[COSE] Review draft-ietf-cose-webauthn-algorithms-02.txt

Jim Schaad <ietf@augustcellars.com> Tue, 29 October 2019 19:39 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: cose@ietf.org
Date: Tue, 29 Oct 2019 12:39:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/0S95gJYb5wuKt3PFX8zOw7bR5AQ>

1.  The document needs to have a short title added to it.

2.  Abstract - The text "FIDO Alliance FIDO2 Client to Authenticator
Protocol" needs to get cleaned up.  It is not clear to me if FIDO2 is
supposed to be an abbreviation of the previous FIDO Alliance or not.  Flip
the sentence to use "from" or insert "specification" earlier.

3.  Section 1 - I am not sure why you are using the term "related" rather
than "the" in this section.  This seems to be different than the abstract in
that feature.  "Related" makes me think that it is something that is different
but similar in this case.

4.  While I guess it is reasonable to have the description of why things are
not recommended in the security considerations, I myself would not really
think of them as such.  However, not having a pointer from section 2 to that
information seems harsh, as we are saying they are not recommended without
having a pointer to the discussion.

5.  I have problems with the following text: "Implementation of this
algorithm is RECOMMENDED because of its widespread use in decentralized
systems and those that chose it over the NIST curves."  Firstly, this is an
incorrect use of the RFC 2119 language; this is not a protocol statement.
Secondly, this is not what the recommended column in table 2 means and thus
is trying to overload that column with something that is not real.  Third,
the fact that people chose this over the NIST curves is not necessarily a
reason for the IETF to recommend its implementation.

6.  I still want to see in the text the reasoning behind not just using the
current ECDSA algorithm in COSE.

7.  Add text on checking that the point is on the curve to section 5.4.
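Added example (not part of the review or the draft): the point-on-curve check that item 7 asks section 5.4 to describe, applied to a decoded COSE_Key map for secp256k1. The curve parameters are the public SEC 2 values and the COSE_Key labels (kty, crv, x, y) are those of RFC 8152; EXPECTED_CRV is an assumed registry value, since the page does not state the label the draft assigns.

```python
# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(P)
P = 2**256 - 2**32 - 977
A, B = 0, 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

# Assumed "COSE Elliptic Curves" label for secp256k1 (the value later
# assigned by RFC 8812); the draft text quoted on this page does not give it.
EXPECTED_CRV = 8
COORD_LEN = 32  # field elements of a 256-bit curve are 32-byte big-endian


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) is an affine point of secp256k1.

    Both coordinates must be reduced field elements and satisfy the curve
    equation. The point at infinity has no affine encoding, so it never
    passes. secp256k1 has cofactor 1, so every curve point lies in the
    prime-order subgroup and no separate order check is required."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_secp256k1_cose_key(key: dict) -> tuple[bool, str]:
    """Validate a decoded COSE_Key map before using it for ES256K verification.

    Labels: 1 = kty (2 is EC2), -1 = crv, -2 = x, -3 = y.
    Compressed keys (boolean y) are rejected here for simplicity."""
    if key.get(1) != 2:
        return False, "kty is not EC2"
    if key.get(-1) != EXPECTED_CRV:
        return False, "crv is not secp256k1"
    x_b, y_b = key.get(-2), key.get(-3)
    if not (isinstance(x_b, bytes) and isinstance(y_b, bytes)):
        return False, "x and y must be byte strings"
    if len(x_b) != COORD_LEN or len(y_b) != COORD_LEN:
        return False, "x and y must each be exactly 32 bytes"
    x, y = int.from_bytes(x_b, "big"), int.from_bytes(y_b, "big")
    if not is_on_curve(x, y):
        return False, "point is not on secp256k1"
    return True, "ok"


def sample_key(x: int, y: int) -> dict:
    """Constructed COSE_Key map for the given coordinates (test input only)."""
    return {1: 2, -1: EXPECTED_CRV, -2: x.to_bytes(32, "big"), -3: y.to_bytes(32, "big")}
```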

-----Original Message-----
From: COSE <cose-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Thursday, October 24, 2019 2:35 PM
To: i-d-announce@ietf.org
Cc: cose@ietf.org
Subject: [COSE] I-D Action: draft-ietf-cose-webauthn-algorithms-02.txt


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the CBOR Object Signing and Encryption WG of
the IETF.

        Title           : COSE and JOSE Registrations for WebAuthn Algorithms
        Author          : Michael B. Jones
        Filename        : draft-ietf-cose-webauthn-algorithms-02.txt
        Pages           : 13
        Date            : 2019-10-24

Abstract:
   The W3C Web Authentication (WebAuthn) specification and the FIDO
   Alliance FIDO2 Client to Authenticator Protocol (CTAP) specification
   use CBOR Object Signing and Encryption (COSE) algorithm identifiers.
   This specification registers the following algorithms in the IANA
   "COSE Algorithms" registry, which are used by WebAuthn and CTAP
   implementations: RSASSA-PKCS1-v1_5 using SHA-256, SHA-384, SHA-512,
   and SHA-1, and ECDSA using the secp256k1 curve and SHA-256.  It
   registers the secp256k1 elliptic curve in the IANA "COSE Elliptic
   Curves" registry.  Also, for use with JSON Object Signing and
   Encryption (JOSE), it registers the algorithm ECDSA using the
   secp256k1 curve and SHA-256 in the IANA "JSON Web Signature and
   Encryption Algorithms" registry and the secp256k1 elliptic curve in
   the IANA "JSON Web Key Elliptic Curve" registry.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-cose-webauthn-algorithms/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-02
https://datatracker.ietf.org/doc/html/draft-ietf-cose-webauthn-algorithms-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-cose-webauthn-algorithms-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose