Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 27 July 2021 15:08 UTC

To: Carsten Bormann <cabo@tzi.org>
Cc: IETF SecDispatch <secdispatch@ietf.org>
References: <CABcZeBObr7ExGwCPMLJFqg3tdTegwmnmSVcr2pZ8uGoj=EBpyg@mail.gmail.com> <656.1627347926@localhost> <3E3EBA99-16A7-44C2-9829-47AD681BEDDD@tzi.org> <22ea0a96-345d-6272-b287-a2ca78d87e33@gmail.com> <01DD5A19-C35F-4757-B7D1-D94C5B180918@tzi.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <4e86a2d0-0df3-8392-7342-4529957b5e38@gmail.com>
Date: Tue, 27 Jul 2021 17:08:00 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/U8tX2y7PMx-rCtc1Xy_IwVZqMlk>

On 2021-07-27 12:58, Carsten Bormann wrote:
> On 2021-07-27, at 09:41, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> Unlike JSON, which nowadays [1] has a working deterministic representation [2], CBOR leaves a good portion of this crucial part to application developers to figure out.
>> The net result is a fragmented CBOR space with groups like FIDO creating their own unique definition called CTAP2.
> 
> Statements like this are a reason why I’m calling for some supervision here.

Another action could be to consider co-creating(!) an "I-CBOR" profile that would not only address documented CBOR interoperability issues for normal data exchange [1], but also make CBOR usable in cryptographic contexts without necessarily embedding data-to-be-signed in a bstr like COSE.

thanx,
Anders

[1] https://github.com/w3c/webauthn/issues/1624#issuecomment-862672788
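As an added illustration of the point in the message above, and not code from the draft, from COSE or from any CBOR library: a minimal encoder following the RFC 8949 core deterministic encoding rules (shortest-form integers, map keys sorted bytewise by their encoding), plus an HMAC standing in for a signature that is embedded as a property of the same map rather than wrapping the payload in a bstr. The function names, the "mac" label and the key are constructed for the example; floats and indefinite-length items are deliberately not handled.

```python
import hashlib
import hmac


def _head(major, n):
    """Shortest-form head for major type `major` with unsigned argument `n`
    (RFC 8949 preferred serialization: 0..23 inline, else 1/2/4/8-byte argument)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for a CBOR argument")


def encode(v):
    """Deterministically encode bool/None/int/bytes/str/list/dict; anything else is rejected."""
    if isinstance(v, bool):  # must precede int: bool is a subclass of int
        return b"\xf5" if v else b"\xf4"
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        u = v.encode("utf-8")
        return _head(3, len(u)) + u
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(encode(x) for x in v)
    if isinstance(v, dict):
        # Deterministic rule: keys ordered by bytewise lexicographic order of their encodings
        items = sorted(((encode(k), encode(x)) for k, x in v.items()), key=lambda kv: kv[0])
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type for deterministic encoding: {type(v).__name__}")


def attach_mac(obj, key, label="mac"):
    """Cleartext pattern: MAC the deterministic encoding of the map without the
    `label` property, then add the tag as a property of that same map."""
    body = {k: x for k, x in obj.items() if k != label}
    tag = hmac.new(key, encode(body), hashlib.sha256).digest()
    return {**body, label: tag}


def verify_mac(obj, key, label="mac"):
    """Strip the tag, re-encode, recompute. Only works because re-encoding equal
    data (in any insertion order) yields identical bytes under the deterministic rules."""
    if label not in obj or not isinstance(obj[label], bytes):
        return False
    body = {k: x for k, x in obj.items() if k != label}
    expected = hmac.new(key, encode(body), hashlib.sha256).digest()
    return hmac.compare_digest(expected, obj[label])
```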