IETF Logo Mail Archive

Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt

Carsten Bormann <cabo@tzi.org> Tue, 27 July 2021 15:42 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7A343A0E8C for <secdispatch@ietfa.amsl.com>; Tue, 27 Jul 2021 08:42:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NiFVx4lo7dPA for <secdispatch@ietfa.amsl.com>; Tue, 27 Jul 2021 08:42:05 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 273BA3A0E88 for <secdispatch@ietf.org>; Tue, 27 Jul 2021 08:42:05 -0700 (PDT)
Received: from [192.168.217.118] (p548dcc89.dip0.t-ipconnect.de [84.141.204.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4GZ1Hr0sq8z31N0; Tue, 27 Jul 2021 17:42:00 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <4e86a2d0-0df3-8392-7342-4529957b5e38@gmail.com>
Date: Tue, 27 Jul 2021 17:41:59 +0200
Cc: IETF SecDispatch <secdispatch@ietf.org>
X-Mao-Original-Outgoing-Id: 649093319.763059-330d75aa142b9e5974b29925f5ad9448
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9FAE9C8-F783-4334-B675-394713ACA37A@tzi.org>
References: <CABcZeBObr7ExGwCPMLJFqg3tdTegwmnmSVcr2pZ8uGoj=EBpyg@mail.gmail.com> <656.1627347926@localhost> <3E3EBA99-16A7-44C2-9829-47AD681BEDDD@tzi.org> <22ea0a96-345d-6272-b287-a2ca78d87e33@gmail.com> <01DD5A19-C35F-4757-B7D1-D94C5B180918@tzi.org> <4e86a2d0-0df3-8392-7342-4529957b5e38@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/92P-dD5YX-Rwn_lv2BEqT4s9kXg>
Subject: Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 15:42:11 -0000

On 2021-07-27, at 17:08, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> Another action could be to consider co-creating(!) an "I-CBOR" profile that would not only address documented CBOR interoperability issues for normal data exchange [1], but also make CBOR usable in cryptographic contexts without necessary embedding data-to-signed in bstr like COSE.

[Not in citation given.]

[1] discusses a case where, in two unimplemented extensions, application developers wanted to ship floating point values in the specific format they happen to have them.  That would have been fine, but it means there would have been a deviation from 4.2.1.  4.2.1 *is* the interoperable set of deterministic encoding rules; deviations are explicitly allowed, but indeed mean a deviation.

And then there is the old “canonical” encoding from 7049 that is described in 4.2.3 of 8949.  We are genuinely sorry about that, that was a design that got sufficient negative feedback from implementers over the years that we decided to upgrade it by providing a preferred deterministic serialization as well.  So I currently have exactly two implementations: cbor-canonical, which implements 7049’s old “canonical" serialization, and cbor-deterministic, which implements 8949’s deterministic serialization.  They are 44 lines each (and don’t differ much, obviously).  In my case, I can’t even implement “in the specific format I happen to have”, because I don’t have floating point values in specific formats; if this is ever needed, this could be supported by adding new application types for these formats, of course.

Grüße, Carsten

v2.23.0 | Report a Bug | By Email