Re: [Teep] Call for adoption of draft-thaler-teep-otrp-over-http

[Anders Rundgren <anders.rundgren.net@gmail.com>]

Hi David,
Since you mention the unfinished architecture document, have you seen https://github.com/ietf-teep/architecture/issues/52#issuecomment-493652265 ?

This is about creating a *unified* (JSON/CBOR independent) TEE management API.

Ten years ago I had something similar to OTrP but felt it was becoming "clunky" and limiting, so I threw it out and haven't regretted it a second.
The switch wasn't that difficult after getting the core mechanics in place.
Much later when I was forced switching protocol format from XML to JSON, *not a single bit* changed in the API.

Regards,
Anders


On 2019-05-29 16:43, Wheeler, David M wrote:
> I am more in favor of a CBOR/CWT binding than JSON, although I agree that JSON and JWT is more commonly deployed at the moment.
> 
> The direction I think we should push this is toward CBOR. However, I think that it is fine to build JSON into the OTrP protocol spec and then have an alternative specification that provides CBOR bindings – I would be willing to work with Anders on a such a specification (after the arch document is complete 😉 ).
> 
> Thanks,
> 
> Dave Wheeler
> 
> *From:* TEEP <teep-bounces@ietf.org> *On Behalf Of *Hannes Tschofenig
> *Sent:* Wednesday, May 29, 2019 7:35 AM
> *To:* Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>; Anders Rundgren <anders.rundgren.net@gmail.com>; Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; teep@ietf.org
> *Subject:* Re: [Teep] Call for adoption of draft-thaler-teep-otrp-over-http
> 
>   * The IoT market has adopted CBOR rather than JSON.
> 
>   * That’s a bit overstated, “IoT” is very broad and hence there are _/many/_ IoT “markets”, and many of them have not adopted CBOR. For example, if you look in industrial IoT, the dominant protocol is OPC UA, which uses neither CBOR nor JSON. In consumer IoT like in devices on shelves now, I think you will find that JSON is far more deployed than CBOR is (e.g., Hue light bulbs and many other IoT devices use JSON-over-HTTP). It is true that /some/ of the IoT market has adopted CBOR.  For example, OCF adopted CBOR, but OCF has very little actual deployment today.
> 
> I agree with Dave here. I think it is fair to say that the JWT has been implement and deployed by the Web community. Particularly in the OAuth context it is widely deployed.
> 
> CBOR has been suggested for IoT-related specifications but CBOR, COSE and CWT is definitely not widely implement and even less widely used.
> 
> The question I wonder is whether the current deployment status matters in our case and I don’t think it has any relationship to the call for adoption of draft-thaler-teep-otrp-over-http.
> 
> When the initial version of OTrP was written there was the assumption that the encoding of the protocol in JSON would be more convenient for Web developers given that the main deployment use case was for mobile phones and tablets.
> 
> Now, there is of course the question whether Web developers should be exposed to the details and the encoding of the OTrP protocol itself. I think that’s an important question. Afterall, we are trying to make the life of developers simpler with this work.
> 
> Since the formation of the TEEP group we have also added other use cases extending our original goals for OTrP. This makes me believe that it is worthwhile to look into a CBOR-based encoding as well. I also would like to take advance of ongoing working work in SUIT & RATS.
> 
> Ciao
> Hannes
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>