Hi Anders,

> On 21. Feb 2022, at 07:17, Anders Rundgren <[email protected]> wrote:
>
> Pardon the cross-posting...
>
> A pretty strange subject line, right? :)
>
> However, there is a reality in the form of constrained devices that in order
> to use COSE must either turn to yucky infinite-length encoding

Indefinite-length encoding (infinite-length encoding would be much harder :-).
No, it’s not yucky; it is there so you can use it if you need it.

> (https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-11#section-8.3.1)
> or create the entire payload in RAM, here assuming that the exact size of the
> payload in bytes is not known in advance.

To sign something you need to reify the signing input. I don’t know why you think COSE is different here. I’m not sure what you mean by “create the entire payload in RAM” — if you mean “at once” that is not the case.

> X.509 certificates (that were created in a time when virtually all devices
> were constrained) do not suffer from these problems due to their reliance on
> deterministic encoding, followed by a separate signature item. A further
> advantage of the X.509 approach compared to COSE/CWT, is that the claims are
> not stuffed in a blob requiring yet another layer of decoding. However,
> compared to ASN.1, CBOR is much more "RAM-friendly" since it doesn't impose a
> byte-length over items enclosed in a map or array. Concatenation is all you
> need!

ASN.1 BER and CBOR have in common that a head precedes the data items controlled by this head. Both have definite-length and indefinite-length encoding variants. In definite-length BER (as used in DER), you need to know the lengths in bytes, so you need complex multi-pass strategies or back patching. In CBOR you don’t need a length in bytes (except for strings); but for CBOR’s definite-length encoding you still need to know the number of enclosed items at the time of generating the head.

> I believe the time has come to seriously look into alternatives to COSE since
> it was "inspired" by JOSE. CBOR <<>> JSON.

COSE was inspired by JOSE, but it avoids most of JOSE’s disadvantages. Either because CBOR already trivially solves them, or by conscious design based on what we learned from the JOSE experience.

Grüße, Carsten

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
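
The difference between the two CBOR map encodings described in the reply above, as an added example (not code from the thread or from any COSE implementation): a definite-length map needs the pair count before its head is written, while an indefinite-length map can be emitted, and hashed, pair by pair. The function names and the two-entry sample map are constructed for illustration.

```python
import hashlib

def head(major, arg):
    """CBOR head: 3-bit major type plus argument (RFC 8949, section 3)."""
    if arg < 24:
        return bytes([major << 5 | arg])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * size):
            return bytes([major << 5 | info]) + arg.to_bytes(size, "big")
    raise ValueError("argument does not fit in 64 bits")

def uint(n):
    return head(0, n)

def tstr(s):
    data = s.encode("utf-8")
    return head(3, len(data)) + data  # strings do carry a byte length

def map_definite(pairs):
    """Definite-length map: the head needs the pair count before any pair is written."""
    pairs = list(pairs)  # the producer must finish (or be counted) first
    out = bytearray(head(5, len(pairs)))
    for key, value in pairs:
        out += uint(key) + tstr(value)
    return bytes(out)

def map_indefinite(pairs, sink):
    """Indefinite-length map: emit 0xbf, each pair as produced, then the 0xff break."""
    sink(b"\xbf")
    for key, value in pairs:
        sink(uint(key) + tstr(value))
    sink(b"\xff")

def claims():
    """Constructed sample: pairs arrive one at a time, count unknown up front."""
    yield 1, "a"
    yield 2, "b"

def collected(pairs):
    """Gather the indefinite-length encoding into one byte string for inspection."""
    chunks = []
    map_indefinite(pairs, chunks.append)
    return b"".join(chunks)

def streamed_digest():
    """Feed the indefinite-length encoding to SHA-256 piece by piece, no full buffer."""
    h = hashlib.sha256()
    map_indefinite(claims(), h.update)
    return h.hexdigest()

if __name__ == "__main__":
    print(map_definite(claims()).hex(), collected(claims()).hex(), streamed_digest())
```

The two encodings are different byte strings for the same map, so a signer and a verifier have to hash the same one.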
