[Rats] Re: UCCS and EAT media types (was: Re: Re: AD follow-up review of draft-ietf-rats-uccs-09)

Orie Steele <orie@transmute.industries> Mon, 03 June 2024 15:24 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 108DEC151980 for <rats@ietfa.amsl.com>; Mon, 3 Jun 2024 08:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xm_5tv-p7GRF for <rats@ietfa.amsl.com>; Mon, 3 Jun 2024 08:24:30 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F086C1D4A63 for <rats@ietf.org>; Mon, 3 Jun 2024 08:24:30 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id 41be03b00d2f7-6c7bf648207so1729579a12.0 for <rats@ietf.org>; Mon, 03 Jun 2024 08:24:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1717428270; x=1718033070; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Y37KotTrNl6cIfXlHRrYOFER9lh9MTdKWzjemTJF1vc=; b=TcLT1AlbVYLyW4qElAGRystiZFvp4SqjBe7DeXImWbnVp+BntpzDw/dJ66vYq3TJYl in7gvYKoXdESCApJDavHU5fzKJtd5MHgA1G/+G+XtsR13yZ6xaYGKYZgqBWjVtRsui51 x7bXRkZvGS/YeJ+Xfs50XqHMnsoizhJBayr2vDNWdp2l/o9gc6aaVosNgQNsFkESYF5+ 5nOvl9uKn9Akj1W/wxtYqL8luVDBMfqdcmUh7GWsOG4Jv+LIY3hozsqs+acxDhkRrGVk DMZQvlrIzbr47uRUKmtAvCSBLJ8Ygf1mm3KEMjA9UsRIJge/nxWRkRVsW/HCg8AhjIYe 5Uow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717428270; x=1718033070; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Y37KotTrNl6cIfXlHRrYOFER9lh9MTdKWzjemTJF1vc=; b=kPaeuCm7EpHCeyTwTDfS8qUzjQ+8q+6c7Qcywy7vz6HxbDE8GT4LYjC8MWNhxX+8Ct 1SDnFu7afBy1r535JdvODsU7cfUQZxGUfLSpay3tKsOOhyGsZ4p9r32v45SZn4jn8tUc 2AA+3i6bnFC45SSVgKQaF4MGXSO4UDu9EaFNvMo9yPQ3816aBDTg7/0NMV+lK9qSjKO6 2HoDROeZ1ZQsaWVVA9jdYOi6uJLuRlMfwGjVi3YbjO7P4EN+LDcGNSUgJmigfrMa60FA seOdW5jSyjXuVtai//uR5SsGcKGCHqTQYf+DjHRhs5YFuWSAi7HN6cDVgBVnxvNl8MkK Qfsg==
X-Forwarded-Encrypted: i=1; AJvYcCVWr6PJGaWvcBYe/b3irQovg2W3yWpCbv3UuBWsAnViQuvA+bHjiCUbfXMX2/tzoxWRhSYrq06Vh4+viRam
X-Gm-Message-State: AOJu0YzLOqfY4+zhxCv6IKKd/M7z9rFV3SkfB7XL8o56ZGwPYKO5rcRo +q9H3CLAxLA3B77c+JX+nYtOQv4F4jA2GbhDTGPFYaSxDkgQ17jZ6996uj7gJPAvAX+3FjIt8j5 agb+5ndZEcBlr8Tha7VjCNCwuWwXK/MYhZepw6A==
X-Google-Smtp-Source: AGHT+IHKuafk8YUY56E7sbPjNHY5U/0yyJ/onwR/DtL+3+/h11sBCUzsQ2bEaECiPHUoJavxmfb6C7lFe+H4uFSkbqU=
X-Received: by 2002:a17:90b:124a:b0:2ba:171e:7a88 with SMTP id 98e67ed59e1d1-2c1dc58ace7mr8277370a91.24.1717428269426; Mon, 03 Jun 2024 08:24:29 -0700 (PDT)
MIME-Version: 1.0
References: <PH1P110MB1116C5BE031039613AA69302DC2DA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM> <609017C0-5043-46A1-81B1-6835F4BD6FF9@tzi.org> <CA+1=6ydAVSbKmphfiFiukv2m7tpkgsZ3RUsqcQW1QRZeMc9_qA@mail.gmail.com> <6E22DA74-DF3A-48ED-AC30-CCEFB4816A05@tzi.org>
In-Reply-To: <6E22DA74-DF3A-48ED-AC30-CCEFB4816A05@tzi.org>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 03 Jun 2024 10:24:18 -0500
Message-ID: <CAN8C-_L_bc4ggCAM9B4PUyayS6yhszn4EEqK9onQZgArX9U=hQ@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Content-Type: multipart/alternative; boundary="000000000000ed47260619fdedd6"
Message-ID-Hash: JHGWMGEQNT66XNC3TSUN3FBAHXJ7XE4D
X-Message-ID-Hash: JHGWMGEQNT66XNC3TSUN3FBAHXJ7XE4D
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "thomas.fossati@linaro.org" <thomas.fossati@linaro.org>, Roman Danyliw <rdd@cert.org>, "rats@ietf.org" <rats@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: UCCS and EAT media types (was: Re: Re: AD follow-up review of draft-ietf-rats-uccs-09)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/LhJT0HWtFzzBr1suTgJNw9gSikc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

[as an individual, media type enthusiast]

On Mon, Jun 3, 2024 at 10:09 AM Carsten Bormann <cabo@tzi.org> wrote:

>
>
> > On 2024-06-03, at 09:46, Thomas Fossati <thomas.fossati@linaro.org>
> wrote:
> >
> > Hi Carsten,
> >
> > On Fri, 31 May 2024 at 22:45, Carsten Bormann <cabo@tzi.org> wrote:
> >>> I don’t understand.  This CDDL in Appendix A is normative, and so is
> the flexibility in its design to support JSON.  Otherwise, it would be “C<
> ...>” and not “JC<...>”.  I don’t take exception with providing a JSON
> binding but please explain this in the prose and in the introduction..
> >>
> >> We now made it explicit that this is there as “CDDL you can use” — a
> normative intent when actually using this is desirable but the CDDL itself
> is not changing the specifications in any way, hence it is an informative
> appendix.  Line 462..465.
> >
> > Hence, UJCS is *not* defined by draft-ietf-rats-uccs.  Correct?
>
> Well, it is *defined*.
> It is another name for the JWT claims set as defined in RFC 7519.
> The UCCS document simply supplies CDDL that can be used for this.
> The UCCS document also describes the role an unprotected claims set can
> have in the RATS context, specifically for UCCS.
> There is no normative intent with this definition beyond that, but the
> description of the role of UCCS can be analogously applied to UJCS.
> The normative intent of referencing UJCS would be in the document that
> uses this CDDL definition normatively.
> Interestingly, Section 4.2.18 already reads exactly like this, without
> using the term UJCS (it only gives UCCS as an example).
>
> > If so, we need to remove it from draft-ietf-rats-eat-media-type.
>
> I don’t think that this is necessarily following.
>
> > As an aside, I am starting to wonder whether it'd be better for
> > draft-ietf-rats-eat-media-type to just drop the registrations for UCCS
> > and let draft-ietf-rats-uccs handle it.
>
> I think this could also very well be done (media type and content format,
> that is).
> Is there a need to have “eat” in the name?
> (I would probably also let the names reveal that UJCS and UCCS are not
> exactly the same data structures, so this would be application/uccs+cbor
> and application/ujcs+json.)
>

I like these suggestions... especially if uccs and ujcs are indeed
different subtypes.

There are other cases where an unsigned json or cbor claimset might be
useful.

I am specifically thinking of some status lists, such as
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

Note a change in -01 : "add option to return an unsigned Status List see
section 8.1:

   *  "application/statuslist+json" for Status List in JSON format
   *  "application/statuslist+jwt" for Status List in JWT format
   *  "application/statuslist+cbor" for Status List in CBOR format
   *  "application/statuslist+cwt" for Status List in CWT format

arguing against myself for a moment, perhaps EAT should remain in the name,
because it is considered a best practice to use more specific media types /
content formats.

Or perhaps the same "uccs != ujcs" logic applies to the JSON and CBOR
status list representations that OAuth contemplates.


> > Transplanting Section 6.7 [1] and moving the "ucs" line from Table 2
> > [2] should do the trick, and disentangle the fate of the two
> > documents.
> >
> > cheers, t
> >
> > [1]
> https://www.ietf.org/archive/id/draft-ietf-rats-eat-media-type-07.html#section-6.7
> > [2]
> https://www.ietf.org/archive/id/draft-ietf-rats-eat-media-type-07.html#table-2
>
> _______________________________________________
> RATS mailing list -- rats@ietf.org
> To unsubscribe send an email to rats-leave@ietf.org
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>