Re: [Rats] eat-claims definition

Laurence Lundblade <lgl@island-resort.com> Fri, 06 November 2020 18:53 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ECD33A0D1E for <rats@ietfa.amsl.com>; Fri, 6 Nov 2020 10:53:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XdPPPvbv9EQZ for <rats@ietfa.amsl.com>; Fri, 6 Nov 2020 10:53:12 -0800 (PST)
Received: from p3plsmtpa07-09.prod.phx3.secureserver.net (p3plsmtpa07-09.prod.phx3.secureserver.net [173.201.192.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7917B3A1015 for <rats@ietf.org>; Fri, 6 Nov 2020 10:52:43 -0800 (PST)
Received: from [192.168.1.81] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id b6qokifATvO3lb6qpka2wp; Fri, 06 Nov 2020 11:52:43 -0700
X-CMAE-Analysis: v=2.4 cv=WYPJ12tX c=1 sm=1 tr=0 ts=5fa59b7b a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=pGLkceISAAAA:8 a=48vgC7mUAAAA:8 a=fURy2goLx40iiQqCfLUA:9 a=bkZ2pBmohn0Y-UNN:21 a=TbDq8LHgNvdip7cI:21 a=CjuIK1q_8ugA:10 a=-Y9pNgsahAVzGt4gZ04A:9 a=XKYL1Q_csJOaoMpt:21 a=OuBkfbmgISvSRfz6:21 a=2SdxhM4TZ-OLmkXC:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <4029630F-42B5-4EF5-9C6E-315D210D930E@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2FE44FAD-4591-4294-A82C-BEDF02543984"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Fri, 6 Nov 2020 10:52:42 -0800
In-Reply-To: <CAObGJnMzEDEg+AyhG1SYMVV3dgZq2ikQvwB1w60kpNhVGRvi3w@mail.gmail.com>
Cc: rats@ietf.org
To: Thomas Fossati <tho.ietf@gmail.com>
References: <CAObGJnMzEDEg+AyhG1SYMVV3dgZq2ikQvwB1w60kpNhVGRvi3w@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfMbu/QIyhvY91g2+rRQRPKhSyQHLU5Lwi99ktNv++M7LGhjCF24bs9aF543HE+5lDd23L894OqUIzesrzC+KJJkmXDgRej13YTQw1hbeM+THvCjRVq3G fQRHlTbSnxfWbSEQVMa03eCW0dsZOXgwLz68Zb52/3IZ9cz5EsJT/jb97KhhiUCRKhLkXR50ZmC00gPW/EmIOaiQHK4g9BcSQvA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/rVyIhLY8-xHukl9oUkfbooFYZOU>
Subject: Re: [Rats] eat-claims definition
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2020 18:53:20 -0000

I think you are right and we should change to:

eat-claims = {
   ? ueid-claim,
   ? nonce-claim,
   ...

LL

> On Nov 6, 2020, at 5:02 AM, Thomas Fossati <tho.ietf@gmail.com> wrote:
> 
> Hi Laurence, all,
> 
> I'm giving the latest EAT version a go and I got slightly puzzled by the
> fact that the CDDL seems to allow claim duplication (at least
> theoretically):
> 
> ~~~
> eat-claims = { ; the top-level payload that is signed using COSE or JOSE
>    * claim
> }
> 
> claim = (
>    ueid-claim //
>    nonce-claim //
>    origination-claim //
>    oemid-claim //
>    security-level-claim //
>    secure-boot-claim //
>    debug-disable-claim //
>    location-claim //
>    age-claim //
>    uptime-claim //
>    submods-part //
>    cwt-claim //
> ;    generic-claim-type //
> )
> ~~~
> 
> Now, CBOR does not allow duplicate keys in a map, and that is re-stated
> in Section 4.4.1 of EAT - BTW, I guess a ref to 7049 should be enough,
> rather than duplicating text?
> 
> With JSON the situation is slightly more nuanced (8259 a "names SHOULD
> be unique"), but still it makes total sense to avoid duplicates if one
> wants to maximise interop across different stacks.
> 
> Besides, if we aim at isomorphism between serialisation formats we need
> to go for the LCD here.
> 
> So, wouldn't something like:
> 
> ~~~
> eat-claims = {
>    ? ueid-claim,
>    ? nonce-claim,
>    ...
> }
> ~~~
> 
> more precisely describe what we actually want?
> 
> cheers!
> -- 
> Thomas
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>