Re: [Anima] [COSE] [Rats] cose+cbor vs cwt in MIME types

[Esko Dijk]

> So you can read the subtype "eat" and then consider it as +cwt, +cose, +cbor, 
> for an example media type of "application/eat+cbor+cose+cwt"

It looks like in your example the order is reversed; given the existing 
examples defined in draft-ietf-mediaman-suffixes-03 Section 2.1?

Let’s assume it is the reverse, namely “application/eat+cwt+cose+cbor”. Then 
following the Section 2.1 examples a parser would go through these steps for 
example:


  *   Do I know “application/eat+cwt+cose+cbor” ? No.
  *   Do I know “+cbor” ? Yes, decode it as CBOR – ok it’s valid, proceed to 
next stage of the processing pipeline.
  *   Do I know “+cose” ? No. Processing stops here.
  *   End result: I’ll render it in CBOR diagnostic notation.

Another parser might do these steps:


  *   Do I know “application/eat+cwt+cose+cbor” ? No.
  *   Do I know “+cbor” ? Yes, decode it as CBOR – it’s valid, proceed to next 
stage of the processing pipeline.
  *   Do I know “+cose” ? Yes, that’s COSE semantics – decode it – it’s valid, 
and although I can’t verify the signature, go to next stage of the processing 
pipeline.
  *   Do I know “+cwt” ? No, stop here.
  *   End result: display it as a COSE object. Do not trust it as I can’t 
verify the signature.

Yet another parser:


  *   Do I know “application/eat+cwt+cose+cbor” ? No.
  *   Do I know “+cbor” ? Yes, decode it as CBOR – it’s valid, proceed to next 
stage of the processing pipeline.
  *   Do I know “+cose” ? Yes, that’s COSE – decode it – it’s valid, go to next 
stage of the processing pipeline.
  *   Do I know “+cwt” ? Yes, that’s a CWT – now checking that the COSE payload 
is correct CBOR with CWT structure inside – okay.
  *   End result: display it as a CWT.


Using the reverse way "application/eat+cbor+cose+cwt" seems not compatible with 
what’s currently written in draft-ietf-mediaman-suffixes-03 about “pipelines”.
For example, suppose a “CWT decoder” gets this media type first, and it then 
sends “eat+cbor+cose” to the next pipeline stage, that wouldn’t make sense 
since the ‘+cbor’ and ‘+cose’ parts were already decoded as part of ‘+cwt’.

For completeness here the example from the draft "image/svg+xml+gzip":

  *   Do I know "image/svg+xml+gzip" ? No.
  *   Do I know “+gzip” ? Yes, I can unzip the data – that works. Send the data 
to the next pipeline stage.
  *   Do I know “+xml” ? Yes, that’s just XML – can display it.
  *   Do I know “svg” ? No.
  *   End result: display the object in my XML viewer.

(Using here "image/svg+gzip+xml" would lead to incorrect results clearly.)

Esko

From: Orie Steele <orie@transmute.industries>
Sent: Tuesday, April 4, 2023 02:09
To: Smith, Ned <ned.sm...@intel.com>
Cc: Laurence Lundblade <l...@island-resort.com>; Esko Dijk 
<esko.d...@iotconsultancy.nl>; Michael Richardson <m...@sandelman.ca>; Thomas 
Fossati <thomas.foss...@arm.com>; Thomas Fossati <tho.i...@gmail.com>; cose 
<c...@ietf.org>; rats <r...@ietf.org>; anima@ietf.org
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

Per the JWT BCP, regarding typ.

https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing

The +jwt suffix goes on the end.

You would need to register +eat as a structured suffix otherwise.

My understanding is that you currently intend to register application/eat as a 
subtype, not a structured suffix (you can do both, see json).

The 116 meeting mentions that while it is the case today that most structured 
suffix are also registered subtypes, this might not be a reliable assumption in 
the future.

The current multiple suffixes draft makes it clear that processing of suffixes 
is right to left (confusing / surprising perhaps).

So you can read the subtype "eat" and then consider it as +cwt, +cose, +cbor, 
for an example media type of "application/eat+cbor+cose+cwt"

As I mentioned before, the multiple suffixes draft might not land... So it 
would be better to avoid multiple plus and follow the conventions from the JWT 
BCP, and avoid registering new or interesting suffixes, given the current 
confusion regarding them.

I'm not saying any of this is correct, just noting what the suffixes draft says 
today, and how it is related to the several +jwt media types that have already 
been registered.

Another interesting case to consider... Data URI of type "eat+jwt+gzip"... 
Since base64 URL encoding can quickly max out QR Codes / NFC or URL limits.

Decompress, verify, parse / validate.

OS


On Mon, Apr 3, 2023, 6:36 PM Smith, Ned 
<ned.sm...@intel.com<mailto:ned.sm...@intel.com>> wrote:
> application/eat+cbor+cose+cwt

EAT is a specialization of a CWT or a JWT. What in eat is encoded before the 
cbor (which encodes the token)?

If the conceptual message is identified by a message wrapper 
draft-ftbs-rats-msg-wrap-02 - RATS Conceptual Messages Wrapper 
(ietf.org)<https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/>, then 
the cbor bytes could be encoded in an cmw array. As in:
`[ “application/cbor+cose+cwt+eat”, bstr ]`

The discussion around cmw hasn’t concluded, but in theory, the array structure 
could be embedded in a conveyance protocol or message that would have some way 
to identify it as a cmw. The cmw I-D doesn’t try to define a media type name 
for `cmw-array`. Hopefully, that isn’t needed. But it is the outer most onion 
skin before talking about conveyance protocol / message framing.

-Ned

From: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Date: Monday, April 3, 2023 at 3:21 PM
To: "Smith, Ned" <ned.sm...@intel.com<mailto:ned.sm...@intel.com>>
Cc: Laurence Lundblade <l...@island-resort.com<mailto:l...@island-resort.com>>, 
Esko Dijk <esko.d...@iotconsultancy.nl<mailto:esko.d...@iotconsultancy.nl>>, 
Michael Richardson <m...@sandelman.ca<mailto:m...@sandelman.ca>>, Thomas 
Fossati <thomas.foss...@arm.com<mailto:thomas.foss...@arm.com>>, Thomas Fossati 
<tho.i...@gmail.com<mailto:tho.i...@gmail.com>>, 
"c...@ietf.org<mailto:c...@ietf.org>" <c...@ietf.org<mailto:c...@ietf.org>>, 
"r...@ietf.org<mailto:r...@ietf.org>" <r...@ietf.org<mailto:r...@ietf.org>>, 
"anima@ietf.org<mailto:anima@ietf.org>" <anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

Inline:

On Mon, Apr 3, 2023 at 3:10 PM Smith, Ned 
<ned.sm...@intel.com<mailto:ned.sm...@intel.com>> wrote:
> there’s no standard for the key material and key identification
The observation is that the COSE block contains a key-id that can be used to 
locate the key material (e.g., I assume key material refers to the public key 
needed to verify the COSE signature given asymmetric crypto). The COSE parser 
(layer) would normally be equipped to handle this sort of thing. If the media 
type was ‘cwt’ the parser would have to support everything in the COSE layer as 
well as what’s in the token part as well. EAT adds additional parsing 
requirements on top of CWT.  Hence, the expression 
“application/cbor+cose+cwt+eat” isn’t unreasonable.

I would expect something more like this (according the current suffixes draft):
application/eat+cbor+cose+cwt

or simply:

application/eat+cwt (since cwt implies cbor + cose)

Closest JWT analogy currently in the registry:

- https://www.iana.org/assignments/media-types/application/at+jwt
- https://www.rfc-editor.org/rfc/rfc9068.html

keep in mind the multiple suffixes is not yet an RFC... if you can avoid 
multiple suffixes, I think it is very wise to do so.

The reason to use multiple suffixes is to signal that there is meaningful 
processing that can be done... for token formats, I feel this is less true than 
json flavors, such as "application/vc+ld+json".

I had a discussion with friends at IETF 116 about "sd+jwt" vs "sd-jwt", related 
to 
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-03.html#name-iana-considerations-24

For example, sd-jwt implies normal jwt processing is not meaningful, whereas 
sd+jwt implies jwt processing is meaningful... There were good arguments on 
both sides.
Given the current state of consensus on multiple suffixes, I would potentially 
avoid taking a dependency on it if possible, sticking to just 1 plus.

Someone could argue that “…+cose+cwt…” doesn’t add anything, as “+cwt” alone 
could infer both. The same is true for “…cbor+eat…”.
But I think there is value in being able to describe a fully qualified 
representation that is the primitive representation after the various inferred 
representations have been computed.

> but that’s about the library, not dispatching some content arriving to a 
> particular application
I think the value is it doesn’t assume monolithic applications. A library or 
processor that is specific to the encoding between the pluses, e.g., “+cose+”, 
can be used in some sort of highly optimized pipeline, rather than presumed to 
be a monolith.

From: Laurence Lundblade <l...@island-resort.com<mailto:l...@island-resort.com>>
Date: Monday, April 3, 2023 at 12:44 PM
To: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Cc: "Smith, Ned" <ned.sm...@intel.com<mailto:ned.sm...@intel.com>>, Esko Dijk 
<esko.d...@iotconsultancy.nl<mailto:esko.d...@iotconsultancy.nl>>, Michael 
Richardson <m...@sandelman.ca<mailto:m...@sandelman.ca>>, Thomas Fossati 
<thomas.foss...@arm.com<mailto:thomas.foss...@arm.com>>, Thomas Fossati 
<tho.i...@gmail.com<mailto:tho.i...@gmail.com>>, 
"c...@ietf.org<mailto:c...@ietf.org>" <c...@ietf.org<mailto:c...@ietf.org>>, 
"r...@ietf.org<mailto:r...@ietf.org>" <r...@ietf.org<mailto:r...@ietf.org>>, 
"anima@ietf.org<mailto:anima@ietf.org>" <anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

I’m not sure identifying something as COSE, or even CWT is that useful because 
there’s no standard for the key material and key identification that cuts 
across all uses of COSE or CWT.

For example with EAT the receiver probably will need an endorsement (a very 
specific thing with very specific semantics) with a public key to be able to 
process the CWT/COSE. If COSE is used for encrypted email (a future S/MIME), 
the key material identification will probably be really different. It’s hard 
for me to see what a generic COSE/CWT handler is going to do here. It’s good 
and well if an EAT processor uses the same COSE library as an S/MIME processor, 
but that’s about the library, not dispatching some content arriving to a 
particular application.

No objection to the work here. Just some observations.

LL



On Apr 3, 2023, at 11:14 AM, Orie Steele 
<orie@transmute.industries<mailto:orie@transmute.industries>> wrote:

Yes! That seems to have been one proposal, related to cleaning up the registry 
and clarifying interpretation.

If you have strong opinions on this, please help contribute to the dialog on 
this media types list:

https://mailarchive.ietf.org/arch/msg/media-types/qO72m31whV5QZmV6kj55KDqS8n8/

Regards,

OS

On Mon, Apr 3, 2023 at 1:12 PM Smith, Ned 
<ned.sm...@intel.com<mailto:ned.sm...@intel.com>> wrote:
Interesting!
It would be nice if I-D.ietf-mediaman-suffixes could define a backward 
compatibility convention that shows how existing / registered media-type-names 
can co-exist with I-D.ietf-mediaman-suffixes.


From: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Date: Monday, April 3, 2023 at 10:47 AM
To: "Smith, Ned" <ned.sm...@intel.com<mailto:ned.sm...@intel.com>>
Cc: Esko Dijk 
<esko.d...@iotconsultancy.nl<mailto:esko.d...@iotconsultancy.nl>>, Michael 
Richardson <m...@sandelman.ca<mailto:m...@sandelman.ca>>, Thomas Fossati 
<thomas.foss...@arm.com<mailto:thomas.foss...@arm.com>>, Thomas Fossati 
<tho.i...@gmail.com<mailto:tho.i...@gmail.com>>, 
"c...@ietf.org<mailto:c...@ietf.org>" <c...@ietf.org<mailto:c...@ietf.org>>, 
"r...@ietf.org<mailto:r...@ietf.org>" <r...@ietf.org<mailto:r...@ietf.org>>, 
"anima@ietf.org<mailto:anima@ietf.org>" <anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

At IETF 116 this draft was discussed:

- 
https://datatracker.ietf.org/doc/draft-ietf-mediaman-suffixes<https://datatracker.ietf.org/doc/draft-ietf-mediaman-suffixes/>
- https://youtu.be/BrP1upACJ0c?t=1744

TLDR; there is work in progress to define multiple suffixes, and how they are 
interpreted.

This would be relevant to potential future +cwt media types, it is already 
causing us some concern with respect to special cases of +jwt.

Regards,

OS

On Mon, Apr 3, 2023 at 12:28 PM Smith, Ned 
<ned.sm...@intel.com<mailto:ned.sm...@intel.com>> wrote:
It seems the early registrations focused on encoding formats for content to the 
right of the "+" like '+xml', '+json', '+cbor', '+der', while later 
registrations seem to include schema formats like '+jwt', '+sqlite3', and 
'+tlv'.

It would have been nice if the registry defined the right side for encoding 
formats and let the left side contain content / schema formats IMHO. That way, 
the parsers could scan for the "+" to identify if it supports the encoding 
format as a first pass operation. If it can't decode the first byte, then 
there's no point in going further.

If it can decode, then the first byte/bytes may provide insight into what 
content is there. For example, a CBOR tagged structure. But additionally, the 
left hand side identifies schemas. Given many data structures can be integrity 
protected, signed, and encrypted. Supplying a value that describes a 
cryptographic enveloping schema / format seems like a reasonable requirement 
for the '-label' to the immediate left of the plus, e.g., "-cose+cbor".
The data within the cryptographic envelope may follow a well-defined schema 
such as the RATS ar4si. E.g., "ar4si-cose+cbor". I don't see a problem with 
omitting the cryptographic envelope label if no envelope is provided. E.g., 
"ar4si-+cbor".

JWT and CWT are both an envelope and a data model schema, so the cryptographic 
envelope could be inferred. But it wouldn't be incorrect to restate the obvious 
for the benefit of the parsers who only care about cryptographic wrapper 
processing. E.g., "jwt-jose+json" is still a reasonable way to encode 'jwt'.

If there are content schemas that are to the left of some other content schema, 
then that can be accommodate easily by prepending another 'label-'. E.g., 
"ar4si-jwt-jose+json".

This approach allows an initial parser / message router to get a view of all 
the parsers needed to fully inspect the message in advance of making an initial 
message routing decision which would enable efficient parser offload 
architectures. There could be different registries for the different types of 
structure "+label" for encoding formats only, "-label" to the immediate left of 
"+" for cryptographic enveloping, and application formats for the next left 
most content.

To make processing even more efficient, the content-type-name should reverse 
the order based on outer-most format. E.g., "json+jose-jwt-ar4si". This way 
buffer only needs to contain the first bytes up to the '+' and so forth.

I realize this goes beyond the initial focus of the discussion thread. But IETF 
is also concerned about the long-term future of the Internet and in optimizing 
wherever it makes sense. Content typing is just a form of deep packet 
inspection that goes beyond network framing.

Cheers,
Ned

On 4/3/23, 12:33 AM, "RATS on behalf of Esko Dijk" 
<rats-boun...@ietf.org<mailto:rats-boun...@ietf.org> 
<mailto:rats-boun...@ietf.org<mailto:rats-boun...@ietf.org>> on behalf 
ofesko.d...@iotconsultancy.nl<mailto:esko.d...@iotconsultancy.nl> 
<mailto:esko.d...@iotconsultancy.nl<mailto:esko.d...@iotconsultancy.nl>>> wrote:


Hi,


As for the questions mentioned on these slides:


1. "Is is '-cose+cbor' or '-cbor+cose'


The registry 
https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml<https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml>
 lists the subtypes that one have after the '+' sign.
'cbor' is there but 'cose' is not. 'cwt' is also not there.


So for the moment, registering a 'mytype+cose' or 'voucher+cose' or 
'voucher-cbor+cose' is not possible now unless you would also register the 
'+cose' as a subtype. RFC 9052 did not choose to register the subtype '+cose', 
for whatever reason.


Luckily because COSE is just "plain CBOR" itself , we can use the subtype 
'+cbor'. So having "voucher-cose+cbor" would be fine. Also "voucher+cbor" would 
be equally ok albeit a little bit less informative that it contains COSE.




2. "are they sufficiently different" (this is about 
application/voucher-cose+cbor and application/eat+cwt formats)


The voucher is not a CWT format, e.g. it does not use the standardized CWT 
claims at all. It defines an own format within the constraints of YANG CBOR, 
while CWT does not use any YANG semantics.


(Now converting the constrained Voucher format into a CWT based format would 
certainly be possible; but that's probably not the discussion intended by these 
slides.)


Regards
Esko


PS more detailed info at
https://github.com/anima-wg/constrained-voucher/issues/264 
<https://github.com/anima-wg/constrained-voucher/issues/264>
https://github.com/anima-wg/constrained-voucher/issues/263 
<https://github.com/anima-wg/constrained-voucher/issues/263>


-----Original Message-----
From: Anima <anima-boun...@ietf.org<mailto:anima-boun...@ietf.org> 
<mailto:anima-boun...@ietf.org<mailto:anima-boun...@ietf.org>>> On Behalf Of 
Michael Richardson
Sent: Monday, March 27, 2023 01:19
To: Thomas Fossati <thomas.foss...@arm.com<mailto:thomas.foss...@arm.com> 
<mailto:thomas.foss...@arm.com<mailto:thomas.foss...@arm.com>>>; Thomas Fossati 
<tho.i...@gmail.com<mailto:tho.i...@gmail.com><mailto:tho.i...@gmail.com<mailto:tho.i...@gmail.com>>>;
 c...@ietf.org<mailto:c...@ietf.org> 
<mailto:c...@ietf.org<mailto:c...@ietf.org>>; 
r...@ietf.org<mailto:r...@ietf.org> 
<mailto:r...@ietf.org<mailto:r...@ietf.org>>; 
anima@ietf.org<mailto:anima@ietf.org><mailto:anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [Anima] [Rats] cose+cbor vs cwt in MIME types


Michael Richardson <mcr+i...@sandelman.ca<mailto:mcr%2bi...@sandelman.ca> 
<mailto:mcr+i...@sandelman.ca<mailto:mcr%2bi...@sandelman.ca>>> wrote:
> COSE CHAIRS: can we have 5 minutes for this discussion?
> I guess I can make two slides tomorrow and get Thomas to co-author them.


I guess we didn't get any time at COSE.


https://github.com/anima-wg/voucher/blob/main/presentations/ietf116-cose-mime-cwt.pdf
 
<https://github.com/anima-wg/voucher/blob/main/presentations/ietf116-cose-mime-cwt.pdf>


_______________________________________________
Anima mailing list
Anima@ietf.org<mailto:Anima@ietf.org> 
<mailto:Anima@ietf.org<mailto:Anima@ietf.org>>
https://www.ietf.org/mailman/listinfo/anima 
<https://www.ietf.org/mailman/listinfo/anima>


_______________________________________________
RATS mailing list
r...@ietf.org<mailto:r...@ietf.org> <mailto:r...@ietf.org<mailto:r...@ietf.org>>
https://www.ietf.org/mailman/listinfo/rats 
<https://www.ietf.org/mailman/listinfo/rats>



_______________________________________________
COSE mailing list
c...@ietf.org<mailto:c...@ietf.org>
https://www.ietf.org/mailman/listinfo/cose


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

Error! Filename not specified.<https://www.transmute.industries/>


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries/>

Error! Filename not specified.<https://www.transmute.industries/>
_______________________________________________
COSE mailing list
c...@ietf.org<mailto:c...@ietf.org>
https://www.ietf.org/mailman/listinfo/cose



--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

<https://www.transmute.industries/>

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima