Hi Carsten, Let us ignore the current status of the EAT spec for a moment.
Laurence was saying: " CoSWID replicates and modifies a lot of COSE CDDL in normative text primarily so it can fully specify the COSE payload with a .cbor control. SUIT doesn’t replicate COSE. It specifies the COSE payload in prose. " The statement about SUIT is only partially true. At the beginning we only referenced COSE and didn't "modify" (or profiled anything) because we thought we don't need to do it. When we started the work on firmware encryption we suddenly realized that this is not really practical. You need to provide more rules on how to use COSE to provide implementers enough context to build interoperable specifications. That's why the firmware encryption draft modified the COSE CDDL and later it then introduced HPKE (instead of using an alternative public key encryption scheme specified in COSE itself). It is unclear to me whether a similar approach will be needed for the SUIT manifest as well. It might be insufficient to say "use COSE_Sign, COSE_Sign1, COSE_Mac, and COSE_Mac0" alone. One could write the additional constraints into the specification text but it might be better to take the respective CDDL fragment and modify it accordingly. Ciao Hannes PS: I am not sure whether the ".cbor control" is an important concept in this conversation. -----Original Message----- From: Carsten Bormann <[email protected]> Sent: Wednesday, December 8, 2021 2:27 PM To: Hannes Tschofenig <[email protected]> Cc: Laurence Lundblade <[email protected]>; cose <[email protected]>; [email protected]; Henk Birkholz <[email protected]> Subject: Re: [Cbor] CDDL for COSE + EAT/CWT + SUIT + CoSIWD Hi Hannes, > On 2021-12-08, at 13:46, Hannes Tschofenig <[email protected]> wrote: > > Hi Carsten, > > I suspect Laurence is sending this email because of his work on EAT. I am > arguing that an attempt to improve the CDDL for the mentioned specs will not > lead to any improvement at all because the problem is elsewhere. I am saying > that because I have just spent many hours reading the EAT spec. Thank you for clarifying this, providing the RATS perspective that I’m missing here. I’m glad to hear that EAT only has one problem :-) (“the problem”). I still think that doing the work I was outlining would help us in various specifications. And when it comes to EAT, I’m assuming that at some point we want to describe EAT claims with some statements about their structure, which would naturally use CDDL. But that may not be needed for the initial EAT specification; I haven’t checked that. If it is not needed, it might be too much of a distraction to apply the work I was outlining to EAT now. Grüße, Carsten > > Ciao > Hannes > > -----Original Message----- > From: Carsten Bormann <[email protected]> > Sent: Wednesday, December 8, 2021 1:37 PM > To: Hannes Tschofenig <[email protected]> > Cc: Laurence Lundblade <[email protected]>; cose <[email protected]>; > [email protected]; Henk Birkholz <[email protected]> > Subject: Re: [Cbor] CDDL for COSE + EAT/CWT + SUIT + CoSIWD > > On 2021-12-08, at 13:30, Hannes Tschofenig <[email protected]> wrote: >> >> EAT by itself is not really an interoperable spec. COSE on its own is not >> interoperable either. > > If I guess about the definition of "interoperable spec” you are using here, > ASCII is not an interoperable spec either - you still have to agree on what > the text means… Still, ASCII was kind of useful as the basis for a lot of > interoperability, I think. > > I think the point here was to shape some CDDL that makes it easier to talk > about the way a more specific (interoperable?) spec uses COSE (which does > have CDDL, just not in a way that usually can be integrated as-is to express > the additional constraints a COSE-using specification typically makes). > > Grüße, Carsten > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
