Determine if CBOR map key sort order setting should be updated because RFC 9052 obsoleted RFC 8152

[fxamacker]

I used cbor.SortCanonical setting in mozilla-services/go-cose before RFC 8949 (CBOR) and RFC 9052 (COSE) were published. More recently,

• RFC 8949 (CBOR) obsoleted RFC 7049 (CBOR).
• RFC 9052 (COSE) obsoleted RFC 8152 (COSE).

RFC 8152 required Canonical encoding from RFC 7049, which uses length-first sort order for map keys.

RFC 9052 specifies, "The new encoding restrictions are aligned with the Core Deterministic Encoding Requirement" from RFC 8949. Additionally, the narrowed down requirements in RFC 9052 doesn't mention the old length-first sort order.

RFC 8949 specifies Core Deterministic Encoding Requirements with a newer sort order for map keys (bytewise lexicographic order of deterministic encoding).

RFC 8949 refers to the length-first-ordered version of "Canonical CBOR" specified in RFC 7049 as "Old Canonical CBOR".

Given this, go-cose can:

• Use the newer sort order defined in RFC 8949 (CBOR) for Core Deterministic Encoding Requirements, or
• Continue using length-first sort order from obsoleted RFC 7049, or
• Maybe not sort map keys (for faster encoding speed at the cost of deterministic encoding).

For example, go-cose can specify cbor.SortCoreDeterministic here for map keys:

https://github.com/veraison/go-cose/blob/ac30917645090cb2fa087cbf785d01df9c7a5292/cbor.go#L30-L33

Just wanted to provide some context (not a recommendation to choose a specific sort).

[qmuntal]

Thanks for the heads up @fxamacker. I don't recall having discussed this topic with the go-cose team, we should take a conscious decision before cutting a new release.

[cabo]

COSE does not rely on deterministic (was: canonical) encoding for maps. So moving to RFC 8949's deterministic encoding should not make a difference. Or not deterministically encoding, for that matter. You do need to keep to deterministic encoding for length encoding, but any reasonable CBOR library does that already.

[fxamacker]

I agree with Carsten about COSE requirements for encoding maps. :+1:

There are 3 choices and a tradeoff as mentioned in the issue. Since deterministic encoding can simplify testing, fuzzing, and troubleshooting, it would be helpful to know if the cost of sorting map keys, etc. outweighs those benefits for go-cose.

[yogeshbdeshpande]

@qmuntal: @shizhMSFT We agreed to change the Encode Option to cbor.SortCoreDeterministic @qmuntal to modify and test the change!