IETF Logo Mail Archive

Re: [Teep] JSON/JOSE vs. CBOR/COSE

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Mon, 24 February 2020 13:24 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E8A23A0B37 for <teep@ietfa.amsl.com>; Mon, 24 Feb 2020 05:24:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.101
X-Spam-Level: *
X-Spam-Status: No, score=1.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BITCOIN_SPAM_02=2.499, PDS_BTC_ID=0.499, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4Hlxr-rG-CC for <teep@ietfa.amsl.com>; Mon, 24 Feb 2020 05:24:18 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FFA53A0B2E for <teep@ietf.org>; Mon, 24 Feb 2020 05:24:17 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 01ODO67T005089 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Mon, 24 Feb 2020 14:24:07 +0100
Received: from [134.102.153.63] (134.102.153.63) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Mon, 24 Feb 2020 14:24:01 +0100
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Akira Tsukamoto <akira.tsukamoto@gmail.com>
CC: Konda Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com>, Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>, Nicolae Paladi <nicolae.paladi@ri.se>, teep <teep@ietf.org>
References: <AM6PR08MB37181998F4E68A7F6BCC8110FA130@AM6PR08MB3718.eurprd08.prod.outlook.com> <59627424-2BE9-4E52-8F57-B7853D71023C@ri.se> <CABDGos7T5rjN4qHUyg_ptC+uB4gEjY26pe3=Z+Kky-LG5gkHDQ@mail.gmail.com> <CY4PR1601MB125438E2058280B86B32F650EA120@CY4PR1601MB1254.namprd16.prod.outlook.com> <a16d028a-43cf-bb5f-f21c-e26315280a2c@sit.fraunhofer.de> <CACuRN0O44V6HCUoRMjYdiz+yU=TykR89Qxsy5BifPfES_wkxkQ@mail.gmail.com> <CACuRN0PDevvPt6AkwgtBu2LhHBDbCZT490jkyQ8CjUNHKutN3g@mail.gmail.com> <AM0PR08MB371658433A963F30E53D5B16FAEC0@AM0PR08MB3716.eurprd08.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <e7b36f1d-67da-e072-1d93-4e05808cf4f3@sit.fraunhofer.de>
Date: Mon, 24 Feb 2020 14:24:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <AM0PR08MB371658433A963F30E53D5B16FAEC0@AM0PR08MB3716.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.153.63]
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/2Be7xCUMcqa6ZsAqsvAmrn9F1oA>
Subject: Re: [Teep] JSON/JOSE vs. CBOR/COSE
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 13:24:21 -0000

Hi all,

while I am of course in favor of using cbor-diag, please mind that would 
be a CBOR instance example. In general, the message structure (that the 
cbor-diag is an example of) should be illustrated (or specified, 
depending on the nature of the document) in CDDL.

I do not object to start with JSON and then finalizing with CBOR only, 
in principle. The only caveat here is that a lot of the benefits by 
using CBOR only that were highlighted in this thread are lost for the 
most part of the way, if you start with JSON.

Viele Grüße,

Henk

On 24.02.20 08:12, Hannes Tschofenig wrote:
> Thanks, Akira.
> 
> If we decide to only use CBOR/COSE for the TEEP protocol then the draft becomes simpler. It still make sense to put examples with CBOR diagnostic format into the draft. That's something we should certainly do.
> 
> I am pushing for a decision about this topic because
> * the draft needs to be updated in time for the IETF submission deadline,
> * the reference implementations need to progress, and
> * making a decision gives us clarity about the direction we are heading.
> 
> For the reference implementation I am wondering whether it makes sense to re-use QCBOR and an enhanced version* of t_cose. Hackathon participants were quite impressed with QCBOR and t_cose.
> 
> Ciao
> Hannes
> 
> *: I am speaking about an enhanced version because t_cose implements only verifying digital signatures. The sign functionality is missing. (At least that's my understanding.)
> 
> -----Original Message-----
> From: Akira Tsukamoto <akira.tsukamoto@gmail.com>
> Sent: Monday, February 24, 2020 2:01 PM
> To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Cc: Konda Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com>; Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>; Nicolae Paladi <nicolae.paladi@ri.se>; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; teep <teep@ietf.org>
> Subject: Fwd: [Teep] JSON/JOSE vs. CBOR/COSE
> 
> I mistakenly dropped many addresses when I pressed button gmail, this is resend which I sent to Henk only.
> 
>>          On 20 Feb 2020, at 11:16, Hannes Tschofenig
>>          <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>>
>>          wrote:
>>
>>          With the impression from the Hackathon in mind I am wondering
>>          whether we should make a decision about the encoding of the TEEP
>>          protocol messages. Today, the spec allows two types of
>>          encodings, namely JSON and CBOR (with their security mechanisms).
>>
>>          It is obviously a pain to implement both encodings. The spec
>>          supports two encodings because the OTrP design was based on JSON
>>          / JOSE and it felt logical to “inherit” this encoding. Then, we
>>          added CBOR and COSE for use with constrained devices.
>>
>>          I believe we should only have one encoding.
>>
>>          CBOR and COSE appear to be the better choice (although I have
>>          been working on an implementation of JSON and JOSE at the
>>          Hackathon). While JSON/JOSE is easier to debug the TEEP protocol
>>          is actually quite simple. The use of CBOR/COSE will allow us to
>>          keep the trusted computing base smaller considering that SUIT
>>          manifests as well as EAT tokens are/can be encoded in CBOR and
>>          protected by COSE.
> 
> The Hackathon at  Berlin was really productive and thanks.
> 
> I personally do not mind if the protocol spec becomes having only CBOR/COSE and drop JSON/JOSE.
> 
> I think we have two discussion on this topic, one is completing the draft and other is whether the TAM implementation must support support both CBOR and JSON.
> 
> It is very good to have some kind of reference implementation of TEEP along side with the spec draft, so I would prefer having the current implementation started on JSON to be finished and fill out the details in the spec for what we have discussed during the Hakathon.
> 
> The sequences of TEEP in JSON which I was wroking on at the Hackathon are still not mature.
> https://github.com/ietf-teep/teep-protocol/issues/7
> The suit representation is not there yet either.
> 
> These are the links I would like to reflect on the draft before the next IETF hackathon.
> https://github.com/ietf-teep/architecture/issues/151
> https://github.com/ietf-teep/teep-protocol/issues/6
> https://github.com/ietf-teep/teep-protocol/issues/5
> https://github.com/ietf-teep/teep-protocol/issues/4 <- we had conclusion at the Hakathon on this
> 
> Otherwise I am bit concerned many people having different interpretation from reading the draft and many implementation suffering interoperability.
> Once the details is addressed in the JSON then having CBOR representation in the spec is fine.
> The cbor-diag tool mentioned by Carsten at the other thread is great.
> It is good if somebody starts CBOR implementation in the time being.
> 
> My thought was that switching to CBOR only and no JSON now for the Hackathon is that the TAM side is possible to talk CBOR relatively easy since there is "npm install cbor" to use cbor library with javascript, but for the implementation on TEEP device side, there are cn-cbor and tiny-cbor for c language which is not so easy for try and error and changing the message formats while the draft is also moving.
> 
> The other topic of requiring the TAM to support both JSON and CBOR in the draft, I do not feel that it should have to support both.
> TAM talking otrp with json or/either teep with cbor is fine for me.
> 
> -Akira
> 
> On Fri, Feb 21, 2020 at 6:49 PM Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
>>
>> Hi Tiru,
>>
>> I'd stay in the scope of CBOR and use cbor-diag. As cbor-diag can be
>> directly translated into CBOR data items, that is the notation I am
>> working with on a daily basis.
>>
>> If needed, a JSON data item can be derived from cbor-diag quite easily.
>>
>> Viele Grüße,
>>
>> Henk
>>
>> On 21.02.20 04:43, Konda, Tirumaleswar Reddy wrote:
>>> The protocol draft can discuss either CBOR to JSON conversion or
>>> diagnostic notation discussed in
>>> https://tools.ietf.org/html/rfc7049#section-6 to ease debugging.
>>>
>>> -Tiru
>>>
>>> *From:* TEEP <teep-bounces@ietf.org> *On Behalf Of * Mingliang Pei
>>> *Sent:* Thursday, February 20, 2020 10:52 PM
>>> *To:* Nicolae Paladi <nicolae.paladi@ri.se>
>>> *Cc:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>; teep@ietf.org
>>> *Subject:* Re: [Teep] JSON/JOSE vs. CBOR/COSE
>>>
>>> *CAUTION*:External email. Do not click links or open attachments
>>> unless you recognize the sender and know the content is safe.
>>>
>>> --------------------------------------------------------------------
>>> ----
>>>
>>> I agree we move forward TEEP protocol with one mandatory format:
>>> CBOR / COSE, and focus on specifying only one for now. Thanks, Ming
>>>
>>> On Thu, Feb 20, 2020 at 6:26 AM Nicolae Paladi <nicolae.paladi@ri.se
>>> <mailto:nicolae.paladi@ri.se>> wrote:
>>>
>>>
>>>
>>>          On 20 Feb 2020, at 11:16, Hannes Tschofenig
>>>          <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>>
>>>          wrote:
>>>
>>>          Hi all,
>>>
>>>          With the impression from the Hackathon in mind I am wondering
>>>          whether we should make a decision about the encoding of the TEEP
>>>          protocol messages. Today, the spec allows two types of
>>>          encodings, namely JSON and CBOR (with their security mechanisms).
>>>
>>>          It is obviously a pain to implement both encodings. The spec
>>>          supports two encodings because the OTrP design was based on JSON
>>>          / JOSE and it felt logical to “inherit” this encoding. Then, we
>>>          added CBOR and COSE for use with constrained devices.
>>>
>>>          I believe we should only have one encoding.
>>>
>>>          CBOR and COSE appear to be the better choice (although I have
>>>          been working on an implementation of JSON and JOSE at the
>>>          Hackathon). While JSON/JOSE is easier to debug the TEEP protocol
>>>          is actually quite simple. The use of CBOR/COSE will allow us to
>>>          keep the trusted computing base smaller considering that SUIT
>>>          manifests as well as EAT tokens are/can be encoded in CBOR and
>>>          protected by COSE.
>>>
>>>      I agree, better to focus on one format.
>>>
>>>      Best regards,
>>>
>>>      Nicolae
>>>
>>>
>>>
>>>          With this email I wanted to kick-off a discussion. What do you
>>>          think?
>>>
>>>          Ciao
>>>
>>>          Hannes
>>>
>>>          IMPORTANT NOTICE: The contents of this email and any attachments
>>>          are confidential and may also be privileged. If you are not the
>>>          intended recipient, please notify the sender immediately and do
>>>          not disclose the contents to any other person, use it for any
>>>          purpose, or store or copy the information in any medium. Thank
>>>          you. _______________________________________________
>>>          TEEP mailing list
>>>          TEEP@ietf.org <mailto:TEEP@ietf.org>
>>>          https://www.ietf.org/mailman/listinfo/teep
>>>
>>> <https://clicktime.symantec.com/3MSsiXmEmb2Dwfb5s7ZBbYv7Vc?u=https%3
>>> A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep>
>>>
>>>      _______________________________________________
>>>      TEEP mailing list
>>>      TEEP@ietf.org <mailto:TEEP@ietf.org>
>>>
>>> https://clicktime.symantec.com/3MSsiXmEmb2Dwfb5s7ZBbYv7Vc?u=https%3A
>>> %2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep
>>>
>>>
>>> _______________________________________________
>>> TEEP mailing list
>>> TEEP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/teep
>>>
>>
>> _______________________________________________
>> TEEP mailing list
>> TEEP@ietf.org
>> https://www.ietf.org/mailman/listinfo/teep
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email