Re: [Anima] [media-types] Fwd: Thoughts on suffixes, single and multiple

2024-04-06 Thread S Moonesamy 

Hi Michael,
At 01:21 PM 04-04-2024, Michael Richardson wrote:

We in ANIMA have been struggling because we have an artifact, a voucher
(YANG defined in RFC8366, being revised/extended in 8366bis), which can be in
two major formats: JSON and CBOR (in theory, XML too), but can be signed by
three formats (CMS, JWS, COSE).

That gives us three major variations today:
1) application/voucher-cms+json  aka voucher+json+cms?
2) application/voucher+cose  or? voucher+cbor+cose?
3) application/voucher-jwt+json  aka voucher+json+jwt?

(because CMS signing CBOR seems dumb, as does mixing {JSON,CBOR} X {JWS,COSE})

We didn't know if we should resort to multiple suffixes or not, and the lack
of apparent progress on this has been a pain.  So, thank you for the decision
as it takes the options off the table, I guess, even if I'm bit surprised by
it.


My quick reaction is that using those variations is a bad idea.  The 
good news is that I cannot prevent the working group from moving 
forward with the registration.


The policy perspective is that someone will have to go through the 
registry, submit a policy change and figure out how to move it forward.


Regards,
S. Moonesamy 


___
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima

Re: [Anima] [media-types] Fwd: Thoughts on suffixes, single and multiple

2024-04-05 Thread Michael Richardson 

Michael Jones  wrote:
> Michael R., you wrote:
>> 1) application/voucher-cms+json aka voucher+json+cms?

> I don't think these make sense since CMS is X.509 - not JSON.  You
> could reasonably use application/voucher-cms or
> application/voucher+cms.

CMS signed JSON is in RFC8366.  It's useful to people who have a CMS library
that has gone through FIPS, but not a JWS or COSE library.  This was more
important in 2016 when the spec ws written.

>> 2) application/voucher+cose or? voucher+cbor+cose?

> application/voucher+cose would make sense.  I don't think the +cbor
> adds anything useful here.

I agree, I don't think it adds anything.

>> 3) application/voucher-jwt+json aka voucher+json+jwt?

> Neither of the above make sense.  JWTs are sequences of
> base64url-encoded characters separated by periods.  They are not JSON.

Neither is image/svg+xml+gzip actually XML, until you decode the GZIP.

> application/voucher+jwt would make sense.

--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide


signature.asc
Description: PGP signature
___
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima

Re: [Anima] [media-types] Fwd: Thoughts on suffixes, single and multiple

2024-04-04 Thread Michael Jones 
Michael R., you wrote:
> 1) application/voucher-cms+json  aka voucher+json+cms?

I don't think these make sense since CMS is X.509 - not JSON.  You could 
reasonably use application/voucher-cms or application/voucher+cms.

> 2) application/voucher+cose  or? voucher+cbor+cose?

application/voucher+cose would make sense.  I don't think the +cbor adds 
anything useful here.

> 3) application/voucher-jwt+json  aka voucher+json+jwt?

Neither of the above make sense.  JWTs are sequences of base64url-encoded 
characters separated by periods.  They are not JSON.  application/voucher+jwt 
would make sense.

-- Mike

P.S.  Note that my response is about the specific possible media type names and 
doesn't really touch on the general questions being discussed in the thread.

-Original Message-
From: media-types  On Behalf Of Michael Richardson
Sent: Thursday, April 4, 2024 1:22 PM
To: media-ty...@ietf.org
Cc: anima@ietf.org
Subject: Re: [media-types] Fwd: Thoughts on suffixes, single and multiple


original, entire thread, for ANIMA people:
https://mailarchive.ietf.org/arch/msg/media-types/iWc8TLcWOyO0jyqeiuF9VCZClIs/

mnot> After the meeting in Brisbane, some of us went aside to continue to
mnot> the multiple suffixes discussion. There, we quickly came to the
mnot> conclusion that we should deprecate the concept of suffixes in
mnot> media subtypes -- i.e., they would still be syntactically allowed,
mnot> but would have no meaning or registry. Martin Thomson and I took an
mnot> action to write something down about this.

uhm. okay.
We in ANIMA have been struggling because we have an artifact, a voucher (YANG 
defined in RFC8366, being revised/extended in 8366bis), which can be in two 
major formats: JSON and CBOR (in theory, XML too), but can be signed by three 
formats (CMS, JWS, COSE).

That gives us three major variations today:
1) application/voucher-cms+json  aka voucher+json+cms?
2) application/voucher+cose  or? voucher+cbor+cose?
3) application/voucher-jwt+json  aka voucher+json+jwt?

(because CMS signing CBOR seems dumb, as does mixing {JSON,CBOR} X {JWS,COSE})

We didn't know if we should resort to multiple suffixes or not, and the lack of 
apparent progress on this has been a pain.  So, thank you for the decision as 
it takes the options off the table, I guess, even if I'm bit surprised by it.

mnot> The widespread use of +xml and +json in particular made me more
mnot> cautious about deprecating suffixes altogether -- especially since
mnot> we still sort-of believe that they are indeed used by (or at least
mnot> potentially useful to) things like editors to hint syntactic
mnot> conventions.

Also, +gzip makes it pretty clear you can maybe do something with it, if you 
just know how to decompress.

mnot> 1) Disallow more than one "+" sign in media subtypes, as floated at
mnot> the meeting. This would put a fair amount of pressure on the
mnot> registry's ability to reflect reality, depending on how widely
mnot> deployed some things get (although we could grandfather some types
mnot> in to ease the pressure here).

I suggest keeping +gzip and +xml.

mnot> 2) Syntactically allow suffixes before the last one, but not assign
mnot> them any meaning or register them; e.g., application/foo+bar+xml
mnot> would be an XML format, but who knows what bar is; effectively,
mnot> it's just part of "foo+bar". This would allow people to define
mnot> suffix-like things, but wouldn't give them any recognition or
mnot> coordination -- potentially leading to the need to formalise things
mnot> more down the road, just as we did in the first round of suffixes.

It doesn't seem any different than foo-bar+xml to me.

mnot> 3) Consider multiple suffixes, when they occur, to be unrelated
mnot> hints as to the syntax of the format -- i.e., there is no
mnot> processing model, there is no ordering (although a registrant would
mnot> have to choose an order; registrations with different orderings
mnot> should be refused). Effectively, suffixes would just be a 'bag of
mnot> hints' about the format being used.

Not that useful, but I could live with it.

mnot> ### Defining What Suffixes Are For (no matter how many there are)

mnot> After the discussion in Brisbane, I strongly believe that suffixes
mnot> should ONLY be for hinting about the syntax or format convention in
mnot> use, as an aid eg to editors, syntax highlighters, etc. This is the
mnot> proven use case for media type suffixes. Suffixes should not be
mnot> used to hint semantics; only syntax. We should have strong language
mnot> about the dangers of using suffixes to hint particular kinds of
mnot> processing; cf the previous discussion on the 'polyglot problem'
mnot> and the potential security issues around performing processing
mnot> based upon suffixes.

Well, it also helps