[Ace] Review of draft-ietf-ace-mqtt-tls-profile-06

[Jim Schaad]

Section 2.2.3 - /Clean Start to 0/Clean Start to 0, specify the previous
session number/  - I think it should be stated that the session number is
provided, which is what the state is associated with.

Section 2.2.4 - Last sentence.  There is a difference between the connect
and re-auth flows in that the first and last messages are going to be AUTH
'25', AUTH '0' not CONNECT/CONNACK.  Everything else does stay the same. -
Might just want to say a similar flow and point forward.

Section 2.2.6.1 - I am not sure where you got this from: "Note that this is
different in MQTT v5.0, the Broker is allowed to process AUTH packets even
if the Broker rejects the CONNECT)."  I think that if the broker rejects the
connect it must CONNACK and disconnect.  

Section 3.1 - Missed a case of "publish_+/topic3"

Jim


___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] [COSE] Gap in registration of application/cwt?

[Jim Schaad]

 

 

From: Laurence Lundblade  
Sent: Saturday, August 15, 2020 10:58 AM
To: Jim Schaad 
Cc: cose ; Ace Wg 
Subject: Re: [Ace] [COSE] Gap in registration of application/cwt?

 

 





On Aug 14, 2020, at 3:35 PM, Jim Schaad mailto:i...@augustcellars.com> > wrote:

 

 

 

From: Laurence Lundblade mailto:l...@island-resort.com> > 
Sent: Friday, August 14, 2020 1:59 PM
To: Jim Schaad mailto:i...@augustcellars.com> >
Cc: Ace Wg mailto:ace@ietf.org> >; cose mailto:c...@ietf.org> >
Subject: Re: [COSE] Gap in registration of application/cwt?

 

Here’s a series of scenarios that I think are legal CWT. These are allowed by 
RFC 8392, right?

 

1) Explicitly tagged, no external type info needed

- Has CWT tag

- Has COSE type tag

[JLS] Yes

 

2) CWT identification by label, COSE type tagged

- The CWT is a CBOR data item with a label. The definition of the label says 
the contents of the label are always CWT

- No CWT tag necessary as it is implied by the label

- Has a COSE type tag

[JLS] Yes, the label could be internal to the CBOR object or external such as 
an media-type

 

I was being very specific with the term label, meaning a label/key identifying 
an item in a CBOR map.





 

3) CWT and COSE by label

- The CWT is an item with a label. The definition of the label says the 
contents of the label are always CWT and of a specific COSE type

- No tags necessary

[JLS] Yes that would be fine

 

4) Application/CWT identifies content as CWT, tagging for COSE type

- No CWT tag

- Has a COSE tag

[JLS] This is the same as 2?  I don’t think that it would be restricted to just 
that media type.

 

You mean there could be other media types that also identify the content as CWT?

[JLS] Yes this could be done in the future.   One would normally expect this to 
be an application specific profile, but funny things happen.

 

5) Application/CWT identifies content as CWT

- Has CWT tag even though it is redundant 

- Has a COSE tag

[JLS] Yes

 

Additionally, one might interpret CBORbis 4.2.2 to say the the CWT tag should 
not be present.

[JLS] For deterministic encoding, but not  for general encoding.

 

6) Application/CWT; cose-type=COSE_Sign1 (or Mac0 or …)

- No tags are used

- Identification is completely by the MIME type header

- (I understand that the cose-type MIME parameter is not defined, but it could 
be. 8392 doesn’t forbid it)

[JLS] Yes you could do that, and as I stated in a previous mail this is not a 
good idea for the CoAP world.

 

7) A protocol like FIDO identifies a protocol element that is an attention type 
the type of which is CWT with COSE_Sign1

- No tags are used

[JLS] yes

 

8) A protocol like FIDO identifies a protocol element that is an attention type 
the type of which is CWT; the COSE type is determined by tag

- No CWT tag

- Has a COSE tag

[JLS] yes

 

The one thing you can’t do is have a CWT tag without a COSE type tag. 8392 
section 6 forbids this.

 

[JLS] There however is a set of nested cases that you might need to look at.  
That is 6.CWT ( COSE_Encrypt_Tagged ( COSE_Sign ))  You would also need to 
think about the requirements for nested COSE layers.

 

All but the most outer COSE type are always identified by a tag, per 7.1 step 5 
and 7.2 step 6, right?

[JLS] Yes I guess that is true.  I think my code is more generous that this in 
terms of what is accepted.

Jim

 

 

LL

 





 

Jim

 

 

LL

 

 

 

 






On Aug 11, 2020, at 12:20 PM, Laurence Lundblade mailto:l...@island-resort.com> > wrote:

 

 






On Aug 10, 2020, at 5:49 PM, Jim Schaad mailto:i...@augustcellars.com> > wrote:

 

This is all based on my understanding that the surrounding protocol for must 
specify exactly when CBOR tags are to be used and when they are not to be used 
and that the surrounding protocol must not leave it as an optional 
implementation choice. In this case application/cwt is the supporting protocol.

 

[JLS] What is the text that says that this is true.  This would be a surprising 
statement for me.

 

Here’s three things that lead me to this.

 

CBORbis

The sentence of the first paragraph in 4.2.2 
  very 
clearly states this, though this is only for deterministic encoding.

 

Typical CDDL

Most CDDL that describes tagged data describes it only as tagged or untagged, 
not as optionally tagged.  COSE is one example of this. 

 

Email threads

This thread 

  and this thread 

 .

 

I summarized this behavior in this email 
  and 
no where in the rest of the thread was it indicated differently.

 

So, it is not a hard requirement because 4.2.2 is only for deterministic 
encoding, but seems like a “should" in spirit. It is the preferred way to 

Re: [Ace] [COSE] Gap in registration of application/cwt?

[Laurence Lundblade]

> On Aug 14, 2020, at 3:35 PM, Jim Schaad  wrote:
> 
>  
>  
> From: Laurence Lundblade  > 
> Sent: Friday, August 14, 2020 1:59 PM
> To: Jim Schaad mailto:i...@augustcellars.com>>
> Cc: Ace Wg mailto:ace@ietf.org>>; cose  >
> Subject: Re: [COSE] Gap in registration of application/cwt?
>  
> Here’s a series of scenarios that I think are legal CWT. These are allowed by 
> RFC 8392, right?
>  
> 1) Explicitly tagged, no external type info needed
> - Has CWT tag
> - Has COSE type tag
> [JLS] Yes
>  
> 2) CWT identification by label, COSE type tagged
> - The CWT is a CBOR data item with a label. The definition of the label says 
> the contents of the label are always CWT
> - No CWT tag necessary as it is implied by the label
> - Has a COSE type tag
> [JLS] Yes, the label could be internal to the CBOR object or external such as 
> an media-type

I was being very specific with the term label, meaning a label/key identifying 
an item in a CBOR map.

>  
> 3) CWT and COSE by label
> - The CWT is an item with a label. The definition of the label says the 
> contents of the label are always CWT and of a specific COSE type
> - No tags necessary
> [JLS] Yes that would be fine
>  
> 4) Application/CWT identifies content as CWT, tagging for COSE type
> - No CWT tag
> - Has a COSE tag
> [JLS] This is the same as 2?  I don’t think that it would be restricted to 
> just that media type.

You mean there could be other media types that also identify the content as CWT?

>  
> 5) Application/CWT identifies content as CWT
> - Has CWT tag even though it is redundant 
> - Has a COSE tag
> [JLS] Yes

Additionally, one might interpret CBORbis 4.2.2 to say the the CWT tag should 
not be present.

>  
> 6) Application/CWT; cose-type=COSE_Sign1 (or Mac0 or …)
> - No tags are used
> - Identification is completely by the MIME type header
> - (I understand that the cose-type MIME parameter is not defined, but it 
> could be. 8392 doesn’t forbid it)
> [JLS] Yes you could do that, and as I stated in a previous mail this is not a 
> good idea for the CoAP world.
>  
> 7) A protocol like FIDO identifies a protocol element that is an attention 
> type the type of which is CWT with COSE_Sign1
> - No tags are used
> [JLS] yes
>  
> 8) A protocol like FIDO identifies a protocol element that is an attention 
> type the type of which is CWT; the COSE type is determined by tag
> - No CWT tag
> - Has a COSE tag
> [JLS] yes
>  
> The one thing you can’t do is have a CWT tag without a COSE type tag. 8392 
> section 6 forbids this.
>  
> [JLS] There however is a set of nested cases that you might need to look at.  
> That is 6.CWT ( COSE_Encrypt_Tagged ( COSE_Sign ))  You would also need to 
> think about the requirements for nested COSE layers.

All but the most outer COSE type are always identified by a tag, per 7.1 step 5 
and 7.2 step 6, right?

LL


>  
> Jim
>  
>  
> LL
>  
>  
>  
>  
> 
> 
>> On Aug 11, 2020, at 12:20 PM, Laurence Lundblade > > wrote:
>>  
>>  
>> 
>> 
>>> On Aug 10, 2020, at 5:49 PM, Jim Schaad >> > wrote:
>>>  
>>> This is all based on my understanding that the surrounding protocol for 
>>> must specify exactly when CBOR tags are to be used and when they are not to 
>>> be used and that the surrounding protocol must not leave it as an optional 
>>> implementation choice. In this case application/cwt is the supporting 
>>> protocol.
>>>  
>>> [JLS] What is the text that says that this is true.  This would be a 
>>> surprising statement for me.
>> 
>>  
>> Here’s three things that lead me to this.
>>  
>>> CBORbis
>>> The sentence of the first paragraph in 4.2.2 
>>>  very 
>>> clearly states this, though this is only for deterministic encoding.
>>>  
>>> Typical CDDL
>>> Most CDDL that describes tagged data describes it only as tagged or 
>>> untagged, not as optionally tagged.  COSE is one example of this. 
>>>  
>>> Email threads
>>> This thread 
>>> 
>>>  and this thread 
>>> .
>>>  
>>> I summarized this behavior in this email 
>>>  
>>> and no where in the rest of the thread was it indicated differently.
>>>  
>> So, it is not a hard requirement because 4.2.2 is only for deterministic 
>> encoding, but seems like a “should" in spirit. It is the preferred way to 
>> design a CBOR protocol.
>>  
>> However you slice it, I think it is up to the surrounding protocol to say 
>> whether a tag is always required, never required or optionally required. If 
>> the protocol doesn’t say, then it defaults to optionally required.
>>  
>> Defaulting or explicitly allowing optional tagging means the receiver has to