[Rats] Re: Mohamed Boucadair's Discuss on draft-ietf-rats-msg-wrap-21: (with DISCUSS and COMMENT)

Thomas Fossati <thomas.fossati@linaro.org> Tue, 02 December 2025 16:58 UTC

Return-Path: <thomas.fossati@linaro.org>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B7EEC93FDC74 for <rats@mail2.ietf.org>; Tue, 2 Dec 2025 08:58:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAySPuFZcM1g for <rats@mail2.ietf.org>; Tue, 2 Dec 2025 08:57:59 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 947C893FDC59 for <rats@ietf.org>; Tue, 2 Dec 2025 08:57:59 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-597c83bb5c2so509018e87.3 for <rats@ietf.org>; Tue, 02 Dec 2025 08:57:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1764694678; x=1765299478; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ljcy70DeUPDE1ZiqsKzNcm973fIQ+CirI2qIVCI8k/s=; b=kcK8ALFzPB+W6Iwaz7JUs9xm/QcNGdwPZIDU7RZ8PMreVK44QF+IYY7q8DQrRnqxPM wZAf4Y1UVBpKn/T7ZnsSpLeXhdMH3xpAzyf28J7QefqGBR1Yos6dmDKH0tPP7qbyODId 3kBRIfuXekcHW420UPvsvk/FzkQfuleQ+CPeX3DcKza36ZfQRLW94DmPAzEYyktHrhJX wKDKa1lz7Rv5xfXq8daXPhBe8go8U39pEjrqYEIDTAqrmAMQEWTHRCIO/nlG4TqiSsL5 yszETYf8kE6YJ6/k4FzcjmCN4JyB9a02DAyRhxHDIZcMAvcuOsflltQQNbvTWwYU4wAc lyzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764694678; x=1765299478; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=ljcy70DeUPDE1ZiqsKzNcm973fIQ+CirI2qIVCI8k/s=; b=WoOeo4pqMHz2IdZqye7v8gKs71GuhxcGsL8CmtDgYyYH6RsFGVajJ42EgdslYm40ZT F50w+5flkNvnc4xzLm1nGf/tLGxCgUxv6/CK7Zxg382sR+7orvJ4QH7RVbSYs0rDf4Xf ahVW8hT3mwvEUYd005v+lsFEsEdHti4MocHNc7llKlZDiyExetGzrl7izhG4mSR4Z1p2 k519pBCGW9bjOnDIAgSHcsbstL9u8IDzksZHeOr+xCjkSUTeixMvOgqX41oJAP+8xGYJ nItGWvgzdfMQU+3FrjgTiI9EjGxmcfsZJ8SJNX3QQCUGjiWZP2i7SouhGElLWspDn0wr YSjw==
X-Forwarded-Encrypted: i=1; AJvYcCU9Z6DA30zaqWtgXgyU+zl1NrTOG64w+ey0m8FSL/wtsSXAaNds5CYmf3VVmTv9P9Lx6loC@ietf.org
X-Gm-Message-State: AOJu0YwmRw3oDcqfdS1UhRcKy7paG1hN+AFv+6MX/WYu4+prQBsoNhhW tCYFlJ8Lnw/uryvRkG8kbVflnqedBTnf+xWd3UBoaN2rVheeW88dWhFW7CjYhvTuhW+y0d8Srkq 4Pq7l5b0OW+mamkYoREQRrIkpuUIJid5OW8ZgA46I9Q==
X-Gm-Gg: ASbGncv2mmYBzejtAcHfRr0moCsVoz1rXZv4S2XGp+RSm/0ovi2dtr0Od2NF1VLtC7y IwrWg0pbMxoeU/sivwbT+OXL41cdWpMmo03zktxpmtnemZswcWzL+x94JKSUXxAs7Vu1+5RSvPX L5l39nUr2JxOHm/cK/SCK+7APZT4I64aivtUwLS5vmNvpUSQiX+axJUImP9MdBkfz8LLCFHW4FH LCrIi+4GkVlh06fQs0q9EGScGfpLZ/SWpzCUNyD4TE4e1FNM4euVszujH87GJpNAG5q9zNvtm81 ai8HV6wTvg8jBpPA0SuTRdHqng+P/HYQILFO6xtKNqtuGnZI3GpXXXtSgYZbwbTyBpTP4joMKvi OMkOxa2RHJaXJOpxxf/HrA8che/VLzLSJfA4AiIII9yeOPQ0PRxcK8LxOhza0eBAaQxEo1g==
X-Google-Smtp-Source: AGHT+IFdsgmLkpzXm6CfsynnQs9IugX8dLExW/4SerE27WAxS5R3CU24QJwaoI4wpLA85i5hAVAypJlbaawrJTqQ6OI=
X-Received: by 2002:a05:6512:238b:b0:594:51bd:8fcd with SMTP id 2adb3069b0e04-596a3eac930mr15179805e87.16.1764694678125; Tue, 02 Dec 2025 08:57:58 -0800 (PST)
MIME-Version: 1.0
References: <176466381176.3718457.17060515527033550424@dt-datatracker-5bd94c585b-wk4l4>
In-Reply-To: <176466381176.3718457.17060515527033550424@dt-datatracker-5bd94c585b-wk4l4>
From: Thomas Fossati <thomas.fossati@linaro.org>
Date: Tue, 02 Dec 2025 17:57:42 +0100
X-Gm-Features: AWmQ_blqdw5rt212FLxvWAKt3Y0bSzWUq8bt4bT2nJ_1_VS3MFCmyj5zJSj1F28
Message-ID: <CA+1=6yd921uSW8VV_3kq6GKhiHSJtigB_UM1VxicRGNdUo=dog@mail.gmail.com>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: J6U3UMGQNFGD3NRREJOZMJFDKQZRH5R6
X-Message-ID-Hash: J6U3UMGQNFGD3NRREJOZMJFDKQZRH5R6
X-MailFrom: thomas.fossati@linaro.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-rats-msg-wrap@ietf.org, rats-chairs@ietf.org, rats@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: Mohamed Boucadair's Discuss on draft-ietf-rats-msg-wrap-21: (with DISCUSS and COMMENT)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/d0JyTyknFvI0bUuS7wIpskeKX8Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Med, thanks for the review and comments.

Your suggestions have been addressed in this PR [1].

[1] https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/pull/266

See inline.

On Tue, 2 Dec 2025 at 09:23, Mohamed Boucadair via Datatracker
<noreply@ietf.org> wrote:
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Hi Henk, Ned, Thomas, Hannes, and Dionna,
>
> Thank you for the effort put into this specification.
>
> I trust the CDDL and ASN modules were validated.

yes :-)

> The document is well-written. Please find below some few DISCUSS points, mainly
> about references.
>
> # RFC 9334 is normative
>
> ## The concepts manipulated in this draft can’t be understood without RFC9334.
> This is actually ACKed in Section 2.

I think it is possible to implement CMW without understanding RFC9334.
Clearly, that would be a pity and not something I would recommend, but
strictly speaking, the technical skills required are an understanding
of CBOR, JSON, JWS, COSE and X.509.

That said, the idea of adding RFC9334 to the downref registry has been
discussed more than once in RATS.  Therefore, we are happy to use CMW
as a pretext to mkae the downref request.

> ## Note that this will be a downref, though. Per RFC3967, I’m afraid that we
> fall under the following:
>
>    For Standards Track or BCP documents requiring normative reference to
>    documents of lower maturity, the normal IETF Last Call procedure will
>    be issued, with the need for the downward reference explicitly
>    documented in the Last Call itself.

My understanding is that Section 2 of RFC 8067 (which updates RFC3967)
 relaxes this requirement, making it at the discretion of the IESG.

> # DER Encoding
>
> CURRENT:
>    The DER-encoded CMW is the value of the OCTET STRING for the
>    extnValue field of the extension.
>
> Missing normative reference for DER. Maybe X.690 : Information technology -
> ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical
> Encoding Rules (CER) and Distinguished Encoding Rules (DER)?

ack

> # Normative References, again
>
> CURRENT:
>    This section provides an ASN.1 module [X.680] for the CMW extension,
>    following the conventions established in [RFC5912] and [RFC6268].
>
> I guess both 5912 and 6269 should be listed as normative.

ack

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> # JSON/CBOR encoding and Mapping
>
> As both encoding are specifically provided in the spec, are there any
> deviations/implications if an implementation decide to follow the rules such as
> in rfc8949#section-3.4.5.2 for mapping the two?
>
> Maybe worth to add a note?

Apologies, I don't see how those tags would interact with CMW.

> # To ensure extensibility with interop, I guess “can add” language should be
> better strengthened (e.g., “is recommended to add” or the like)
>
> CURRENT:
>    Future specifications that extend the RATS Conceptual Messages set
>    can add new values to the cm-type using the process defined in
>    Section 10.4.

ack

> # Recursion Limit
>
> CURRENT:
>    Since the Collection CMW is recursive (a Collection CMW is itself a
>    CMW), implementations MAY limit the allowed depth of nesting.
>
> Can that be controlled? Can we ask an implem to expose the nesting depth it
> supports or it actually imposes?

Perhaps an API that uses CMW could add "max-cmw-depth" as a
discoverable attribute, allowing applications to advertise their own
limits.
Or, a protocol using CMW could require a minimum depth from its users.
However, it'd be up to them to specify this.

> # Further highlight this is an example
>
> OLD:
>    func CMWTypeDemux(b []byte) CMWType {
>
> NEW:
>    func example-CMWTypeDemux(b []byte) CMWType {

ack

> #  These two MUSTs are redundant
>
> CURRENT:
>    The CMW extension MUST have the following syntax:
>
>    CMW ::= CHOICE {
>        json UTF8String,
>        cbor OCTET STRING
>    }
>
>    The CMW MUST include the serialized CMW object in either JSON or CBOR
>    format, utilizing the appropriate CHOICE entry.

ack

> # Unfolding
>
> CURRENT:
>    with the following wire representation:
>
>    =============== NOTE: '\' line wrapping per RFC 8792 ================
>
> Please add 8792 to the list of references as this is needed to unfold the
> example.

ack

> # Nits
>
> ## Expand RATS in the title.
>
> ## Please help readers to find where to locate for Passport and
> Background-check models: Pointing to Section 5.1 and 5.2 of 9334 in the text
> would be helpful.

ack

> ## Section 4.2
>
> OLD:
>    The protected header MUST include the signature algorithm identifier.
>    The protected header MUST include the content type application/
>    cmw+json.
>
> NEW:
>    The protected header MUST include the signature algorithm identifier and
>    the content type application/cmw+json.

ack

Again, thanks very much!

>
> Cheers,
> Med
>
>
>