Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop top level tagging requirement #337

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

deeglaze
Copy link
Collaborator

Tagged type choices are not typical.
I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up.

This patch drops

  • the need to tag the type choice
  • the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing.
  • the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag.

Addresses Issue #333, but 500 removal is TBD.

@nedmsmith
Copy link
Collaborator

nedmsmith commented Oct 23, 2024

This PR probably should have some examples that tests the new functionality.

The section "Concise Reference Integrity Manifest (CoRIM)" may need to be updated to describe the possibility for unsigned payloads.

@deeglaze deeglaze force-pushed the topleveltag branch 2 times, most recently from 00f2fe3 to 74cd2da Compare October 25, 2024 03:36
@deeglaze
Copy link
Collaborator Author

Added a small change to the section about the specific #6.501 tag.

@thomas-fossati
Copy link
Collaborator

Note that this PR would allow four different tags (500, 501, 502, 18) instead of one (500) to represent a top-level CoRIM.

@deeglaze
Copy link
Collaborator Author

Note that this PR would allow four different tags (500, 501, 502, 18) instead of one (500) to represent a top-level CoRIM.

I think this is the pattern for CBOR though. There’s no single top level tag for COSE objects either.

500 and 502 are for theoretical encoding options that I don’t understand the justification for either.

@thomas-fossati
Copy link
Collaborator

Note that this PR would allow four different tags (500, 501, 502, 18) instead of one (500) to represent a top-level CoRIM.

I think this is the pattern for CBOR though. There’s no single top level tag for COSE objects either.

500 and 502 are for theoretical encoding options that I don’t understand the justification for either.

In fact, I'd drop 500 for sure, and may also be convinced to drop 502 if offered one or two pints of Guinness :-)

@nedmsmith
Copy link
Collaborator

Would the proposed solution allow both 500(signed-corim) and 502(signed-corim)? Would that be confusing?

corim = (tagged-concise-rim-type-choice / concise-rim-type-choice)
tagged-concise-rim-type-choice = #6.500(concise-rim-type-choice)
tagged-signed-corim = #6.502(signed-corim)
concise-rim-type-choice /= tagged-corim-map
concise-rim-type-choice /= tagged-signed-corim
concise-rim-type-choice /= signed-corim
tagged-corim-map = #6.501(corim-map)
tagged-signed-corim = #6.502(signed-corim)
signed-corim = #6.18(COSE-Sign1-corim)
COSE-Sign1-corim = [
  protected: bstr .cbor protected-corim-header-map
  unprotected: unprotected-corim-header-map
  payload: bstr .cbor (tagged-corim-map / corim-map)
  signature: bstr
]

If #6.500 is dropped then wouldn't corim be defined as:

corim = concise-rim-type-choice
concise-rim-type-choice /= #6.501(corim-map)
concise-rim-type-choice /= #6.502(signed-corim)

If 502 is used, then the cose payload would use corim-map instead of tagged-corim-map?

@deeglaze
Copy link
Collaborator Author

deeglaze commented Oct 30, 2024

We can say 502 is for signing envelopes that don't have their own CBOR tag or need further disambiguation.

500 is generally a confusing representation choice, so I think we've lost that one..
I can be convinced to have the payload always be 501-tagged for simplicity, it'll just invalidate cocli-signed CoRIMs. That's fine.

@thomas-fossati
Copy link
Collaborator

We can say 502 is for signing envelopes that don't have their own CBOR tag or need further disambiguation.

500 is generally a confusing representation choice, so I think we've lost that one.. I can be convinced to have the payload always be 501-tagged for simplicity, it'll just invalidate cocli-signed CoRIMs. That's fine.

The easiest, and most consistent, would be to always require 501 (even when found in 502) and 502.

@deeglaze
Copy link
Collaborator Author

Am I to understand that the MUST language in sec-corim-signed is not intended, and 502 is an anything-goes tag so long as the protected payload is a 501-tagged CBOR-encoded corim-map?

@thomas-fossati
Copy link
Collaborator

Am I to understand that the MUST language in sec-corim-signed is not intended,

Which MUST-language are you referring to?

and 502 is an anything-goes tag so long as the protected payload is a 501-tagged CBOR-encoded corim-map?

Not sure, but at the moment we seem to have an inconsistency between CDDL and prose. In S4.2 we say: "payload: A CBOR encoded tagged CoRIM.", whilst the CDDL allows a "naked" corim-map alongside the tagged one. Besides, "CoRIM" should be "corim-map".

@yogeshbdeshpande
Copy link
Collaborator

It was concluded in CoRIM Meeting 30th october to drop tag for #6.500 and propose the same change in TCG.

Also remove type extensibility from top level $concise-rim-type-choice, i.e. make it
only: concise-rim-type-choice

@deeglaze
Copy link
Collaborator Author

We should return to this when the DICE errata has been accepted to remove the top level tags as well.

tagged-corim-map = #6.501(corim-map)
tagged-signed-corim = #6.502(signed-corim)
tagged-signed-corim = #6.502($signed-corim)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we've agreed to drop the extensibility of the signing format.

@@ -259,7 +259,7 @@ For more detail, see {{sec-corim-profile-types}}.

A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents.
When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer.
Alternatively, CoRIM can be encoded as a CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel.
Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Drop 500, 502, deprecate 501 but allow it for the TCG spec conformance.

We change the IANA request to have a single content type, application/rim+cbor.

Tagged type choices are not typical.
I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up.

This patch drops

the need to tag the type choice
the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing.
the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag.
Addresses Issue ietf-rats-wg#333, but 500 removal is TBD.
@deeglaze
Copy link
Collaborator Author

Discussed in our meeting that we're going with 1 content type and dropping 500 and 502.

CI doesn't have envsubst or openssl tools.
@deeglaze
Copy link
Collaborator Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants