{ I found Jim's very interesting email very hard to read without good
quoting, I'm repeating the important part }

    henk> 2.) go to ACE and ask for an "unsigned token" option, or

Jim Schaad <i...@augustcellars.com> wrote:
    jls> I don't have a problem with this, I am not sure that I see any
    jls> reason for it however.  See below.

    henk> 3.) go to CBOR and ask for a tag for "naked" CWT Claim Sets (i.e.,
    henk> that are not signed).

    jls> I don't see any difference between this and option #2

    jls> 4.) Just write your CWT code in a sensible manner.

    jls> My CWT code base does not make any assumptions about the number or
    jls> order of COSE security wrapping layers on a token.  It thus looks
    jls> like

    jls> while (true) {
    jls>   if input has a COSE_Encrypt tag { decrypt it; set input to the
    jls>     content; save the encryption information if needed e.g. shared key
    jls>     authentication; continue; }
    jls>   if input has a COSE_MAC tag { validate it; set input to the content;
    jls>     save the MAC information if needed e.g. shared key authentication; continue; }
    jls>   if input has a COSE_Signature tag { validate it; set input to the
    jls>     content; save the signer information; continue }
    jls>   if input is a map - return input as the set of claims;
    jls>   throw an exception because it is not the correct format.
    jls> }

    jls> This does not require a tag for a naked set of claims and would
    jls> allow that set of claims to be passed in the same place as a CWT can
    jls> be passed.  What you are suggesting would require extra code to
    jls> exist someplace that is going to check for an additional tag.

    jls> IT IS
    jls> ALSO GOING TO LEAD TO PEOPLE THINKING THAT THIS NEW TAG SHOULD BE
    jls> LEGAL TO PLACE INSIDE OF A CWT.  After all it makes more sense to
    jls> always include it than to just sometimes include it.

Emphasis mine.
So your suggestion is to do nothing.
I also wondered why that wouldn't work, but I hadn't written enough code to
ask the question intelligently.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
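The layer-agnostic unwrapping loop Jim sketches above, written out as an added Python example (not code from the thread or from either author's CWT library). It assumes a small Tagged class as a stand-in for CBOR tagged values and repr() as a stand-in for CBOR encoding, implements only the COSE_Mac0 layer (HMAC-SHA256) to stay short, and additionally returns the list of layers traversed so a caller can refuse naked claims where policy requires a verified wrapper.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Real CBOR tag numbers from RFC 8152 (COSE) and RFC 8392 (CWT).
TAG_CWT, TAG_ENCRYPT0, TAG_MAC0, TAG_SIGN1 = 61, 16, 17, 18


@dataclass
class Tagged:
    """Assumption: stand-in for a CBOR tagged value, since no CBOR library is used here."""
    tag: int
    value: object


def _mac_input(payload) -> bytes:
    # Assumption: repr() stands in for the canonical CBOR MAC_structure encoding.
    return repr(payload).encode()


def mac0_create(key: bytes, payload) -> Tagged:
    """Wrap payload in a COSE_Mac0-like array [protected, unprotected, payload, tag]."""
    digest = hmac.new(key, _mac_input(payload), hashlib.sha256).digest()
    return Tagged(TAG_MAC0, [b"", {}, payload, digest])


def unwrap_claims(token, key: bytes):
    """Peel COSE layers in any number or order until a bare claims map appears.

    Returns (claims, layers) where layers records each validated wrapper, so the
    caller can decide whether a naked map (layers == []) is acceptable.
    """
    layers = []
    while True:
        if isinstance(token, Tagged) and token.tag == TAG_CWT:  # optional outer CWT tag
            token = token.value
            continue
        if isinstance(token, Tagged) and token.tag == TAG_MAC0:
            _protected, _unprotected, payload, tag = token.value
            expected = hmac.new(key, _mac_input(payload), hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("COSE_Mac0 validation failed")
            layers.append("mac0")
            token = payload
            continue
        if isinstance(token, dict):
            return token, layers
        raise ValueError("not a CWT: unexpected structure %r" % (token,))


def claims_requiring_mac(token, key: bytes):
    """Policy on top of the loop: accept only tokens that passed through a verified MAC."""
    claims, layers = unwrap_claims(token, key)
    if "mac0" not in layers:
        raise ValueError("token carried no verified MAC layer")
    return claims
```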


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
