[sacm] [sacmwg/draft-ietf-sacm-coswid] COSE and CBOR tags (#42)

Laurence Lundblade <notifications@github.com> Thu, 04 March 2021 20:13 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/OzHBnc1o8t2TApckH719mOMsnfY>

I think what we're after for CoSWID+COSE is almost exactly the same as CWT+UCCS. It's not exactly the same because UCCS uses a different tag number than CWT and CoSWID doesn't.

I think we want to allow all variants of COSE signing, encryption and MAC just like CWT does. 

```
concise-swid-tag — Naked, no COSE, not CBOR tag, like a UCCS

#6.1398229316(concise-swid-tag) - Just a CoSWID tag, no COSE, like a CWT with no COSE

#6.1398229316(#6.18(COSE-Sign1<concise-swid-tag>)) A CoSWID tag with signing

#6.1398229316(#6.17(COSE-Mac01<concise-swid-tag>))

#6.1398229316(#6.18(COSE-Sign1(#6.96(cose_encrypt<concise-swid-tag>))))

…plus lots more combos of signing, encrypting and mac’ing 

#6.18(COSE-Sign1<concise-swid-tag>) Signing not a CoSWID CBOR tag

#6.17(COSE-Mac01<concise-swid-tag>) Mac, not a CoSWID CBOR tag

#6.18(COSE-Sign1(#6.96(cose_encrypt<concise-swid-tag>))) Signed and encrypted not a CoSWID CBOR tag

…plus the same combos of signing, encrypting and mac'ing
```

What is NOT allowed, like CWT disallows, are these:

```
#6.1398229316(COSE-Sign1<concise-swid-tag>)

#6.1398229316(COSE-Mac01<concise-swid-tag>)

#6.1398229316(COSE-Sign1<cose_encrypt<concise-swid-tag>>)
```

Are we in agreement on this?

An implementor should be able to use the same COSE code that recursively removes COSE layers it identifies by the COSE tags to get to the final payload just like in CWT. Maybe even exactly the same COSE code.

I think sections 7 and 8 get close to this, but are not exactly right. They don't allow for encryption or mac. I think the CWT description of this is solid and correct, though it doesn't use CDDL and doesn't cover UCCS.

My thought for bringing CoSWID into EAT is to have a claim that is explicitly a CoSWID so #6.1398229316() is never used. If COSE is used then it is a COSE tag. If COSE is not used then it is a concise-swid-tag. It is naked.



https://github.com/sacmwg/draft-ietf-sacm-coswid/issues/42
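
The layer-removal loop described in the message, as an added example (not code from the post or from the draft): it accepts the listed forms, with the CoSWID tag only outermost, and rejects a COSE array that is missing its COSE tag. The names `head`, `skip`, `peel` and `wrap` are hypothetical, the sample bytes are constructed, only definite-length CBOR is handled, and no signature or MAC is verified.

```python
COSWID_TAG = 1398229316            # tag number used in the message above
COSE_TAGS = {16: "COSE_Encrypt0", 17: "COSE_Mac0", 18: "COSE_Sign1",
             96: "COSE_Encrypt", 97: "COSE_Mac", 98: "COSE_Sign"}  # RFC 8152

def head(buf, i):
    """Decode the CBOR head at buf[i]: (major type, argument, next offset)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    if info < 24:
        return major, info, i + 1
    if info > 27:
        raise ValueError("indefinite or reserved length: not handled here")
    n = 1 << (info - 24)
    return major, int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def skip(buf, i):
    """Return the offset just past the data item that starts at buf[i]."""
    major, arg, i = head(buf, i)
    if major in (2, 3):                        # byte or text string of arg bytes
        return i + arg
    # array: arg items, map: arg pairs, tag: one tagged item, otherwise none
    for _ in range({4: arg, 5: 2 * arg, 6: 1}.get(major, 0)):
        i = skip(buf, i)
    return i

def peel(buf):
    """Remove tag and COSE layers; return (layers seen, verdict)."""
    layers = []
    while True:
        major, arg, i = head(buf, 0)
        if major == 5:                         # a map: the naked concise-swid-tag
            return layers, "concise-swid-tag"
        if major == 4:                         # COSE array without its COSE tag
            return layers, "rejected: untagged COSE"
        if major == 6 and arg == COSWID_TAG and not layers:
            layers, buf = ["CoSWID"], buf[i:]
            continue
        if major != 6 or arg not in COSE_TAGS:
            return layers, "rejected: unexpected item"
        layers.append(COSE_TAGS[arg])
        if arg in (16, 96):                    # ciphertext: decrypt, then peel again
            return layers, "encrypted"
        m, n, i = head(buf, i)                 # head of the COSE array
        if m != 4 or n < 3:
            return layers, "rejected: malformed COSE"
        m, n, i = head(buf, skip(buf, skip(buf, i)))   # past both header buckets
        if m != 2:                             # nil (detached) or wrong type
            return layers, "rejected: no embedded payload"
        buf = buf[i:i + n]

# Constructed samples: {0: "x"} stands in for a real concise-swid-tag map.
SWID, TAG = bytes.fromhex("a1006178"), bytes.fromhex("da53574944")
def wrap(p): return bytes.fromhex("8440a0") + bytes([0x40 + len(p)]) + p + b"\x40"
```

`wrap` builds a four-element COSE-shaped array with empty headers and an empty signature or MAC field, so `peel(TAG + b"\xd2" + wrap(SWID))` is the signed form and `peel(TAG + wrap(SWID))` is one of the disallowed forms.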