anima-wg / constrained-voucher

This is a repo for the IETF Internet Draft about constrained vouchers in CBOR

Use +cwt instead of +cbor in application/voucher-cose+cbor #263

Closed thomas-fossati closed 1 year ago

thomas-fossati commented 1 year ago

In RATS we are registering a +cwt SSS, which you may want to consider for the voucher media type.

E.g., application/voucher+cwt.

For context, see: https://mailarchive.ietf.org/arch/msg/rats/nRIhsD6hruWpB7_lyKemzqJx1zs/

EskoDijk commented 1 year ago

@thomas-fossati Sorry, I don't understand the issue here. Why would a voucher be a CWT? It uses a completely different format.

Maybe I would understand voucher-cbor+cose ;-) It's basically a plain CBOR document that gets wrapped into a COSE signed envelope. So that would mean the outer wrapper (COSE) needs to be behind the + sign right?

thomas-fossati commented 1 year ago

> @thomas-fossati Sorry, I don't understand the issue here. Why would a voucher be a CWT? It uses a completely different format.
>
> Maybe I would understand voucher-cbor+cose ;-) It's basically a plain CBOR document that gets wrapped into a COSE signed envelope. So that would mean the outer wrapper (COSE) needs to be behind the + sign right?

hi Esko!

I am not familiar with the constrained voucher document, I was just reacting to the linked email from MCR.

If I misunderstood Michael's input just chuck this issue in the bin :-)

mcr commented 1 year ago

A constrained voucher is a COSE signed CBOR artifact. That's what a CWT is, I think.

EskoDijk commented 1 year ago

@thomas-fossati Ok, thanks - I didn't know the background. So I think we can close this issue. @mcr Indeed, a COSE-signed CBOR artifact with a particular set of claims inside (see https://www.rfc-editor.org/rfc/rfc8392)

thomas-fossati commented 1 year ago

> @thomas-fossati Ok, thanks - I didn't know the background. So I think we can close this issue. @mcr Indeed, a COSE-signed CBOR artifact with a particular set of claims inside (see https://www.rfc-editor.org/rfc/rfc8392)

Not to insist, but if it's indeed a CWT, then the +cwt SSS would fit like a glove.

mcr commented 1 year ago

> > @thomas-fossati Ok, thanks - I didn't know the background. So I think we can close this issue. @mcr Indeed, a COSE-signed CBOR artifact with a particular set of claims inside (see https://www.rfc-editor.org/rfc/rfc8392)
>
> Not to insist, but if it's indeed a CWT, then the +cwt SSS would fit like a glove.

Vouchers do not use the same registry for claims (there is a YANG-SID process), but it is otherwise identical in form and function.

EskoDijk commented 1 year ago

Indeed, so the main observable form is different: while CWTs use a claim structure per RFC 8392, based on JWT, a Voucher uses a YANG/SID-based structure that looks completely different, e.g. when written in CBOR diagnostic form.

Just as an example, there is a JSON-based voucher (draft-ietf-anima-jws-voucher-06) that uses JWS but is still not a JWT (JSON Web Token). In a similar way a Voucher using CBOR signed with COSE is not a CWT. There's an infinite number of formats possible that all use CBOR encoding with COSE signing.
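The structural difference described in the comment above, as an added example that is not part of the original thread or of the draft: both constructed samples use the same COSE_Sign1 envelope, but one payload is an RFC 8392 claims map and the other a single top-level container in the style of a YANG/SID voucher. The SID 60000, the inner delta keys and the all-zero signature are constructed placeholders, and `payload_shape` is a hypothetical heuristic that does not verify signatures.

```python
# Constructed samples (placeholder SID 60000, all-zero signature); nothing here verifies a signature.
CWT_CLAIMS = {1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "cti"}  # RFC 8392
CWT_SAMPLE = bytes.fromhex("d28443a10126a04aa201636d6672041903e84400000000")
VOUCHER_LIKE = bytes.fromhex("d28443a10126a04ca119ea60a201020b633132334400000000")

def decode(buf, i=0):
    """Decode one definite-length CBOR item; return (value, next_index)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        arg = info
    elif info <= 27:
        n = 1 << (info - 24)  # 1, 2, 4 or 8 following bytes
        arg, i = int.from_bytes(buf[i:i + n], "big"), i + n
    else:
        raise ValueError("indefinite lengths not supported")
    if major in (0, 1):  # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3):  # byte string / text string
        raw = bytes(buf[i:i + arg])
        if len(raw) != arg:
            raise ValueError("truncated string")
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    if major == 4:  # array
        items = []
        for _ in range(arg):
            item, i = decode(buf, i)
            items.append(item)
        return items, i
    if major == 5:  # map
        pairs = {}
        for _ in range(arg):
            key, i = decode(buf, i)
            pairs[key], i = decode(buf, i)
        return pairs, i
    if major == 6:  # tag number ignored, e.g. 18 = COSE_Sign1
        return decode(buf, i)
    raise ValueError("floats/simple values not supported")

def payload_shape(cose_sign1):
    """Heuristic: name the top-level shape of a COSE_Sign1 payload."""
    msg, _ = decode(cose_sign1)
    if not (isinstance(msg, list) and len(msg) == 4 and isinstance(msg[2], bytes)):
        return "not-cose-sign1"
    payload, _ = decode(msg[2])  # payload is CBOR wrapped in a byte string
    if not isinstance(payload, dict):
        return "unknown"
    if len(payload) == 1 and isinstance(next(iter(payload.values())), dict):
        return "yang-sid-container"  # one SID key holding a nested map
    return "cwt-claims-set" if any(k in CWT_CLAIMS for k in payload) else "unknown"
```

The envelope bytes up to the payload are identical in both samples; only the decoded payload distinguishes them, which is the point being argued about what the structured syntax suffix should describe.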

EskoDijk commented 1 year ago

I've created a separate issue: https://github.com/anima-wg/constrained-voucher/issues/264 for the order of names.

EskoDijk commented 1 year ago

Closing this issue; #264 continues with examining if +cose should be used.