Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleanup: drop #6.500 and #6.502 #339

Open
deeglaze opened this issue Oct 25, 2024 · 3 comments
Open

Cleanup: drop #6.500 and #6.502 #339

deeglaze opened this issue Oct 25, 2024 · 3 comments

Comments

@deeglaze
Copy link
Collaborator

The 500 tag is redundant with 501 and 502. The 502 tag is redundant with the COSE tags since the content-type is the disambiguating piece. It's kind of annoying to get a cose-signed corim that you can't just parse as a cose object because of irrelevant tags.
@nedmsmith
Copy link
Collaborator

I wouldn't drop 500 and 502 since there are other contexts besides COSE/JOSE that carry corim. Rather, it should be possible to use the untagged variant if that makes the most sense.
There may be cases where there isn't a media-type definition for the various possible $concise-rim-type-choice variants, hence having the tagged alternative might be needed.

We discussed doing something like:

corim = tagged-concise-rim-type-choice / $concise-rim-type-choice
$concise-rim-type-choice /= tagged-corim-map
$concise-rim-type-choice /= tagged-signed-corim
$concise-rim-type-choice /= corim-map
$concise-rim-type-choice /= signed-corim

tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice)
tagged-corim-map = #6.501(corim-map)
tagged-signed-corim = #6.502(signed-corim)
signed-corim = #6.18(COSE-Sign1-corim)

COSE-Sign1-corim = [
  protected: bstr .cbor protected-corim-header-map
  unprotected: unprotected-corim-header-map
  payload: bstr .cbor (tagged-corim-map / corim-map)
  signature: bstr
]

COSE payload as: payload: bstr .cbor (tagged-corim-map / corim-map) allows untagged form to be used if media type is supplied and sufficient.

It is unclear if media-types / CFs will have enough specificity to disambiguate the comid "tag" level thereby making the CBOR tags redundant but if so, we could define untagged variants.

$concise-tag-type-choice /= concise-swid-tag
$concise-tag-type-choice /= concise-mid-tag
$concise-tag-type-choice /= concise-bom-tag

$concise-tag-type-choice /= tagged-concise-swid-tag
$concise-tag-type-choice /= tagged-concise-mid-tag
$concise-tag-type-choice /= tagged-concise-bom-tag
tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag)
tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag)
tagged-concise-bom-tag = #6.508(bytes .cbor concise-bom-tag)

@deeglaze
Copy link
Collaborator Author

The extensibility of the $concise-rim-type-choice doesn’t make sense though. It’s signed or unsigned. The signing envelope is cose. I’m not saying to drop 501 for the case where you want to send around an unsigned corim.

@deeglaze
Copy link
Collaborator Author

If you're saying you'd like #6.500 to be an arbitrary "treat my contents as a corim" without any further information, I have a problem with that. You don't learn enough about the value to interpret the contents effectively.

If #6.502 is for signing envelopes that are more ambiguous to CBOR, then I'd like that better explained in the text, including the need to use #6.501 for the payload if there is no concept like a protected header to disambiguate the context of the signature. I'd also like to recommend that #6.502 NOT be used for COSE representations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@deeglaze @nedmsmith