Drop top level tagging requirement #337
Conversation
Tagged type choices are not typical. I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up. This patch drops * the need to tag the type choice * the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing. * the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag. Addresses Issue ietf-rats-wg#333, but 500 removal is TBD. Signed-off-by: Dionna Glaze <[email protected]>
Fixed PR so that it builds.
|
This PR probably should have some examples that tests the new functionality. The section "Concise Reference Integrity Manifest (CoRIM)" may need to be updated to describe the possibility for unsigned payloads. |
deeglaze
force-pushed
the
topleveltag
branch
2 times, most recently
from
00f2fe3 to
74cd2da
Compare
|
Added a small change to the section about the specific #6.501 tag. |
|
Note that this PR would allow four different tags (500, 501, 502, 18) instead of one (500) to represent a top-level CoRIM. |
I think this is the pattern for CBOR though. There’s no single top level tag for COSE objects either. 500 and 502 are for theoretical encoding options that I don’t understand the justification for either. |
In fact, I'd drop 500 for sure, and may also be convinced to drop 502 if offered one or two pints of Guinness :-) |
|
Would the proposed solution allow both If #6.500 is dropped then wouldn't corim be defined as: If 502 is used, then the cose payload would use |
|
We can say 502 is for signing envelopes that don't have their own CBOR tag or need further disambiguation. 500 is generally a confusing representation choice, so I think we've lost that one.. |
The easiest, and most consistent, would be to always require 501 (even when found in 502) and 502. |
|
Am I to understand that the MUST language in sec-corim-signed is not intended, and 502 is an anything-goes tag so long as the protected payload is a 501-tagged CBOR-encoded corim-map? |
Which MUST-language are you referring to?
Not sure, but at the moment we seem to have an inconsistency between CDDL and prose. In S4.2 we say: "payload: A CBOR encoded tagged CoRIM.", whilst the CDDL allows a "naked" |
|
It was concluded in CoRIM Meeting 30th october to drop tag for #6.500 and propose the same change in TCG. Also remove type extensibility from top level $concise-rim-type-choice, i.e. make it |
|
We should return to this when the DICE errata has been accepted to remove the top level tags as well. |
cddl/cbor-tags.txt
Outdated
| tagged-corim-map = #6.501(corim-map) | ||
| tagged-signed-corim = #6.502(signed-corim) | ||
| tagged-signed-corim = #6.502($signed-corim) |
There was a problem hiding this comment.
I think we've agreed to drop the extensibility of the signing format.
| @@ -259,7 +259,7 @@ For more detail, see {{sec-corim-profile-types}}. | |||
|
|
|||
| A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. | |||
| When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. | |||
| Alternatively, CoRIM can be encoded as a CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. | |||
| Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. | |||
There was a problem hiding this comment.
TODO: Drop 500, 502, deprecate 501 but allow it for the TCG spec conformance.
We change the IANA request to have a single content type, application/rim+cbor.
There was a problem hiding this comment.
TODO: Drop 500, 502, deprecate 501 but allow it for the TCG spec conformance.
We change the IANA request to have a single content type, application/rim+cbor.
IIUC, the gist of the proposed way forward is:
| media type | CBOR tag | data item |
|---|---|---|
application/rim+cbor |
501 | tagged-corim-map |
application/rim+cbor |
18 | signed-corim |
This looks asymmetrical because in the case of 18, absent a media type indication from the transport/wrapping channel, the parser needs to unpack the potential signed-corim, unpack the protected header, fetch the content-type element value, and make sure it's application/rim+cbor.
I suggest instead (as I did in #337 (comment)) to keep both 501 and 502.
There was a problem hiding this comment.
The media type for signed-corim would be application/cose. The unprotected header for the payload's media type would be application/rim+cbor.
Tagged type choices are not typical. I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up. This patch drops the need to tag the type choice the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing. the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag. Addresses Issue ietf-rats-wg#333, but 500 removal is TBD.
deeglaze
force-pushed
the
topleveltag
branch
from
7f35ed6 to
ae65445
Compare
|
Discussed in our meeting that we're going with 1 content type and dropping 500 and 502. |
CI doesn't have envsubst or openssl tools.
|
@nedmsmith @henkbirkholz @thomas-fossati @yogeshbdeshpande @andrew-draper please take a look. |
| # Commented since CI doesn't have openssl | ||
| #examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag | ||
| # payload="$$(cat examples/payload-corim-4.diag)" \ | ||
| # protected="$$(cat examples/protected-header-map.diag)" \ | ||
| # envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag | ||
|
|
||
| #examples/testkey.pem: | ||
| # openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem | ||
|
|
||
| #examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem | ||
| # openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor | ||
|
|
||
| #examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag | ||
| # payload="$$(cat examples/payload-corim-4.diag)" \ | ||
| # protected="$$(cat examples/protected-header-map.diag)" \ | ||
| # signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ | ||
| # envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag | ||
|
|
There was a problem hiding this comment.
This bit is important: we need complete, signed examples too.
Please make this conditional instead.
I suggest adding a check for the openssl CLI in cddl/tools.mk and then a corresponding ifeq ($(strip $(openssl)),) here.
(You probably need a check for envsubst too.)
Besides, add the autogenerated files to the CLEANFILES variable.
PS: maybe this is worth a separate PR.
cddl/cbor-tags.txt
Outdated
| @@ -16,3 +14,4 @@ tagged-cert-thumbprint-type = #6.559(digest) | |||
| tagged-bytes = #6.560(bytes) | |||
| tagged-cert-path-thumbprint-type = #6.561(digest) | |||
| tagged-pkix-asn1der-cert-type = #6.562(bstr) | |||
| tagged-integral-predicate= #6.563(integral-predicate) | |||
There was a problem hiding this comment.
This looks spurious.
cddl/examples/corim-4.diag
Outdated
| / protected / << / header_map / { | ||
| / alg: / 1 : -35, | ||
| / content-type: / 3 : "application/rim+cbor", | ||
| / corim-meta: / 8 : << / corim-meta / { | ||
| / signer: / 0 : / corim-signer-map / { | ||
| / signer: / 0 : "ACME Ltd." | ||
| } | ||
| } >>, | ||
| / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919' | ||
| } >>, |
There was a problem hiding this comment.
Indentation needs some care
cddl/examples/payload-corim-4.diag
Outdated
| @@ -0,0 +1,46 @@ | |||
| 501(/ corim-map / { | |||
There was a problem hiding this comment.
send the corim-map to L2
Also, ts=2 et
There was a problem hiding this comment.
I don't understand your second comment. ts=2?
|
|
||
| Subtype name: | ||
| : `corim-unsigned+cbor` | ||
| : `rim+cbor` |
There was a problem hiding this comment.
Two observations:
- The registration is now invalid: we cannot just drop all the registration template fields except the subtype name;
- Let's call it
corimrather thanrim- we don't want to create confusion with TCG's "Reference Integrity Manifest (RIM)."
There was a problem hiding this comment.
I didn't see that application/rim+cbor was taken. What made it invalid?
There was a problem hiding this comment.
Let's call it
corimrather thanrim- we don't want to create confusion with TCG's "Reference Integrity Manifest (RIM)."
There are a variety of TCG specs that refer to themselves as "rim", but I don't believe any have registered media types. The DICE Endorsement Architecture spec (that defines corim) includes "application/rim+cbor" which is published (but didn't yet request a media type - this could be done immediately if necessary).
TCG regards the published spec as having priority over subsequent specs. But it really comes down to what's registered by IANA.
Pragmatically, should the TCG corim and the IETF corim have different media types. For any given release of the specs one spec may be a subset of the other's functionality (due to processing idiosyncrasies). Can they both have the same media type name? Conversely, when the specs are aligned, but they have different media type names - is that desirable?
Note that TCG DICE Endorsement appendices are not normative. The normative expressions are cddl-like (but not cddl). The intent was the I-D would make the cddl normative. If there are separate media types for each, then that seems to say the TCG should create normative cddl.
Readd trailing whitespace.
Change 4 spaces to \t
Tagged type choices are not typical.
I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up.
This patch drops
Addresses Issue #333, but 500 removal is TBD.