IETF Logo Mail Archive

Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 27 July 2021 07:41 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87ADE3A0A3D for <secdispatch@ietfa.amsl.com>; Tue, 27 Jul 2021 00:41:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWzk_eO6UEC0 for <secdispatch@ietfa.amsl.com>; Tue, 27 Jul 2021 00:41:32 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143233A0A29 for <secdispatch@ietf.org>; Tue, 27 Jul 2021 00:41:31 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id b7so13994724wri.8 for <secdispatch@ietf.org>; Tue, 27 Jul 2021 00:41:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=OoQ7H8Gh9Swgx6HjYbMf2l57Oq3RDkxMN/HKeqCnmMM=; b=gJRn+Wz+Dn7j1YvuHWaaE8kuLskQfB8ZnAXa+kYPZ/oP5SJScWIROs/r+3MFXH7ASG HWJDO9xdpsxs1eldOaIdVC0+XSaEJ+UfifiG0bXjvbbyrGqQ2bemKyiUlYVVn7L02IGp gyM4DVSY+sJPM+ZZzjcBMQNprWJyLSWzHqmkso5X7xa473LjMbYyPJiEYQxHmGVh8J4s YRpU14G0r6LJOhpwf1eFbshO7EPeWsCFfQzNpWFVSyIFKWKq2GeJqix83zfAOget+45J h6pKCumSUNvICg59DeXdPyoWVJdk5PyfWx0g6yFIgKTa8HWy2YyQ1qg8+AY9t3c8rWaQ jL0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=OoQ7H8Gh9Swgx6HjYbMf2l57Oq3RDkxMN/HKeqCnmMM=; b=sjqxHI9nUQz+57jczK5zcIcFhcoynv6cPqiOY5E9WCDKVtfM1CYEi7MqRnFp2DPxBv hWDqFDN1TscA9SAvdRf7Zhcqdlwk3P4wjCyTqLOyvnYtAPWmASuNN3sgSRXF3Dy1/7gg ZKXi5hVMy4oeOJxYRYi79ggWeR6MxAtxvV9mB/5cdNUga9Bv/xHcqOSSkL05CWrMEh3Z 1aFvDCPbYZytvMBSh+iZ1zDJcrHmArARkYjyZkEWymL92mQ7vynOwGJjs9sp26p1mSW5 GUbUa5nGA+uuQabWchFTZmBfcdyOLHveOgULXN+EHi98/Q5S0fu3YQm5QtPJW7HIWiUh C6wA==
X-Gm-Message-State: AOAM530SLUfk4M/wP/cZLPZob39ADF59Jjz8LiHWahuYHW05MqhQnQgu nF7Y13xfihiFgEFyvHUNGnEG0mBAZSbEQg==
X-Google-Smtp-Source: ABdhPJzACGbUvUhnIOdjU1ackx2SfuKV5JHTEnjXyOI1MIA4j4Rol08sa6ORVCHODYfBLySR046Lig==
X-Received: by 2002:a5d:5987:: with SMTP id n7mr23149512wri.263.1627371688367; Tue, 27 Jul 2021 00:41:28 -0700 (PDT)
Received: from [192.168.1.67] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id u2sm1915749wmm.37.2021.07.27.00.41.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 27 Jul 2021 00:41:27 -0700 (PDT)
To: Carsten Bormann <cabo@tzi.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>
References: <CABcZeBObr7ExGwCPMLJFqg3tdTegwmnmSVcr2pZ8uGoj=EBpyg@mail.gmail.com> <656.1627347926@localhost> <3E3EBA99-16A7-44C2-9829-47AD681BEDDD@tzi.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <22ea0a96-345d-6272-b287-a2ca78d87e33@gmail.com>
Date: Tue, 27 Jul 2021 09:41:28 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <3E3EBA99-16A7-44C2-9829-47AD681BEDDD@tzi.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/jmUYk3doYwaXueDF8JK86BgrUNc>
Subject: Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 07:41:37 -0000

Unlike JSON which nowadays [1] have a working deterministic representation [2], CBOR leaves a good portion of this crucial part to application developers to figure out.
The net result is a fragmented CBOR space with groups like FIDO creating their own unique definition called CTAP2.

The authors will consider the ISE path for the proposed work-item.

thanx,
Anders

1] Encountered floating point parsing and serialization issues have been fixed by the platform vendors which makes the task creating an RFC 8785-compatible canonicalizer quite simple.
2] By constraining the Number type to IEEE 754 double and requiring the String type to be immutable.

On 2021-07-27 3:23, Carsten Bormann wrote:
>> As I understood Carsten's suggestion, we should canonicalize the data by
>> turning it into CBOR, and using COSE.
> 
> Actually, when I started saying that, I meant it as a reduction ad absurdum.
> 
> But after thinking about it, it is actually not so absurd, but the best way to handle the use case — everything is already in place for that.
> 
> But that simple change is just a different function to compute a signing input from data at rest — the more difficult question is what is it that you compute the signing input of, and the fact that you now have a signature for something that is in a complex and not entirely well-defined relationship to the data that is in your database and that you might think some subset of which you maybe have a signature for.
> 
> If your application design can take care of that part, then you win (and can use CBOR-deterministic + COSE, or if you must, translate to XML first and do an XMLDsig, etc.).
> 
> Grüße, Carsten
> 
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>

v2.23.0 | Report a Bug | By Email