-F7DA96BDDA99@island-resort.com> <79A5E862-B336-4B67-AE02-9E6F2E9375AC@arm.com> <B34C7BD7-6EE7-4948-911F-F1F92FAB3954@island-resort.com> <4473BF8F-2681-4F0B-8152-2194F23A12CE@arm.com> <7b79459f-b766-d821-e549-7b3068760a10@sit.fraunhofer.de> <31513B32-3CC6-4AE0-8C79-4A9078DEE3EE@island-resort.com>
To: "Smith, Ned" <ned.smith@intel.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-CMAE-Envelope: MS4xfCluXQvTl/UwVFCG0S1brNXs9YcjAVPWo/X/nE6QQmsv6BwSSv6wpuext8nvIe0ehTeQnnD2sCEVPARy0nm8w4+evSWJETZsj86Do1AD16TxEUGZDlZH xXxLs3fG/l8HV7QdlIvDPJt9DJwfY5Kw/vHmtVlyucokyG2Cihv2cvSaUiz/K7KzPcmvQipZOnCMaR+ADMCsh1zRh0WGTdE3FmTpMUPJJgmQ0C+gb1hJxC+e XLR4cdyZnAq/wBJeWlQSwiTOAiEnMyDW5MHJ9HLDwGKTOPDycdmmCoLmBz9wS6/5CU9lHF4EhoMXen3RRbTvaACW5z3mon9dj8vEJcN6mi0PR7eSitHsGP/p zMu//bN0+bn98c2lm79kqBtWX/uVkl5a/zFqX/iLWJLmditkjtU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/3rYERjP_GNEi0v1sxyiixDX5H8M>
Subject: [Rats] OIDs for profile (was Re: IANA pre-RFC code points)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 03:11:41 -0000

FYI, one of the implications of using an OID here is that to translate a token to/from CBOR to JSON will require code to turn CBOR OIDs into text string dotted-decimal OIDs and vice versa. That’s going to require a full encoder/decoder of the ASN.1 OID format. 

This is probably OK because:
- this is nothing near a full ASN.1 encoder/decoder
- this will happen mostly on servers where code size is not an issue

Note that the plan to format an OID in JSON is to use a text string like “1.2.20.1”. 

(I’m working on code that will translate CBOR tokens to JSON; it’s a good validation of the EAT draft).

LL


> On Feb 27, 2021, at 8:29 PM, Laurence Lundblade <lgl@island-resort.com> wrote:
> 
> OK. There’s a PR for OIDs and URIs now. It also does pre-assignment for the profile claim so it can be included. 
> 
> Ned, please advice on next step here.
> - Is Profile stable enough for reassignment?
> - If so, do we have to issue an -09 draft?
> 
> Please, no more request for claims for pre-assignment so we can get this done.
> 
> LL
> 
> 
> 
>> On Feb 17, 2021, at 3:06 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
>> 
>> + 1 to:
>> 
>> * oids as a preferred choice (uri are fine but alas not very concise)
>> * avoiding unstructured text (and inheriting that weirdness here)
>> * avoiding more registries (not only because of more delay)
>> 
>> On 17.02.21 10:55, Thomas Fossati wrote:
>>> Hi Laurence,
>>> On 17/02/2021, 00:59, "Laurence Lundblade" <lgl@island-resort.com> wrote:
>>>>> On Feb 16, 2021, at 5:44 PM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
>>>>> 
>>>>> On 16/02/2021, 20:25, "Laurence Lundblade" <lgl@island-resort.com> wrote:
>>>>>> Below...
>>>>>> 
>>>>>>> On Feb 16, 2021, at 11:10 AM, <Thomas.Fossati@arm.com> wrote:
>>>>>>> 
>>>>>>> On 16/02/2021, 17:43, <lgl@island-resort.com> wrote:
>>>>>>>> 
>>>>>>>> If we can agree that profiles are necessary and that a simple
>>>>>>>> text string is good enough to name a profile, then we can put in
>>>>>>>> in the pre-allocation.  We don't have to agree on the mechanism
>>>>>>>> for defining profiles, just for naming them.
>>>>>>> 
>>>>>>> I think what is in -08 in terms of defining a profile is great.
>>>>>>> 
>>>>>>> I think we should just nail down the type and constraints around
>>>>>>> the claim value.  The way it is now (i.e., plain, unstructured
>>>>>>> tstr) creates an incentive to using short strings and therefore
>>>>>>> increasing the chance of collisions, which is bad.
>>>>>>> 
>>>>>>> If we say:
>>>>>>> ~~~
>>>>>>> profile-claim = ( profile => $profile-type,)
>>>>>>> 
>>>>>>> $profile-type /= uri ; i.e., #6.32(tstr)
>>>>>>> $profile-type /= oid ; draft-ietf-cbor-tags-oid
>>>>>>> ~~~
>>>>>>> 
>>>>>>> We'd allow both human readable https://fidoalliance.org/profile/a,
>>>>>>> as well as compact, machine readable 1.3.6.1.4.1.etc in a way that
>>>>>>> prevents clashes.
>>>>>>> 
>>>>>>> I don't think it's crazy to expect the profile owner to also
>>>>>>> control a DNS name and/or a PEN.
>>>>>> 
>>>>>> Yes, I was thinking we might want this to be a URI or such myself.
>>>>>> Here’s several options:
>>>>>> 
>>>>>> 1) Make it string-or-uri like the JWT issuer, subject and audience
>>>>>>   claims. Already well-established approach.
>>>>>> 
>>>>>> 2) Allow string, URI or OID. Most flexibility, but do we really
>>>>>>   need OIDs?
>>>>> 
>>>>> I like OIDs because they are relatively compact and unambiguous.
>>>>> They look like the CBOR-friendly equivalent of URIs.  They also
>>>>> render well in JSON as strings in dotted notation.
>>>> 
>>>> I think a good very compact CBOR-friendly way would be to use a simple
>>>> integer in some way.
>>>> 
>>>> One way to do that is to make an IANA registry for profiles with each
>>>> entry:
>>>>  - integer
>>>>  - name
>>>>  - URI
>>> Yes, but we'd need another registry.  Going with URIs and OIDs (PENs)
>>> would avoid the extra IANA round-trip.
>>>> The profile claim in a token could be solely the integer value. Or it
>>>> could be the URI or the text string.
>>>> 
>>>> I'd prefer that to more use of OIDs.
>>> I am not married to any particular format, I am looking for one that can
>>> effectively balance:
>>> * compactness of representation
>>> * minimal IANA impact
>>> * collision avoidance of the identifiers
>>>> The policy for the registry would be pretty loose. Just indicate the
>>>> existence of some document somewhere. Maybe reserve the values less
>>>> than 24 for profiles documents that are standards.
>>>> 
>>>> This seems pretty good to me, but I'm a bit worried about delaying the
>>>> pre-allocation for it since it involves creating another IANA
>>>> registry.
>>> yep
>>> cheers, t
>>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>>> _______________________________________________
>>> RATS mailing list
>>> RATS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/rats
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats