On 2022-02-22 10:08, Carsten Bormann wrote:
<snip>

On 2022-02-22, at 06:59, Anders Rundgren <[email protected]> wrote:
However, due to the myriad of CBOR serialization options,...

Not true.
All widely used serialization formats grant the encoder some freedoms in 
encoding information, CBOR is not different.  There are no “options” that need 
to be chosen or known to the recipient; there is only one CBOR.

Dear Carsten,

I have absolutely ZERO interest in criticizing you, CBOR, or COSE; I'm here to 
point out a problem which I have experienced both as an *enthusiastic* CBOR 
implementer and as a reviewer of various drafts.

The WebAuthn/FIDO specification details CBOR serialization requirements, while 
the EAT draft specifies multiple alternatives.  There must be a reason for 
that.  To cope with (and potentially enforce/verify) different CBOR 
serialization variants, CBOR tools typically provide options: 
https://github.com/peteroupc/CBOR-Java/blob/master/api/com.upokecenter.cbor.CBOREncodeOptions.md

Anyway, it has been a while since CBOR was conceived.  In the mean time, 
Moore's Law has kept chugging along nicely, making previously unimaginable 
things like Apple's Max Pro chip with 58 Billion transistors a reality.  
Obviously these developments trickle down to constrained devices as well.

The proposal is simply defining something like an "I-CBOR" that could serve as 
the foundation for future standards like EAT.

"I-CBOR" would (in my take on the matter), be CBOR's counterpart to ASN.1's 
DER.  RFC 8949 is just fine, but it doesn't take this concept the whole way: 
https://www.rfc-editor.org/rfc/rfc8949.html#name-additional-deterministic-en

Cheers,
Anders




CWTs suffer from interoperability issues (*)

Not true.  Pure FUD.

making JWTs a better choice for *ubiquitous* usage :(

No

By *mandating* preferred serialization ("I-CBOR") you can achieve the same
interoperability as with JWTs,

Nonsense.
JWTs don't use deterministic encoding, and neither does CWT need to.

as well as getting away from the need to bury data-to-be-signed in byte-strings.

Detached payloads solve that particular problem (if you have it).
Note that "burying" in CBOR is a simple copy (or reference), while JOSE needs 
to base64-encode everything, often in a nested way.

Such solutions can also conserve buffer RAM in the case RAM is a scarce 
resource.  Yes, depending on the application your mileage may vary.

CBOR saves RAM compared to JSON here.

Grüße, Carsten
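The two points argued in the messages above (whether a recipient needs to know the encoder's serialization choices, and whether "burying" a payload in a byte string costs anything) are easy to see on the wire. The following toy CBOR encoder/decoder is an added example for this thread; it is not code from the thread, from CBOR-Java, or from any COSE implementation. It covers the RFC 8949 subset needed here (integers, byte and text strings, arrays, maps, false/true/null; no floats, tags or indefinite lengths). The claim set is constructed for the example and only loosely modelled on CWT-style integer claim keys.

```python
"""Toy CBOR codec (RFC 8949 subset) showing preferred serialization
versus other valid encodings, and bstr-wrapping of a payload.
Added example for this thread; not from CBOR-Java or any COSE stack."""


def _head(major, n, min_width=0):
    """Initial byte(s) for major type `major` with argument `n`.

    min_width=0 gives the shortest form, which RFC 8949 section 4.2.1
    (preferred serialization) requires.  A larger min_width (1, 2, 4 or 8)
    pads the argument to a longer, still valid, encoding that a permissive
    decoder accepts but a deterministic encoder must never emit."""
    widths = [w for w in (1, 2, 4, 8) if n < 1 << (8 * w)]
    if not widths:
        raise ValueError("argument too large")
    if min_width not in (0, 1, 2, 4, 8):
        raise ValueError("min_width must be 0, 1, 2, 4 or 8")
    shortest = 0 if n < 24 else widths[0]
    width = max(shortest, min_width)
    if width == 0:
        return bytes([(major << 5) | n])
    ai = {1: 24, 2: 25, 4: 26, 8: 27}[width]
    return bytes([(major << 5) | ai]) + n.to_bytes(width, "big")


def encode(value, sort_keys=True, min_width=0):
    """Encode `value`.  The defaults produce preferred serialization:
    shortest argument encodings and map keys sorted bytewise by their
    encoded form (RFC 8949 section 4.2.1; the older RFC 7049 'canonical'
    rule sorted length-first, which is the kind of variant a library
    exposes as an option)."""
    if value is False:
        return b"\xf4"
    if value is True:
        return b"\xf5"
    if value is None:
        return b"\xf6"
    if isinstance(value, int):
        return _head(0, value, min_width) if value >= 0 else _head(1, -1 - value, min_width)
    if isinstance(value, bytes):
        return _head(2, len(value), min_width) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw), min_width) + raw
    if isinstance(value, list):
        body = b"".join(encode(v, sort_keys, min_width) for v in value)
        return _head(4, len(value), min_width) + body
    if isinstance(value, dict):
        items = [(encode(k, sort_keys, min_width), encode(v, sort_keys, min_width))
                 for k, v in value.items()]
        if sort_keys:
            items.sort(key=lambda kv: kv[0])
        return _head(5, len(items), min_width) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type {type(value).__name__}")


def _decode(data, i):
    """Decode one data item starting at offset i; accepts any argument width."""
    ib = data[i]
    major, ai = ib >> 5, ib & 0x1F
    i += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        w = 1 << (ai - 24)
        n = int.from_bytes(data[i:i + w], "big")
        i += w
    else:
        raise ValueError("indefinite length / reserved additional info not supported")
    if major in (2, 3) and i + n > len(data):
        raise ValueError("truncated string")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return data[i:i + n], i + n
    if major == 3:
        return data[i:i + n].decode("utf-8"), i + n
    if major == 4:
        items = []
        for _ in range(n):
            v, i = _decode(data, i)
            items.append(v)
        return items, i
    if major == 5:
        d = {}
        for _ in range(n):
            k, i = _decode(data, i)
            v, i = _decode(data, i)
            d[k] = v
        return d, i
    if major == 7 and n in (20, 21, 22):
        return {20: False, 21: True, 22: None}[n], i
    raise ValueError(f"unsupported item: major {major}, ai {ai}")


def decode(data):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes")
    return value


def is_preferred(data):
    """A recipient's check: re-encoding the decoded value must reproduce the bytes."""
    return encode(decode(data)) == data


def wrap_as_bstr(payload):
    """COSE-style embedding: the payload bytes are copied verbatim behind a bstr head."""
    return encode(payload)


# Constructed claim set (integer keys in the style of CWT claims); insertion
# order is deliberately unsorted so the sorting step is visible.
CLAIMS = {4: 1700000000, 1: "coap://as.example", 8: {1: b"\x01\x02\x03"}}


def demo():
    preferred = encode(CLAIMS)                                 # one preferred form
    loose = encode(CLAIMS, sort_keys=False, min_width=2)       # valid, but not preferred
    return {
        "preferred": preferred,
        "loose": loose,
        "same_value": decode(preferred) == decode(loose),      # True: same data item
        "same_bytes": preferred == loose,                      # False: different bytes
        "payload": wrap_as_bstr(preferred),                    # 0x58 <len> + a copy
    }
```

`demo()["loose"]` decodes to the same claim set as the preferred form but is longer and hashes differently, so a verifier that re-serializes claims before checking a signature would need to know (or enforce) the encoder's choices; `is_preferred()` is that check. `wrap_as_bstr()` shows the other side of the argument: embedding the signed payload is a two-byte head followed by the payload bytes themselves, so the verifier signs and checks exactly the bytes received and never needs to re-encode, with no base64 layer.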


_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
