On 01/06/2019 02:51, Jim Schaad wrote:
I would argue that the first draft using such a media type would be the right place to specify it. However I'm not sure using JSON is the right approach for an ACE specification at all, aren't we supposed to cater for the constrained world?Ludwig,I have been doing some adaptions of my codebase for dealing with the MQTT specification. In the process of this, I have identified the following items that I think needs some discussion. They may not need changes in any documents and maybe should get a new document. 1. The MQTT document is using the content type "application/json" over HTTPS for transporting messages. Does there need to be an "application/ace+json" defined as a media type, but not necessarily a CBOR media type? I think the answer may be yes, but it could be a new document.
What is there to prevent us from transporting CBOR over HTTP?
2. If I use a "COSE_Key" confirmation method inside of an application/ace+json message, there is a potential problem and it could be dealt with in a number of different ways. * The JWT confirmation method is identified as "jwk". The COSE key must be translated into JOSE even if there is no equivalent key in JOSE. I.e. that is a fatal error * This does not make sense and the confirmation method should be changed to "cwk" so that either key format could be used in either encoding.
If we use JSON messages mixing in COSE becomes awkward. If the use case calls for JSON, I'd argue it should also use RFC7800 instead of draft-ietf-ace-cwt-proof-of-possession.
3. If the confirmation is changed, you would need to convert the COSE key to a binary string, base64 encoded it and pass as a string when occurring in a JSON encoding. There is not any other valid way to do this (except see above of just converting the key format). However, the opposite of putting a JOSE key into a COSE confirmation has three different options that could be used. * Encode the JOSE key to a string and pass as a string * Encode the JOSE key top level map as CBOR but leave all of the elements alone. * Encode the JOSE key in CBOR including conversion of base64 strings to binary data. (My first preference is probably the second option, but either of the first two make sense.) Jim
I'm still unsure that there is a good use case for transporting JOSE keys in CBOR, but if such a case turns up, I would agree that touching the encoding as little as possible is a good idea (=option 1 or 2).
/Ludwig -- Ludwig Seitz, PhD Security Lab, RISE Phone +46(0)70-349 92 51
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
