On 2025-03-07 13:50, Göran Selander wrote:
Thanks Brian, great feedback and proposal!
I recorded it as issue #222
<https://github.com/cose-wg/CBOR-certificates/issues/222>.
Let’s think this over soon so we could make the update before WGLC.
The reason for bstr-ing X.509 certificates is because they are in ASN.1.
Anders
Göran
*From: *Sipos, Brian J. <[email protected]>
*Date: *Tuesday, 4 March 2025 at 15:28
*To: *[email protected] <[email protected]>
*Subject: *[COSE] Re: [EXT] I-D Action: draft-ietf-cose-cbor-encoded-cert-13.txt
Authors,
I think the C509 contents and definition are in good shape. One comment / suggestion that I ran into when handling C509
data is related to the current "direct" CBOR form of the C509 certificate when carried in a COSE header as
either "c5c" or "c5b" (and referenced by a "c5u").
The current definition of this container is
COSE_C509 = C509Certificate / [ 2* C509Certificate ]
which requires the handlers of the container to either decode the C509 contents itself or
use a CBOR decoder to skip over the "C509Certificate" items (which likely
contain deeply nested structure and is not a trivial activity [1] and not universally
supported by CBOR libraries).
This is in contrast to the X.509 container, defined in RFC 9360 as
COSE_X509 = bstr / [ 2*certs: bstr ]
Which relieves the handler of that item of caring what are the exact contents
of the contained bstr item(s).
Would it seem sensible to rework the C509 container as (something equivalent
to) the following?
COSE_C509 = C509CertData / [ 2* C509CertData ]
C509CertData = bstr .cbor C509Certificate
This relieves the handler of the container from needing to decode the bstr
items, but also allows an aware handler to validate the embedded CBOR item just
as is required today. The expense is the bstr wrapper item, which for small-ish
certificates would be an overhead of 2-3 bytes per certificate.
I understand that one of the main purposes of C509 is to reduce encoded size,
but I think the current direct container contents also forces handlers to
expend processing/memory resources to skip or decode the certificate contents
even if that handler just passes the encoded certificate along to different
entities/layers.
Any thoughts about this alternative "bstr embedded" container?
Thanks,
Brian S.
[1]
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flaurencelundblade%2FQCBOR%2Fblob%2F83c4af09d3752afa64ae66e2a3382192bf682541%2Finc%2Fqcbor%2Fqcbor_decode.h%23L1014C1-L1014C28&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247131877%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=oCl00L4uj%2F4dwioCXXZPGOA%2Fmn7ISju6lClbdS6uyys%3D&reserved=0
<https://github.com/laurencelundblade/QCBOR/blob/83c4af09d3752afa64ae66e2a3382192bf682541/inc/qcbor/qcbor_decode.h#L1014C1-L1014C28>
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Monday, March 3, 2025 2:56 PM
To: [email protected]
Cc: [email protected]
Subject: [EXT] [COSE] I-D Action: draft-ietf-cose-cbor-encoded-cert-13.txt
APL external email warning: Verify sender [email protected] before
clicking links or attachments
Internet-Draft draft-ietf-cose-cbor-encoded-cert-13.txt is now available. It is
a
work item of the CBOR Object Signing and Encryption (COSE) WG of the IETF.
Title: CBOR Encoded X.509 Certificates (C509 Certificates)
Authors: John Preuß Mattsson
Göran Selander
Shahid Raza
Joel Höglund
Martin Furuhed
Name: draft-ietf-cose-cbor-encoded-cert-13.txt
Pages: 77
Dates: 2025-03-03
Abstract:
This document specifies a CBOR encoding of X.509 certificates. The
resulting certificates are called C509 Certificates. The CBOR
encoding supports a large subset of RFC 5280 and all certificates
compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA
eUICC, and CA/Browser Forum Baseline Requirements profiles. When
used to re-encode DER encoded X.509 certificates, the CBOR encoding
can in many cases reduce the size of RFC 7925 profiled certificates
with over 50% while also significantly reducing memory and code size
compared to ASN.1. The CBOR encoded structure can alternatively be
signed directly ("natively signed"), which does not require re-
encoding for the signature to be verified. The TLSA selectors
registry defined in RFC 6698 is extended to include CBOR
certificates. The document also specifies C509 Certificate Signing
Requests, C509 COSE headers, a C509 TLS certificate type, and a C509
file format.
The IETF datatracker status page for this Internet-Draft is:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cose-cbor-encoded-cert%2F&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247156492%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=7zoUeBAQCP60vezGHIx2R40XiPnB3pYj44AsgzqmKHs%3D&reserved=0
<https://datatracker.ietf.org/doc/draft-ietf-cose-cbor-encoded-cert/>
There is also an HTML version available at:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-cose-cbor-encoded-cert-13.html&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247170234%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Ir0FLLuv8LjL4LwUX69xQj2k%2Fy6wauvw%2BhFD%2BhXP4C4%3D&reserved=0
<https://www.ietf.org/archive/id/draft-ietf-cose-cbor-encoded-cert-13.html>
A diff from the previous version is available at:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthor-tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-cose-cbor-encoded-cert-13&data=05%7C02%7Cgoran.selander%40ericsson.com%7C22cead1a3f31436834f308dd5b28dc2c%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638766953247182721%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=oBHjkj%2BBou2qw%2BSbnsde4g3YwKKU%2F6bbaJw8x2LR5iU%3D&reserved=0
<https://author-tools.ietf.org/iddiff?url2=draft-ietf-cose-cbor-encoded-cert-13>
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
