IETF Logo Mail Archive

Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt

Carsten Bormann <cabo@tzi.org> Tue, 27 July 2021 01:23 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6B2B3A0D7A for <secdispatch@ietfa.amsl.com>; Mon, 26 Jul 2021 18:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OddTcJkZ-E-Y for <secdispatch@ietfa.amsl.com>; Mon, 26 Jul 2021 18:23:10 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB16E3A0D75 for <secdispatch@ietf.org>; Mon, 26 Jul 2021 18:23:10 -0700 (PDT)
Received: from [192.168.217.118] (p548dcc89.dip0.t-ipconnect.de [84.141.204.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4GYfDp36mJz31LW; Tue, 27 Jul 2021 03:23:06 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <656.1627347926@localhost>
Date: Tue, 27 Jul 2021 03:23:05 +0200
Cc: Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>
X-Mao-Original-Outgoing-Id: 649041785.909597-9bded545182f3a4ba5af31561c829d64
Content-Transfer-Encoding: quoted-printable
Message-Id: <3E3EBA99-16A7-44C2-9829-47AD681BEDDD@tzi.org>
References: <CABcZeBObr7ExGwCPMLJFqg3tdTegwmnmSVcr2pZ8uGoj=EBpyg@mail.gmail.com> <656.1627347926@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/rY3PYbegRkaAhVu9EZR7p4m_TJQ>
Subject: Re: [Secdispatch] Comments on draft-jordan-jws-ct-04.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 01:23:16 -0000

> As I understood Carsten's suggestion, we should canonicalize the data by
> turning it into CBOR, and using COSE.

Actually, when I started saying that, I meant it as a reduction ad absurdum.

But after thinking about it, it is actually not so absurd, but the best way to handle the use case — everything is already in place for that.

But that simple change is just a different function to compute a signing input from data at rest — the more difficult question is what is it that you compute the signing input of, and the fact that you now have a signature for something that is in a complex and not entirely well-defined relationship to the data that is in your database and that you might think some subset of which you maybe have a signature for.

If your application design can take care of that part, then you win (and can use CBOR-deterministic + COSE, or if you must, translate to XML first and do an XMLDsig, etc.).

Grüße, Carsten

v2.23.0 | Report a Bug | By Email