Re: [COSE] [IANA #1284212] expert review for draft-ietf-cose-cwt-claims-in-headers (cose)

[Michael Jones]

Likewise, thanks for your quick reply, Francesca!

It seems that we're seeing things the same way and that we have a good path 
forward.  Let's do that!

The one optional request that I have is for you call the header parameter "CWT 
Claims" or "CWT_Claims" so that its meaning will be more evident to people when 
they reference the registry.  But If you oppose that, I can live with "ccs".  
In that case, the IANA Considerations registration in draft-ietf-lake-edhoc 
would be updated to something like:

   +------------+----+-----+-------------------------+
   | CWT Claims | 14 | map | A CWT Claims Set (CCS). |
   |            |    |     | CWT Claims Set is       |
   |            |    |     | defined in RFC 8392.    |
   +------------+----+-----+-------------------------+

And we'd update draft-ietf-cose-cwt-claims-in-headers to use that registration 
and add the reference to the draft in the registry, as you suggest.

If you agree, could you send e-mail to IANA and the RFC Editor requesting those 
updates?  I'll likewise produce a new editor's draft of 
draft-ietf-cose-cwt-claims-in-headers and send it to you for your review.  
We'll then publish it when the submission window reopens.

Thanks again.  See you in Prague!

                                                       -- Mike

From: Francesca Palombini <francesca.palomb...@ericsson.com>
Sent: Friday, October 27, 2023 1:52 AM
To: Michael Jones <michael_b_jo...@hotmail.com>; 
drafts-expert-review-comm...@iana.org
Cc: c...@tzi.org; cose@ietf.org; paul.wout...@aiven.io
Subject: Re: [IANA #1284212] expert review for 
draft-ietf-cose-cwt-claims-in-headers (cose)

Hi Mike, thank you for your quick reply!

With regards to additional normative recommendations and requirements this 
document does, I agree that these are not covered in the existing EDHOC 
registration (nor do they need to be, in that document).

This is my recommendation going forward:

  *   In EDHOC: Still make the modifications I indicated below, to change 
"kccs" into "ccs", a more general field. Note that EDHOC will still add its own 
requirements to this field, but they do not need to go into the IANA 
registration. (this is the first sentence of your B point)
  *   In draft-ietf-cose-cwt-claims-in-headers remove the registration request, 
and keep the recommendations and requirements as they are. Point to the "ccs" 
registration. (This is part of your C point)
  *   In draft-ietf-cose-cwt-claims-in-headers IANA section: ask IANA to update 
the reference of the "ccs" parameter to also add 
draft-ietf-cose-cwt-claims-in-headers as a reference.

Basically, I like C. but I don't agree that you need to "Update" EDHOC, since 
this is in practice an update to the IANA registration and usage of the field, 
and you can get that link from the IANA registry directly. 
draft-ietf-cose-cwt-claims-in-headers wouldn't be needed from a reader of 
EDHOC, so it would be wrong to add that tag there, IMO.

Happy to discuss more in Prague - yes I will be there!
Thanks,
Francesca

From: Michael Jones 
<michael_b_jo...@hotmail.com<mailto:michael_b_jo...@hotmail.com>>
Date: Friday, 27 October 2023 at 01:13
To: Francesca Palombini 
<francesca.palomb...@ericsson.com<mailto:francesca.palomb...@ericsson.com>>, 
drafts-expert-review-comm...@iana.org<mailto:drafts-expert-review-comm...@iana.org>
 
<drafts-expert-review-comm...@iana.org<mailto:drafts-expert-review-comm...@iana.org>>
Cc: c...@tzi.org<mailto:c...@tzi.org> <c...@tzi.org<mailto:c...@tzi.org>>, 
cose@ietf.org<mailto:cose@ietf.org> <cose@ietf.org<mailto:cose@ietf.org>>, 
paul.wout...@aiven.io<mailto:paul.wout...@aiven.io> 
<paul.wout...@aiven.io<mailto:paul.wout...@aiven.io>>
Subject: RE: [IANA #1284212] expert review for 
draft-ietf-cose-cwt-claims-in-headers (cose)
Thanks for your useful review, Francesca.  In particular, thank you for 
identifying the overlap between the specifications.

I always consider it a good sign when multiple independent groups of people 
invent essentially the same thing because they have a need for it.  It's a 
clear indication that standardization should occur.

I completely agree that there should only be one header parameter of this kind 
registered.  The rest of my note explores possibilities to get us there.

The main differences that I see between 
https://datatracker.ietf.org/doc/draft-ietf-lake-edhoc/ and 
https://datatracker.ietf.org/doc/draft-ietf-cose-cwt-claims-in-headers/ with 
respect to this header parameter are:

  1.  draft-ietf-lake-edhoc requires the "cnf" claim to be present in the CWT 
Claims Set.
  2.  draft-ietf-lake-edhoc has security considerations about the claims being 
processed as untrusted input (good idea!).
  3.  draft-ietf-cose-cwt-claims-in-headers defines normative behaviors in the 
case that the COSE object is a CWT - in particular, about duplicated claims.
  4.  draft-ietf-cose-cwt-claims-in-headers recommends use only in the 
protected headers.
  5.  draft-ietf-cose-cwt-claims-in-headers has security considerations about 
use with detached payloads.
  6.  draft-ietf-cose-cwt-claims-in-headers has privacy considerations about 
the claims being unencrypted.

Of these, I view 1, 3, and 4 as being the most significant.

Here's some possibilities of next steps, all of which would be fine by me.


  1.  Incorporate the content from draft-ietf-cose-cwt-claims-in-headers into 
draft-ietf-lake-edhoc needed to define the cwt-claims/kccs header parameter as 
a general purpose facility (mainly items 3-6 above).  draft-ietf-lake-edhoc 
would then also profile the general-purpose facility it defines to require 
inclusion of the "cnf" claim for its use case.  I'd be glad to help with the 
editing needed to make this happen.
  2.  Indicate in draft-ietf-lake-edhoc that the cwt-claims/kccs claim is 
general purpose but that the specification only defines it use for its own 
purposes, including requiring "cnf" for its uses.  The spec optionally could 
include a non-normative statement along the lines of "It is anticipated that 
draft-ietf-cose-cwt-claims-in-headers will further specify the use of this 
header parameter for additional use cases."  Note that this would then not 
delay progression of draft-ietf-lake-edhoc to RFC.  
draft-ietf-cose-cwt-claims-in-headers would be modified to drop its 
registration and instead use the value registered by draft-ietf-lake-edhoc.
  3.  Leave draft-ietf-lake-edhoc largely as-is (possibly with Francesca's 
suggested modifications below).  draft-ietf-cose-cwt-claims-in-headers would be 
modified to drop its registration and instead use the value registered by 
draft-ietf-lake-edhoc, while including an "Updates" clause enabling it to 
enhance the definition of the "kccs" or "ccs" claim.

My preference is plan B, as it will cooperatively achieve a useful result with 
very little additional work needed for either spec.  For the record, I believe 
that any plan must retain 3-6.  Thus, unless we pursue A, dropping 
draft-ietf-cose-cwt-claims-in-headers isn't a reasonable option.

As background information, the SCITT working group plans to use 
draft-ietf-cose-cwt-claims-in-headers.  Their claims-in-headers CWT Claims Sets 
will include "iss" and "sub" but not "cnf".  For instance, 
https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/pull/123/files<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-e51d7d1ef162c1c7&q=1&e=63975852-b4be-4a38-9fa0-8c590a1676b1&u=https%3A%2F%2Fgithub.com%2Fietf-wg-scitt%2Fdraft-ietf-scitt-architecture%2Fpull%2F123%2Ffiles>
 uses the "CWT Claims" header parameter in this way.

The other background information is that draft-ietf-cose-cwt-claims-in-headers 
is scheduled for the November 30th IESG telechat.

The good news is that we can discuss this together in Prague.  (Will you be 
there, Francesca?)  I look forward to working with you on this!

                                                       Thanks again,
                                                       -- Mike

From: COSE <cose-boun...@ietf.org<mailto:cose-boun...@ietf.org>> On Behalf Of 
Francesca Palombini
Sent: Thursday, October 26, 2023 11:20 AM
To: 
drafts-expert-review-comm...@iana.org<mailto:drafts-expert-review-comm...@iana.org>
Cc: c...@tzi.org<mailto:c...@tzi.org>; cose@ietf.org<mailto:cose@ietf.org>; 
paul.wout...@aiven.io<mailto:paul.wout...@aiven.io>
Subject: Re: [COSE] [IANA #1284212] expert review for 
draft-ietf-cose-cwt-claims-in-headers (cose)

Hello,

I have reviewed the registration request for 
draft-ietf-cose-cwt-claims-in-headers-07 as a Designated Expert for the "COSE 
Header Parameters" registry 
https://www.iana.org/assignments/cose/cose.xhtml#header-parameters. I have not 
consulted with the other expert, so Carsten, if you have any opinion please go 
ahead.

I have a major issue with this registration: this is basically a duplicate of 
an existing registration, called "kccs". "kccs" is described as follows:

> A CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly 
> other claims. CCS is defined in [RFC8392].

If my understanding is correct, this is almost exactly what 
draft-ietf-cose-cwt-claims-in-headers wants, with the exception that 
draft-ietf-cose-cwt-claims-in-headers doesn't give any specification about 
which claims are included. I believe registering another parameter, as 
requested by draft-ietf-cose-cwt-claims-in-headers, goes against the guidance 
given by the Expert Review Instructions of RFC 9052, Section 11.6:

> Reviewers are encouraged to get sufficient information for registration 
> requests to ensure that the usage is not going to duplicate an existing 
> registration

I note that "kccs" is registered by the EDHOC document in lake: 
https://datatracker.ietf.org/doc/draft-ietf-lake-edhoc/ which is not yet 
published (it is however in EDIT state in the RFC Editor queue). I suggest that 
that document's COSE Header Parameter is changed so that the description is 
more general and cover this case as well.

This could be done by a small change of the name "kccs" to "ccs" and the 
following change in the description:

OLD
A CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly 
other claims. CCS is defined in [RFC8392].
NEW
A CWT Claims Set (CCS) as defined in [RFC8392].

(And if that is done, I suggest the same modification is done for "kcwt").

Then draft-ietf-cose-cwt-claims-in-headers would not need to be published at 
all.

Francesca

From: David Dong via RT 
<drafts-expert-review-comm...@iana.org<mailto:drafts-expert-review-comm...@iana.org>>
Date: Tuesday, 17 October 2023 at 20:45
To:
Cc: Francesca Palombini 
<francesca.palomb...@ericsson.com<mailto:francesca.palomb...@ericsson.com>>, 
c...@tzi.org<mailto:c...@tzi.org> <c...@tzi.org<mailto:c...@tzi.org>>, 
cose@ietf.org<mailto:cose@ietf.org> <cose@ietf.org<mailto:cose@ietf.org>>
Subject: [IANA #1284212] expert review for 
draft-ietf-cose-cwt-claims-in-headers (cose)
Dear Francesca Palombini and Carsten Bormann (cc: cose WG),

As the designated experts for the COSE Header Parameters registry, can you 
review the proposed registration in draft-ietf-cose-cwt-claims-in-headers-06 
for us? Please see:

https://datatracker.ietf.org/doc/draft-ietf-cose-cwt-claims-in-headers/

The due date is October 31st.

If this is OK, when the IESG approves the document for publication, we'll make 
the registration at:

https://www.iana.org/assignments/cose/

Unless you ask us to wait for the other reviewers, we'll act on the first 
response we receive.

With thanks,

David Dong
IANA Services Sr. Specialist

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose