Use CWT Claims in Headers #108
Conversation
OR13
requested review from
henkbirkholz,
ad-l,
fournet and
yogeshbdeshpande
as code owners
|
This PR also aligns with the terminology used in W3C, where:
W3C requires additional structure for the identifiers of issuers and subjects, they need to be https://www.w3.org/TR/json-ld11/#node-identifiers JOSE and COSE do not restrict I don't see why we would invent a new label for the "identifier which the statements are in relation to", when we already have |
|
The reason to have a new label is to avoid conflating it with something it isn't. Or at least something that it only imperfectly reflects. As a trusted service implementor interested in making strong and clear assertions about completeness and non-equivocation over a series of statements, what do I do if I also see 'exp' or 'iat' in the context of 'iss' and 'sub' ? When I read a standard, from the perspective of a TS implementor again, that mentions just iss, and sub do I get to assume that I will never deal with those ? If those are not permitted how is this actually a CWT ? These things possibly have answers but I don't think my confusion will be an isolated one. What I would really like to see for feed id is wording like this: I believe that permits issuers and relying parties full flexibility of expression in the context of a very clearly articulated series of statements. In otherwords, if we use 'sub' but define it that way, I don't see how it really is anything to do with 8392. And this would imply the restoration of DID. So we continue to have both |
Signed statements are not CWTs, unless the payload content type is a CBOR map that uses registered claim names. You can use CWT Claims in headers for payload that are xml files, this was discussed on the related draft, in the mailing list discussion I linked.
The only reason not to use |
Ok, in that case, what is the TS expected to do ? I mean, it seems to force the TS to take account of the content type when before it did not ? |
The TS has a registration policy that answers this question. content type has always been a parameter the TS might use to deny a registration, for example, my TS might accept XML SBOMs and reject JSON ones, or vice versa. Regardless of how you structure the info in a protected header, the registration policy and the architecture document have to make this clear. It seems easier to make it clear, by reusing other specs, that provide context for implementers. |
|
Aligning with existing specs is 💯 part of the SCITT Charter.
This covers a few things we've discussed, such as:
The thing I'd like to test with this discussion is whether two or more parties can make statements about the same artifact.
As a consumer, ACME Rockets can
ACME Rockets (the consumer) can choose to trust the statements because they trust the independent identities making statements. Which endpoints they query is up to them. They could equally choose to NOT trust Coyote Security, (because who trusts the Coyote), or because they're not tailored to the unique needs Cosmic Security addresses. Can |
|
Ok, so I think I understand where this PR is trying to go. With respect I just don't agree with what I understand of its intent :-) Is there something you can’t achieve where the CWT is just binary encoded in the feed id ? Provided everyone agrees the envelope feed id is an opaque string nobody needs to refer to the combination of other standards and specific reg policies to get base line confidence over the context for a series of statements. I beleive having any structure in the feed id will gaurantee divergent and incompatible combinations of TS, issuer, series-of-statements. In particular, regarding the re-use of 'sub', I base this assertion on significant practical exposure to iss/sub in the context of identity providers & JWT's. If we go the structured road we will lose the opportunity to define a single universal means to identify a complete series of statements in the envelope of the statement. With a single property, defined as an opaque byte string, I believe we will get a simplicity that is enabling rather than limiting: On top of that base, richer interpretations can be built for TS's and issuers that wish to be mutualy content aware. And all TS implementations can guarantee a base level of utility before considering added value. Yet consumers of those same feeds, regardless of origin, will still enjoy the base line ability to correlate the series of statements and demonstrate completeness and so on.
Speaking as a prospective implementor I feel the opposite.
Provided that its value is opaque to the TS for the purposes of defining the complete series, yes I believe so. And very much think this is a good thing to aim for. That is my stall set out as clearly as I can make it :-) |
|
I left some comments in #104 related to this. tl;dr: I agree with @robinbryce that a Obviously, any tag can be reused to mean anything you like. We can declare that Do I understand that the intention is to not put |
|
Fixes #11 |
Co-authored-by: Steve Lasker <[email protected]>
Co-authored-by: Steve Lasker <[email protected]>
Co-authored-by: Henk Birkholz <[email protected]>
| ; TBD, Labels are temporary | ||
| 391 => tstr ; DID of Issuer | ||
| 392 => tstr ; Feed | ||
| 393 => Reg_Info ; Registration Policy info |
There was a problem hiding this comment.
why is 393 still in, when there is 13 in?
This PR shows that feed is redundant to CWT Claims in headers.
If this approach gains consensus we won't need to register special tags in the protected header, and can instead use the RFC that allows this to happen.
For context, see this discussion from the list:
https://mailarchive.ietf.org/arch/msg/cose/KNRge3vxXF3A2LY24DNo6ZQxrNc/