Re: [secdir] [Cbor] Secdir last call review of draft-ietf-cbor-file-magic-11
Carsten Bormann <cabo@tzi.org> Wed, 20 April 2022 22:29 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA69A3A10C5; Wed, 20 Apr 2022 15:29:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JV0pb9xcLkHE; Wed, 20 Apr 2022 15:29:29 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD4C03A10CB; Wed, 20 Apr 2022 15:29:27 -0700 (PDT)
Received: from [192.168.217.118] (p5089ad4f.dip0.t-ipconnect.de [80.137.173.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4KkFhj0vGHzDCbM; Thu, 21 Apr 2022 00:29:25 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <165004421223.2657.13933771758777228182@ietfa.amsl.com>
Date: Thu, 21 Apr 2022 00:29:24 +0200
Cc: secdir@ietf.org, cbor@ietf.org, draft-ietf-cbor-file-magic.all@ietf.org, last-call@ietf.org
X-Mao-Original-Outgoing-Id: 672186564.658735-45c9906acecf85eab0ad0b27c4ab20eb
Content-Transfer-Encoding: quoted-printable
Message-Id: <62B6E5D3-CC25-4BFA-9F73-252AE7767B2A@tzi.org>
References: <165004421223.2657.13933771758777228182@ietfa.amsl.com>
To: Christopher Wood <caw@heapingbits.net>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UlvzgO8OhTxjfvscY5ylxPbqaKQ>
Subject: Re: [secdir] [Cbor] Secdir last call review of draft-ietf-cbor-file-magic-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2022 22:29:34 -0000
Hi Chris, thank you for this review. I have collected my proposed changes based on these and other comments in https://github.com/cbor-wg/cbor-magic-number/pull/21 under the commit https://github.com/cbor-wg/cbor-magic-number/pull/21/commits/fce5cef Grüße, Carsten […] > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-cbor-file-magic/ > > Section 2.1: > > The use of a sequence of four US-ASCII codes which are mnemonic to > the protocol is encouraged, but not required. > > This seems like good advice. Including an example for one of the CBOR Protocols > under development might be helpful. I added a pointer to Appendix B and lifted the secret that it uses “OPSN”. > Section 2.2: > > The tag content of that tag is a second CBOR Tag that has been > allocated to describe the specific Protocol involved, as described > above. > > I'd replace "as described above" with an explicit reference to Section 2.1. > Moreover, I might rephrase this to something like the following: > > The tag content of the outer tag is a second CBOR Tag whose number has > been allocated to describe the specific Protocol involved, as described > above. The tag content of this inner tag is the single CBOR data item. Nice, thank you. > Section 2.3: > > Unlike 2.2, there's no accompanying example. I think it would improve > readability if one were included, even though conceptually the wrapping > mechanism is simple. Yes. (Contrived) example based on RFC 9177 added. > Section 3.2: > > If only one item is ever expected in the file, the use of Labeled > CBOR Sequence may present an implementation hurdle to programs that > previously just read a single data item and used it. > > What stood out to me when reading this document is that the CBOR Sequence > wrapper could (seemingly) be used for all use cases -- it just happens to be a > little more complicated to implement when all one requires is a single data > item and doesn't expected to be concatenating files (wrappers) together. > However, the additional complexity seems pretty minimal. Would it be worth just > dropping the Tag Wrapped variant entirely? At the very least, that would seem > to not fracture parsing support, where some parsing programs expect a single > wrapped Protocol data item in a file, whereas others might expect multiple. > Encouraging the latter seems more generally useful, especially give the PEM > certificate format example in Section 3. Certainly worth a consideration. The main reason we didn’t do this simplification: CBOR sequences were added to CBOR relatively late in the process: RFC 7049: October 2013 RFC 8742: February 2020 Even today, not all popular generic CBOR de/encoders support APIs that enable RFC 8742. So it is good to have a “tag wrapping” approach based on RFC 7049 (8949) means only. (This also saves 4 bytes, which may or may not be relevant in the storage system in use.) > Section 3.3: > > If the Protocol expects to use other tags values at the top-level, > then the use of the tag wrapped format may be easier to explain in > the protocol description. > > I didn't quite follow this. In particular, the "top-level" for the Protocol is > is the wrapped CBOR data item, right? That is, using the example from Section > 2.2.1, the top-level is here: > > d9 d9f7 # tag(55799) > da 63740070 # tag(1668546672) > 81 # array(1) <----- top-level? > > But this text in Section 3.3 seems to suggest that the top-level is: > > d9 d9f7 # tag(55799) <----- suggested top-level > da 63740070 # tag(1668546672) > 81 # array(1) > > My understanding is that the Protocol's use of CBOR is entirely encapsulated by > the wrappers, so I'm not sure I understand the guidance in this section. > Clarification might be helpful, if only for me. =) See reply to Roman, and the fix in: https://github.com/cbor-wg/cbor-magic-number/pull/21/commits/fce5cef
- [secdir] Secdir last call review of draft-ietf-cb… Christopher Wood via Datatracker
- Re: [secdir] [Cbor] Secdir last call review of dr… Carsten Bormann
- Re: [secdir] [Cbor] Secdir last call review of dr… Carsten Bormann