what to check when assigning new CoAP C-Fs based on application/cmw

[thomas-fossati]

Response attempt at @cabo's question: "How do application/cmw+cbor with cmwc_t parameters get Content format numbers?"

[deeglaze]

The intermediate node types for composite CMWs are not tagged. If we want to allow reflection on the CoAP content-format ID that is assigned, then we should add that specifically to the intermediate node type, and that only compound CMWs are allowed to be tagged this way.

When assigning a new CoAP Content-Format ID for a CMW media type that utilizes the cmwc_t parameter, the registrar must check (directly or through the Designated Expert) that:

Are you asking for specifically a CoAP Content-Format application/cmw+cbor;cmwc_t=<x> (or contains other permutations of parameter assignments) follow this? Does the contained compound cmw not require representation of the __cmwc_t key at that point? Also application/cmw+cbor without a parameter may still contain the key, yes?

Side note: is the cmw claim expected to be used instead of the measurements claim containing a CMW?

[thomas-fossati]

The intermediate node types for composite CMWs are not tagged. If we want to allow reflection on the CoAP content-format ID that is assigned, then we should add that specifically to the intermediate node type, and that only compound CMWs are allowed to be tagged this way.

Can you illustrate this with an example?

When assigning a new CoAP Content-Format ID for a CMW media type that utilizes the cmwc_t parameter, the registrar must check (directly or through the Designated Expert) that:

Are you asking for specifically a CoAP Content-Format application/cmw+cbor;cmwc_t=<x> [...] follow this?

Yes, the scope of this is purely collections which are explicitly typed.

(or contains other permutations of parameter assignments)

There are no other possible permutations because application/cmw+cbor and application/cmw+json only allow one parameter.

Does the contained compound cmw not require representation of the __cmwc_t key at that point?

Yes - although that's irrelevant from the C-F registrar's point of view.

Also application/cmw+cbor without a parameter may still contain the key, yes?

Yes - ditto.

Side note: is the cmw claim expected to be used instead of the measurements claim containing a CMW?

Yes.

[deeglaze]

The intermediate node types for composite CMWs are not tagged. If we want to allow reflection on the CoAP content-format ID that is assigned, then we should add that specifically to the intermediate node type, and that only compound CMWs are allowed to be tagged this way.

Can you illustrate this with an example?

It may be easier to bring back the application/cmw-collection+cbor Content-Type to account for this flip-flopping.

We have to separate the top level CMW from any intermediate CMW to ensure that we don't have boundless recursion of CoAP format ID tags for application/cmw+cbor. Let tbd be the assigned CoAP format ID for application/cmw+cbor without a parameter.

start = cmw / cbor-tagged-cbor<tbd, cmw>

Next we say that a leaf node may not use a CoAP format ID for a CMW itself. That's reserved for an intermediate node.

The two leaf node types are:

* A CMW using a CBOR or JSON record ([Section 3.1](https://ietf-rats-wg.github.io/draft-ietf-rats-msg-wrap/draft-ietf-rats-msg-wrap.html#type-n-val));

* A CMW based on CBOR tags ([Section 3.2](https://ietf-rats-wg.github.io/draft-ietf-rats-msg-wrap/draft-ietf-rats-msg-wrap.html#cbor-tag)) for non-CMW CoAP format ID.

We can allow for a CoAP format ID tag to name a collection that is either all in json (to not have to tunnel all leaves), or to make the cmwc_t more concise.

cbor-collection = #6.166854????(cddl-for-text-encoding-of-json-collection) / cbor-tagged-cbor<166854????, cbor-cmw-collection-map> / cbor-cmw-collection-map
cbor-cmw-collection-map = {
  ? "__cmwc_t": ~uri / oid
  + &(label: (int / text)) => cbor-cmw / j2c-tunnel
}

I don't know how to say that the wrapped type is a tstr that parses as JSON matching json-collection, since there's no .json directive the way there's a .cbor directive. Caaaaarl!

[thomas-fossati]

[...] to ensure that we don't have boundless recursion of CoAP format ID tags for application/cmw+cbor

Is this a problem in practice?

[deeglaze]

[...] to ensure that we don't have boundless recursion of CoAP format ID tags for application/cmw+cbor

Is this a problem in practice?

Never underestimate the failure modes of system integrations. If we want to recognize the tree structure under the tagged collection type, it should be clear that you only have to go through one tag to get to the map.

[thomas-fossati]

OK, so here's an example JSON collection with a plain-old CMW leaf, a tunnelled CMW CBOR collection and a JSON sub-collection:

collection
 │ media type: application/cmw+json; cmwc_t="tag:ietf.org,2024:X"
 │ value: N/A
 │ collection type: tag:ietf.org,2024:X
 │ collection key: N/A
 │
 ├── leaf node
 │   │ media type: application/eat-ucs+cbor
 │   │ value: b64u(0xa10a...)
 │   │ collection type: N/A
 │   │ collection key: "bretwaldadom"
 │
 ├── collection
 │   │ media type: application/cmw+json; cmwc_t="tag:ietf.org,2024:Y"
 │   │ value: N/A
 │   │ collection type: tag:ietf.org,2024:Y
 │   │ collection key: "murmurless"
 │   │
 │   └── leaf node
 │       │ media type: application/eat-ucs+json
 │       │ value: b64u({"eat_nonce": ...})
 │       │ collection type: N/A
 │       │ collection key: "polyscopic"
 │
 └── tunnel node
     │ type: #c2j-tunnel
     │ value: b64u(0xa1008219...)
     │ collection type: N/A
     │ collection key: "photelectrograph"

It's not impossible that a real composite device would produce something similar to this.

Could you tell me where you think the type system breaks? (Feel free to tweak it to illustrate your case.)

(I could create a very similar CBOR collection if needed.)

[thomas-fossati]

We may also consider requiring that content coding is "identity". This would make it safer - avoiding e.g., decompression-related attacks.

[cabo]

Requiring for what? C-f registrations with content codings need to be possible.

[thomas-fossati]

C-f registrations with content codings need to be possible.

Sure, in general. But we may decide that RATS-related payloads have this restriction.