Thanks Brian, great feedback and proposal! I recorded it as issue #222<https://github.com/cose-wg/CBOR-certificates/issues/222>.
Let’s think this over soon so we could make the update before WGLC. Göran From: Sipos, Brian J. <[email protected]> Date: Tuesday, 4 March 2025 at 15:28 To: [email protected] <[email protected]> Subject: [COSE] Re: [EXT] I-D Action: draft-ietf-cose-cbor-encoded-cert-13.txt Authors, I think the C509 contents and definition are in good shape. One comment / suggestion that I ran into when handling C509 data is related to the current "direct" CBOR form of the C509 certificate when carried in a COSE header as either "c5c" or "c5b" (and referenced by a "c5u"). The current definition of this container is COSE_C509 = C509Certificate / [ 2* C509Certificate ] which requires the handlers of the container to either decode the C509 contents itself or use a CBOR decoder to skip over the "C509Certificate" items (which likely contain deeply nested structure and is not a trivial activity [1] and not universally supported by CBOR libraries). This is in contrast to the X.509 container, defined in RFC 9360 as COSE_X509 = bstr / [ 2*certs: bstr ] Which relieves the handler of that item of caring what are the exact contents of the contained bstr item(s). Would it seem sensible to rework the C509 container as (something equivalent to) the following? COSE_C509 = C509CertData / [ 2* C509CertData ] C509CertData = bstr .cbor C509Certificate This relieves the handler of the container from needing to decode the bstr items, but also allows an aware handler to validate the embedded CBOR item just as is required today. The expense is the bstr wrapper item, which for small-ish certificates would be an overhead of 2-3 bytes per certificate. I understand that one of the main purposes of C509 is to reduce encoded size, but I think the current direct container contents also forces handlers to expend processing/memory resources to skip or decode the certificate contents even if that handler just passes the encoded certificate along to different entities/layers. Any thoughts about this alternative "bstr embedded" container? Thanks, Brian S. [1] https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flaurencelundblade%2FQCBOR%2Fblob%2F83c4af09d3752afa64ae66e2a3382192bf682541%2Finc%2Fqcbor%2Fqcbor_decode.h%23L1014C1-L1014C28&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247131877%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=oCl00L4uj%2F4dwioCXXZPGOA%2Fmn7ISju6lClbdS6uyys%3D&reserved=0<https://github.com/laurencelundblade/QCBOR/blob/83c4af09d3752afa64ae66e2a3382192bf682541/inc/qcbor/qcbor_decode.h#L1014C1-L1014C28> > -----Original Message----- > From: [email protected] <[email protected]> > Sent: Monday, March 3, 2025 2:56 PM > To: [email protected] > Cc: [email protected] > Subject: [EXT] [COSE] I-D Action: draft-ietf-cose-cbor-encoded-cert-13.txt > > APL external email warning: Verify sender [email protected] before > clicking links or attachments > > Internet-Draft draft-ietf-cose-cbor-encoded-cert-13.txt is now available. It > is a > work item of the CBOR Object Signing and Encryption (COSE) WG of the IETF. > > Title: CBOR Encoded X.509 Certificates (C509 Certificates) > Authors: John Preuß Mattsson > Göran Selander > Shahid Raza > Joel Höglund > Martin Furuhed > Name: draft-ietf-cose-cbor-encoded-cert-13.txt > Pages: 77 > Dates: 2025-03-03 > > Abstract: > > This document specifies a CBOR encoding of X.509 certificates. The > resulting certificates are called C509 Certificates. The CBOR > encoding supports a large subset of RFC 5280 and all certificates > compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA > eUICC, and CA/Browser Forum Baseline Requirements profiles. When > used to re-encode DER encoded X.509 certificates, the CBOR encoding > can in many cases reduce the size of RFC 7925 profiled certificates > with over 50% while also significantly reducing memory and code size > compared to ASN.1. The CBOR encoded structure can alternatively be > signed directly ("natively signed"), which does not require re- > encoding for the signature to be verified. The TLSA selectors > registry defined in RFC 6698 is extended to include CBOR > certificates. The document also specifies C509 Certificate Signing > Requests, C509 COSE headers, a C509 TLS certificate type, and a C509 > file format. > > The IETF datatracker status page for this Internet-Draft is: > https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cose-cbor-encoded-cert%2F&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247156492%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=7zoUeBAQCP60vezGHIx2R40XiPnB3pYj44AsgzqmKHs%3D&reserved=0<https://datatracker.ietf.org/doc/draft-ietf-cose-cbor-encoded-cert/> > > There is also an HTML version available at: > https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-cose-cbor-encoded-cert-13.html&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247170234%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Ir0FLLuv8LjL4LwUX69xQj2k%2Fy6wauvw%2BhFD%2BhXP4C4%3D&reserved=0<https://www.ietf.org/archive/id/draft-ietf-cose-cbor-encoded-cert-13.html> > > A diff from the previous version is available at: > https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthor-tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-cose-cbor-encoded-cert-13&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247182721%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=oBHjkj%2BBou2qw%2BSbnsde4g3YwKKU%2F6bbaJw8x2LR5iU%3D&reserved=0<https://author-tools.ietf.org/iddiff?url2=draft-ietf-cose-cbor-encoded-cert-13> > > Internet-Drafts are also available by rsync at: > rsync.ietf.org::internet-drafts > > > _______________________________________________ > COSE mailing list -- [email protected] > To unsubscribe send an email to [email protected]
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
