Re: [COSE] Gap in registration of application/cwt?

[Jim Schaad]

 

 

From: Laurence Lundblade  
Sent: Friday, August 14, 2020 1:59 PM
To: Jim Schaad 
Cc: Ace Wg ; cose 
Subject: Re: [COSE] Gap in registration of application/cwt?

 

Here’s a series of scenarios that I think are legal CWT. These are allowed by 
RFC 8392, right?

 

1) Explicitly tagged, no external type info needed

- Has CWT tag

- Has COSE type tag

[JLS] Yes

 

2) CWT identification by label, COSE type tagged

- The CWT is a CBOR data item with a label. The definition of the label says 
the contents of the label are always CWT

- No CWT tag necessary as it is implied by the label

- Has a COSE type tag

[JLS] Yes, the label could be internal to the CBOR object or external such as 
an media-type

 

3) CWT and COSE by label

- The CWT is an item with a label. The definition of the label says the 
contents of the label are always CWT and of a specific COSE type

- No tags necessary

[JLS] Yes that would be fine

 

4) Application/CWT identifies content as CWT, tagging for COSE type

- No CWT tag

- Has a COSE tag

[JLS] This is the same as 2?  I don’t think that it would be restricted to just 
that media type.

 

5) Application/CWT identifies content as CWT

- Has CWT tag even though it is redundant 

- Has a COSE tag

[JLS] Yes

 

6) Application/CWT; cose-type=COSE_Sign1 (or Mac0 or …)

- No tags are used

- Identification is completely by the MIME type header

- (I understand that the cose-type MIME parameter is not defined, but it could 
be. 8392 doesn’t forbid it)

[JLS] Yes you could do that, and as I stated in a previous mail this is not a 
good idea for the CoAP world.

 

7) A protocol like FIDO identifies a protocol element that is an attention type 
the type of which is CWT with COSE_Sign1

- No tags are used

[JLS] yes

 

8) A protocol like FIDO identifies a protocol element that is an attention type 
the type of which is CWT; the COSE type is determined by tag

- No CWT tag

- Has a COSE tag

[JLS] yes

 

The one thing you can’t do is have a CWT tag without a COSE type tag. 8392 
section 6 forbids this.

 

[JLS] There however is a set of nested cases that you might need to look at.  
That is 6.CWT ( COSE_Encrypt_Tagged ( COSE_Sign ))  You would also need to 
think about the requirements for nested COSE layers.

 

Jim

 

 

LL

 

 

 

 





On Aug 11, 2020, at 12:20 PM, Laurence Lundblade mailto:l...@island-resort.com> > wrote:

 

 





On Aug 10, 2020, at 5:49 PM, Jim Schaad mailto:i...@augustcellars.com> > wrote:

 

This is all based on my understanding that the surrounding protocol for must 
specify exactly when CBOR tags are to be used and when they are not to be used 
and that the surrounding protocol must not leave it as an optional 
implementation choice. In this case application/cwt is the supporting protocol.

 

[JLS] What is the text that says that this is true.  This would be a surprising 
statement for me.

 

Here’s three things that lead me to this.

 

CBORbis

The sentence of the first paragraph in 4.2.2 
<https://tools.ietf.org/html/draft-ietf-cbor-7049bis-14#section-4.2.2>  very 
clearly states this, though this is only for deterministic encoding.

 

Typical CDDL

Most CDDL that describes tagged data describes it only as tagged or untagged, 
not as optionally tagged.  COSE is one example of this. 

 

Email threads

This thread 
<https://mailarchive.ietf.org/arch/browse/cbor/?gbt=1=Hz7VjeBab9DxPas9E5_KfOmZwN0>
  and this thread 
<https://mailarchive.ietf.org/arch/browse/cbor/?gbt=1=y1EZ-IylFpJ3_MndQGADSbKhx0s>
 .

 

I summarized this behavior in this email 
<https://mailarchive.ietf.org/arch/msg/cbor/Hz7VjeBab9DxPas9E5_KfOmZwN0/>  and 
no where in the rest of the thread was it indicated differently.

 

So, it is not a hard requirement because 4.2.2 is only for deterministic 
encoding, but seems like a “should" in spirit. It is the preferred way to 
design a CBOR protocol.

 

However you slice it, I think it is up to the surrounding protocol to say 
whether a tag is always required, never required or optionally required. If the 
protocol doesn’t say, then it defaults to optionally required.

 

Defaulting or explicitly allowing optional tagging means the receiver has to 
allow for all the tagging scenarios and makes possible the error case where the 
surrounding protocol says the data is of one type and the tag conflicts with 
it. (e.g. an application/cwt that contains a tagged CoSWID).

 

I don’t think optional tagging is of any advantage in a protocol design. It 
doesn’t enable anything.

 

It has some disadvantage because it introduces error conditions and potential 
confusion.

 

I think there are several scenarios with section 6 and application/cwt that 
could be more clear.

 

Can you use tag 61 or not? I think the current answer is that in 
application/cwt, tag 61 is optional.

 

How do you know what the COSE type is? It is somewhat obvious that COSE tags 
will work, but there is no requireme

Re: [COSE] Gap in registration of application/cwt?

[Laurence Lundblade]

Here’s a series of scenarios that I think are legal CWT. These are allowed by 
RFC 8392, right?

1) Explicitly tagged, no external type info needed
- Has CWT tag
- Has COSE type tag

2) CWT identification by label, COSE type tagged
- The CWT is a CBOR data item with a label. The definition of the label says 
the contents of the label are always CWT
- No CWT tag necessary as it is implied by the label
- Has a COSE type tag

3) CWT and COSE by label
- The CWT is an item with a label. The definition of the label says the 
contents of the label are always CWT and of a specific COSE type
- No tags necessary

4) Application/CWT identifies content as CWT, tagging for COSE type
- No CWT tag
- Has a COSE tag

5) Application/CWT identifies content as CWT
- Has CWT tag even though it is redundant 
- Has a COSE tag

6) Application/CWT; cose-type=COSE_Sign1 (or Mac0 or …)
- No tags are used
- Identification is completely by the MIME type header
- (I understand that the cose-type MIME parameter is not defined, but it could 
be. 8392 doesn’t forbid it)

7) A protocol like FIDO identifies a protocol element that is an attention type 
the type of which is CWT with COSE_Sign1
- No tags are used

8) A protocol like FIDO identifies a protocol element that is an attention type 
the type of which is CWT; the COSE type is determined by tag
- No CWT tag
- Has a COSE tag

The one thing you can’t do is have a CWT tag without a COSE type tag. 8392 
section 6 forbids this.

LL





> On Aug 11, 2020, at 12:20 PM, Laurence Lundblade  
> wrote:
> 
> 
> 
>> On Aug 10, 2020, at 5:49 PM, Jim Schaad > > wrote:
>> 
>> This is all based on my understanding that the surrounding protocol for must 
>> specify exactly when CBOR tags are to be used and when they are not to be 
>> used and that the surrounding protocol must not leave it as an optional 
>> implementation choice. In this case application/cwt is the supporting 
>> protocol.
>>  
>> [JLS] What is the text that says that this is true.  This would be a 
>> surprising statement for me.
> 
> Here’s three things that lead me to this.
> 
> CBORbis
> The sentence of the first paragraph in 4.2.2 
>  very 
> clearly states this, though this is only for deterministic encoding.
> 
> Typical CDDL
> Most CDDL that describes tagged data describes it only as tagged or untagged, 
> not as optionally tagged.  COSE is one example of this. 
> 
> Email threads
> This thread 
> 
>  and this thread 
> .
> 
> I summarized this behavior in this email 
>  and 
> no where in the rest of the thread was it indicated differently.
> 
> So, it is not a hard requirement because 4.2.2 is only for deterministic 
> encoding, but seems like a “should" in spirit. It is the preferred way to 
> design a CBOR protocol.
> 
> However you slice it, I think it is up to the surrounding protocol to say 
> whether a tag is always required, never required or optionally required. If 
> the protocol doesn’t say, then it defaults to optionally required.
> 
> Defaulting or explicitly allowing optional tagging means the receiver has to 
> allow for all the tagging scenarios and makes possible the error case where 
> the surrounding protocol says the data is of one type and the tag conflicts 
> with it. (e.g. an application/cwt that contains a tagged CoSWID).
> 
> I don’t think optional tagging is of any advantage in a protocol design. It 
> doesn’t enable anything.
> 
> It has some disadvantage because it introduces error conditions and potential 
> confusion.
> 
> I think there are several scenarios with section 6 and application/cwt that 
> could be more clear.
> 
> Can you use tag 61 or not? I think the current answer is that in 
> application/cwt, tag 61 is optional.
> 
> How do you know what the COSE type is? It is somewhat obvious that COSE tags 
> will work, but there is no requirement to use them. A MIME parameter or other 
> is entirely allowed here.
> 
> Section 6 does say that determination that something is a CWT is application 
> dependent, but doesn’t say that the COSE type is also application dependent. 
> Section 7 does address this.
> 
> Said another way, my fully general CWT decoder that is called by some 
> application needs an input parameter to indicate the COSE type because there 
> is no requirement in 8392 that a CWT indicate which COSE type is in use. 
> Sometimes the caller will be able to provide the COSE type and sometimes they 
> won’t. Sometimes there will be an error of conflicting COSE type and 
> sometimes the error will be that the COSE type can’t be determined.
> 
> I think it would have been cleanest if CWT always indicated the COSE type be 
> used and the tagging 

Re: [COSE] Gap in registration of application/cwt?

[Laurence Lundblade]

> On Aug 10, 2020, at 5:49 PM, Jim Schaad  wrote:
> 
> This is all based on my understanding that the surrounding protocol for must 
> specify exactly when CBOR tags are to be used and when they are not to be 
> used and that the surrounding protocol must not leave it as an optional 
> implementation choice. In this case application/cwt is the supporting 
> protocol.
>  
> [JLS] What is the text that says that this is true.  This would be a 
> surprising statement for me.

Here’s three things that lead me to this.

CBORbis
The sentence of the first paragraph in 4.2.2 
 very 
clearly states this, though this is only for deterministic encoding.

Typical CDDL
Most CDDL that describes tagged data describes it only as tagged or untagged, 
not as optionally tagged.  COSE is one example of this. 

Email threads
This thread 

 and this thread 
.

I summarized this behavior in this email 
 and 
no where in the rest of the thread was it indicated differently.

So, it is not a hard requirement because 4.2.2 is only for deterministic 
encoding, but seems like a “should" in spirit. It is the preferred way to 
design a CBOR protocol.

However you slice it, I think it is up to the surrounding protocol to say 
whether a tag is always required, never required or optionally required. If the 
protocol doesn’t say, then it defaults to optionally required.

Defaulting or explicitly allowing optional tagging means the receiver has to 
allow for all the tagging scenarios and makes possible the error case where the 
surrounding protocol says the data is of one type and the tag conflicts with 
it. (e.g. an application/cwt that contains a tagged CoSWID).

I don’t think optional tagging is of any advantage in a protocol design. It 
doesn’t enable anything.

It has some disadvantage because it introduces error conditions and potential 
confusion.

I think there are several scenarios with section 6 and application/cwt that 
could be more clear.

Can you use tag 61 or not? I think the current answer is that in 
application/cwt, tag 61 is optional.

How do you know what the COSE type is? It is somewhat obvious that COSE tags 
will work, but there is no requirement to use them. A MIME parameter or other 
is entirely allowed here.

Section 6 does say that determination that something is a CWT is application 
dependent, but doesn’t say that the COSE type is also application dependent. 
Section 7 does address this.

Said another way, my fully general CWT decoder that is called by some 
application needs an input parameter to indicate the COSE type because there is 
no requirement in 8392 that a CWT indicate which COSE type is in use. Sometimes 
the caller will be able to provide the COSE type and sometimes they won’t. 
Sometimes there will be an error of conflicting COSE type and sometimes the 
error will be that the COSE type can’t be determined.

I think it would have been cleanest if CWT always indicated the COSE type be 
used and the tagging optionality didn’t span two protocol layers, but that 
would be an incompatible change.  Maybe a recommendation that CWT’s SHOULD 
always indicate their COSE type?

LL___
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose

Re: [COSE] Gap in registration of application/cwt?

[Jim Schaad]

 

 

From: COSE  On Behalf Of Laurence Lundblade
Sent: Monday, August 10, 2020 1:25 PM
To: Ace Wg ; cose 
Subject: [COSE] Gap in registration of application/cwt?

 

It doesn’t seem clear what the CBOR tagging requirements are when 
application/cwt is used to indicate a message is a CWT.

 

This is the text that I think it missing:

 

The CBOR CWT tag (61) must NOT be used. It is unnecessary because the media 
type already indicates it is a CWT.

 

The COSE type indicating tag MUST be present. It is necessary to determine 
whether what the COSE type is, whether it is COSE_Sign1, COSE_Mac0...

 

Another solution could be a MIME parameter added to the application/cwt 
indicating the COSE type.

 

[JLS] Yes that would have been an alternative that would work – However this 
option would require either that you use text content types for CoAP or you 
allocate N different integer content types one for each possible set of options 
that could be placed there.  The current solution is cleaner and smaller.

 

Step 3 in section 7.2 also seems wrong. It doesn’t make it an error for the 
COSE type tag to be absent when the CBOR CWT tag is present.

 

 

This is all based on my understanding that the surrounding protocol for must 
specify exactly when CBOR tags are to be used and when they are not to be used 
and that the surrounding protocol must not leave it as an optional 
implementation choice. In this case application/cwt is the supporting protocol.

 

[JLS] What is the text that says that this is true.  This would be a surprising 
statement for me.

 

Jim

 

 

LL

___
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose