Re: [core] [COSE] empty KID values

[Esko Dijk <esko.dijk@iotconsultancy.nl>]

Agree here, the ‘kid’ field includes a hint as to which key to use to verify the COSE object.
If the hint is null, or an empty item, and the receiver isn’t able to use that as a hint, it can try to identify the key in some other way e.g. based on context.
If that’s not possible, then it will just fail the processing.

Specific applications of COSE may pose specific requirements on a ‘kid’ being present and what format it should have. In this case, absence of a proper ‘kid’ value may lead to an error straight away.

Esko


From: core <core-bounces@ietf.org> On Behalf Of Orie Steele
Sent: Tuesday, July 5, 2022 18:29
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org; cose <cose@ietf.org>; core@ietf.org
Subject: Re: [core] [COSE] empty KID values

> Should I treat a null/empty kid as if there were no kid field at all,

IMO Yes.

> and then use some other heuristic to find the right verification key

Or just throw an error, if your use case requires `kid`... or would benefit from requiring it.

I'd avoid offering to do work to process data where the issuer didn't bother doing their job (which is to make your job easier).

Regards,

OS

On Mon, Jul 4, 2022 at 12:29 PM Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca>> wrote:

RFC9254-to-be/yang-cbor says:
   Data nodes implemented using a CBOR array, map, byte string, or text
   string can be instantiated but empty. In this case, they are encoded with
   a length of zero.

When encoding/dealing with the COSE Sign0 in
draft-ietf-anima-constrained-voucher, we have some puzzling about what to do
with:

        kid: null
or:     kid: ""
or:     kid: h''

so, two remarks.  First, the kid: field is in the Sign0 structure, not
actually in the YANG-CBOR, so arguably the above comment does *NOT* apply!

My puzzling is about kid.  Should I treat a null/empty kid as if there were
no kid field at all, and then use some other heuristic to find the right
verification key, or should I treat it as a entry null, which must match
a null/""/h'' entry in a database for the key.
Normally, it might be a hash of a public key, so seeing h'xx..xx' would be
reasonable.

I'm curious what COSE people say.
KID is annoyingly use case specific :-(

--
Michael Richardson <mcr+IETF@sandelman.ca<mailto:mcr%2BIETF@sandelman.ca>>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide




_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

[https://drive.google.com/a/transmute.industries/uc?id=1hbftCJoB5KdeV_kzj4eeyS28V3zS9d9c&export=download]<https://www.transmute.industries/>