IETF Logo Mail Archive

Re: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06

John Mattsson <john.mattsson@ericsson.com> Tue, 26 November 2019 10:18 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87952120891 for <cose@ietfa.amsl.com>; Tue, 26 Nov 2019 02:18:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i0x4PJVMah9v for <cose@ietfa.amsl.com>; Tue, 26 Nov 2019 02:18:45 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20074.outbound.protection.outlook.com [40.107.2.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C52E12085E for <cose@ietf.org>; Tue, 26 Nov 2019 02:18:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eCzK2KoGIwttwCpEnS4IUVsZm04J4qO1Y7JajAR7wdUUPVo/+3HZdLwUxlZoCbBOWXHyOHlLX45gqciQ8YhvgUl7KfVGP91vcIYr0F3FeCqtEe0NVoaOg/EmcQdfgX/T3zqpzJ4HHmmBwGqssfcU5G7CYiMZv+/ga1qbX2ATeMDezPmYevZF44lYBFiP8dzypDfAqeonlz3G8029tdYE7slYkwJyQbOs/mDXOjMqx1Ww39bFaxu6xSogDj63fekBjt8PEwGvPkBO2QiguZR8gnRA3aUkNMHl3Uuxm4QTI1wJBBPHY9U7mH0CtwrI5II6Y8jKzrknjnP8YVikFQoH9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1vxdESEG1cygCKYP9DXG7AMp4hiZa6R7fAW3a1HKyaA=; b=UUW8O9lq5ZmesJKID0vHt/ter2VnP7WsMXEjN5EUS2iQd9bhbsS9JT5KzB6SVAVM3o+hnM3fJ6q2T0ugyXkRITxFRxgviM6glyV4MWxh8NFsfrdgml7RkHbD2NBmqTKJbNxwGfgQhJqMFNJ2mYKcUmtjv0wQvExKoNsQgvUT1ET3CTRz3TXqVlXVnmyQFXAXvgzIyyLQFdivjj9zymHboeHnSerKaXOUET2prk3BDPu/za5sDoGaIxCKx4NDHaYmfEg3HimJfWyoOL3aUDyzaXsPHyW//sp+KNRiq2XLocNDD11R5wla/6CBB5ImCbsrv5ls9/O+9KFLc1AsBpUAlQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1vxdESEG1cygCKYP9DXG7AMp4hiZa6R7fAW3a1HKyaA=; b=Ssk0q3OBgnXJsxzxjRyo4eIutxW+pruG+ix+8HfGgNYzMmqD/zrKb9Z+edF5W3tewzrjZYpV5hpoNFgWIqUzle29IplI+5VJnxwnThCJMtdg2/6Ncr4NpwTDMg2vNLZ+azrhwhPkl7VuTy2ZCDjX2Lbi0/ueUG1xwDGbOBBti9s=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3418.eurprd07.prod.outlook.com (10.170.247.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.10; Tue, 26 Nov 2019 10:18:42 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::21e5:eaae:99ed:41ac]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::21e5:eaae:99ed:41ac%3]) with mapi id 15.20.2495.014; Tue, 26 Nov 2019 10:18:42 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Carsten Bormann' <cabo@tzi.org>
CC: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06
Thread-Index: AQHVoLrS7Dy1+bemvUCJEOEpTfhbd6eWN64AgAAvQoCABu4dgA==
Date: Tue, 26 Nov 2019 10:18:42 +0000
Message-ID: <CEB5F5B8-8ABF-4A35-ACBA-3406D0221174@ericsson.com>
References: <E1082983-0F56-47BA-A548-7920F8AEDD95@ericsson.com> <83C79D72-5CA0-41D8-ABE8-A9321FD9BA50@tzi.org> <03cd01d5a0d4$353f7600$9fbe6200$@augustcellars.com>
In-Reply-To: <03cd01d5a0d4$353f7600$9fbe6200$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [192.176.1.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3553ebda-95cb-46b3-27ad-08d7725a0363
x-ms-traffictypediagnostic: HE1PR07MB3418:
x-microsoft-antispam-prvs: <HE1PR07MB34188F22994A92DA4EBB401F89450@HE1PR07MB3418.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(346002)(39860400002)(376002)(366004)(136003)(189003)(199004)(13464003)(3846002)(66446008)(8676002)(6116002)(2906002)(8936002)(81166006)(81156014)(305945005)(86362001)(33656002)(7736002)(6512007)(6306002)(6486002)(229853002)(6246003)(25786009)(478600001)(91956017)(71190400001)(76116006)(6436002)(256004)(966005)(4326008)(66476007)(102836004)(26005)(14454004)(446003)(64756008)(66066001)(11346002)(2616005)(58126008)(36756003)(66556008)(76176011)(53546011)(99286004)(6506007)(44832011)(66946007)(110136005)(316002)(71200400001)(5660300002)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3418; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9SGn9wgjpJTijZUNOMS+/PNK8OwAQpeW/W4MpZFuckjY151hWYeU6YVOboPoumn5LD3cs3wbQQ9u3wP1iTvthGYFGOcQNffXb1djAIlFNl/8hzgs+QsCq02TGqIp9RxVFrUJqIsxBkAxRYe7D2au84Q187waf73d0H5Z2p7DuSei+e4IbhAeF3KVbC6d5RImA/6goPN/IGf8V1VAJ3iM8D6nt5Qixc4SQrE+VZsbSLhoIYju/7zYo1yJSNIfe24bpyIh0YPSTt+vlGv+0V7QU3oCQv2xx3vKU3ydzw6PrJ5Zm+ZhqLyVu8FTtNqG1XxLzK1F9dH1ph1pqpaEWZaTcnRz1SdXkJlH43xzEt9MDQ5N6/xOopbP+POBxE4pwyaosRjPcJC38qtWcS2ZCc1y2OqWUY05cYoI7ULWUKqRd9KWr9xwsMMd5SnxNVNtJZ9sW6A4O88rG4OlndnaYsN+xEyxZjbxemyb1K/rJYo9ccM=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <3C8F85D71ED1EF47A33A03BDA17F10EF@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3553ebda-95cb-46b3-27ad-08d7725a0363
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Nov 2019 10:18:42.4987 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: b4r8p93BTPRWSQh3h+XPA16YI6/f7C71DHxgw2DOkZkF2+oLPbXFJkwXilMBb6XvNVqmIzi83YaAHbUV16LEv0/R4kIVeKi14tNeqkyAJ4s=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3418
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/0m6GnOIH7exAQJh4oHSUdogSOqs>
Subject: Re: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 10:18:47 -0000

“third party verifiability” would be good. In the current text, I do not understand what the four "data origination"/"weak data origination" sentences want to say except “third party verifiability” "and data authentication". 

   "Message Authentication Codes (MACs) provide data authentication and
   integrity protection.  They provide either no or very limited data
   origination.  A MAC, for example, cannot be used to prove the
   identity of the sender to a third party."

    "They provide
     integrity on the data that was encrypted; however, they provide
     either no or very limited data origination.  (One cannot, for
     example, be used to prove the identity of the sender to a third
     party.)  The ability to provide data origination is linked to how the
     CEK is obtained."

   "The use of key wrap loses the
     weak data origination that is provided by the direct encryption
     algorithms."

   "The use of static keys allows for the
     recipient to get a weak version of data origination for the
     message."

/John

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Date: Friday, 22 November 2019 at 02:29
To: 'Carsten Bormann' <cabo@tzi.org>, John Mattsson <john.mattsson@ericsson.com>
Cc: "cose@ietf.org" <cose@ietf.org>
Subject: RE: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06

    
    
    -----Original Message-----
    From: COSE <cose-bounces@ietf.org> On Behalf Of Carsten Bormann
    Sent: Friday, November 22, 2019 6:40 AM
    To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
    Cc: cose@ietf.org
    Subject: Re: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06
    
    On Nov 22, 2019, at 06:27, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
    > 
    > Could we replace "data origination" with "non-repudiation"?
    
    Preferably not.
    [JLS]  No really, really not.
    
    If you want the thing that often is identified incorrectly by the latter, please use a more precise term such as “third party verifiability”.  Non-repudation is a legal term.
    [JLS] Non-repudiation is not a legal term.  Repudiation is a legal term.  There is no such thing as non-repudiation, just a legal argument that you can or cannot repudiate something.   I repudiate this signature because Carsten was holding a gun to my head when I made it.  That is a repudiate argument and not the reverse.  Non-repudiation originally had some really weird ideas around having a technological way of proving things like:  It was proven that the key was in my possession. It was proven that only I could have made the signature.  I knew what I was signing a the time.   That is things that cannot be shown.
    
    Jim
    
    
    Provenance is often a term used for the former.
    
    BTW, the text might be easier to read when constructs such as “bistro”, oops, “bstr”, are replaced by “byte string” outside of the CDDL (where byte strings are indeed called “buster”, oops, “bstr”, or also simply “bytes”).  In the previous sentence, for demonstration, I left in the autocorrects as they actually happened :-)
    
    Grüße, Carsten
    
    _______________________________________________
    COSE mailing list
    COSE@ietf.org
    https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email