Re: [COSE] AD review draft-ietf-cose-key-thumbprint-04

Michael Jones <michael_b_jones@hotmail.com> Wed, 13 March 2024 02:09 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "isobekohei@gmail.com" <isobekohei@gmail.com>, Orie Steele <orie@transmute.industries>
CC: cose <cose@ietf.org>
Date: Wed, 13 Mar 2024 02:09:13 +0000
Message-ID: <SJ0PR02MB743949D686AFD7FFFB196F8CB72A2@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CAGL5yWagJmTUg++Otm9tzkSTRP995n6L3z8abVRuhkuMjbV=kg@mail.gmail.com>
In-Reply-To: <CAGL5yWagJmTUg++Otm9tzkSTRP995n6L3z8abVRuhkuMjbV=kg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/1DZisG2B4Czj8fFtE0BEVMAgV44>
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>

I agree with both comments.  Authors, can you please publish an updated draft when the submission window reopens?

Thanks,
-- Mike
________________________________
From: COSE <cose-bounces@ietf.org> on behalf of Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Sent: Tuesday, March 12, 2024 6:59:43 PM
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>; isobekohei@gmail.com <isobekohei@gmail.com>; Orie Steele <orie@transmute.industries>
Cc: cose <cose@ietf.org>
Subject: [COSE] AD review draft-ietf-cose-key-thumbprint-04

Thanks for the short clear document.

I only have two comments, which can be addressed as part of the IETF LC.

In the Security Considerations:

        To promote interoperability among implementations, the SHA-256
        hash algorithm is mandatory to implement.

This really belongs somewhere in the main specification document,
and not in the Security Considerations. Someone should be able to
implement the spec without reading the Security Considerations.

        Using thumbprints with passwords (i.e. low-entropy secrets)
        is dangerous and MUST be avoided.

"MUST be avoided" is an odd expression and leaves some wiggle room.
("it was unavoidable, so I did it anyway"). Can it not more plainly say
"Thumbprints MUST NOT be used with passwords" ?

Paul
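As an added illustration of Paul's second comment, not part of the thread and not the draft's or any COSE library's own code: the block below computes a COSE Key Thumbprint following the construction as I read it in draft-ietf-cose-key-thumbprint (keep only the required members of the COSE_Key, encode them as a deterministic CBOR map per RFC 8949 Section 4.2.1, hash the bytes with SHA-256, the mandatory-to-implement algorithm), then shows why a thumbprint over a password-derived symmetric key is dangerous: the thumbprint is an unsalted, unstretched hash of the secret itself, so anyone who holds it can test guesses offline at one SHA-256 per guess. The CBOR encoder, the helper names (`cose_key_thumbprint`, `thumbprint_input`, `recover_password`), the password and the wordlist are all constructed for this example.

```python
"""COSE Key Thumbprint plus an offline dictionary attack on the thumbprint
of a password-derived symmetric key.

Added example, not the draft's or the thread's code. Assumes the
construction as read from draft-ietf-cose-key-thumbprint: required
COSE_Key members only, deterministic CBOR (RFC 8949 s4.2.1), SHA-256.
All key material and the wordlist are constructed for the example."""
import hashlib
import hmac
from typing import Optional

# COSE_Key labels (values from the RFC 9052/9053 registries).
KTY, KID = 1, 2
KTY_OKP, KTY_EC2, KTY_RSA, KTY_SYMMETRIC = 1, 2, 3, 4
SYM_K = -1  # label of the raw symmetric key bytes

# Required members per key type; only these feed the thumbprint (assumed).
REQUIRED_MEMBERS = {
    KTY_OKP: (1, -1, -2),        # kty, crv, x
    KTY_EC2: (1, -1, -2, -3),    # kty, crv, x, y
    KTY_RSA: (1, -1, -2),        # kty, n, e
    KTY_SYMMETRIC: (1, -1),      # kty, k
}


def _head(major: int, arg: int) -> bytes:
    """Shortest CBOR head for major type `major` with argument `arg`."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    for extra, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * width):
            return bytes([(major << 5) | extra]) + arg.to_bytes(width, "big")
    raise ValueError("argument too large for CBOR")


def cbor_encode(value) -> bytes:
    """Deterministic CBOR (RFC 8949 s4.2.1) for the subset a COSE_Key needs:
    integers, byte strings, text strings and maps keyed by integers/text."""
    if isinstance(value, bool):
        raise TypeError("booleans are not needed for COSE_Key members")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, dict):
        # Map keys ordered bytewise on their own encodings, regardless of
        # insertion order, so two encodings of the same key always agree.
        pairs = sorted((cbor_encode(k), cbor_encode(v)) for k, v in value.items())
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    raise TypeError(f"unsupported type {type(value).__name__}")


def thumbprint_input(cose_key: dict) -> bytes:
    """The exact bytes that get hashed: deterministic CBOR of the required
    members only. Optional members such as kid or alg never affect it."""
    try:
        labels = REQUIRED_MEMBERS[cose_key[KTY]]
    except KeyError:
        raise ValueError("missing or unsupported kty") from None
    missing = [label for label in labels if label not in cose_key]
    if missing:
        raise ValueError(f"COSE_Key lacks required members {missing}")
    return cbor_encode({label: cose_key[label] for label in labels})


def cose_key_thumbprint(cose_key: dict, hash_name: str = "sha256") -> bytes:
    """SHA-256 is the mandatory-to-implement hash; others can be named."""
    return hashlib.new(hash_name, thumbprint_input(cose_key)).digest()


def symmetric_key_from_password(password: str) -> dict:
    """The anti-pattern under discussion: a password used directly as the
    `k` of a COSE symmetric key (constructed for the example)."""
    return {KTY: KTY_SYMMETRIC, SYM_K: password.encode("utf-8")}


def recover_password(thumbprint: bytes, wordlist) -> Optional[str]:
    """Offline attack: no salt, no stretching, so each candidate costs one
    SHA-256. Returns the password if it appears in the wordlist."""
    for guess in wordlist:
        candidate = cose_key_thumbprint(symmetric_key_from_password(guess))
        if hmac.compare_digest(candidate, thumbprint):
            return guess
    return None


# Constructed wordlist standing in for a real password dictionary.
CONSTRUCTED_WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]

if __name__ == "__main__":
    weak = symmetric_key_from_password("hunter2")
    tp = cose_key_thumbprint(weak)
    print("thumbprint of password-derived key:", tp.hex())
    print("recovered from that thumbprint:", recover_password(tp, CONSTRUCTED_WORDLIST))
    strong = {KTY: KTY_SYMMETRIC, SYM_K: bytes(32)}  # stand-in for a random 256-bit key
    print("recovered from a full-entropy key:", recover_password(cose_key_thumbprint(strong), CONSTRUCTED_WORDLIST))
```

The point the attack makes is that a thumbprint leaks nothing about a full-entropy key (guessing is as hard as guessing the key), but for a low-entropy `k` it is equivalent to publishing an unsalted hash of the password, which is why the plain "MUST NOT be used with passwords" wording is the right one.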