Re: [COSE] Recharter the COSE working group.

"Matthew A. Miller" <linuxwolf@outer-planes.net> Tue, 14 August 2018 15:20 UTC

To: Jim Schaad <ietf@augustcellars.com>
Cc: 'cose' <cose@ietf.org>
References: <000001d431b6$cb559720$6200c560$@augustcellars.com> <252453AB-2C28-437E-88D3-191AD2F37A8E@vigilsec.com> <0796519c-8232-9e02-5d2c-e4dde48bc129@outer-planes.net> <003201d43347$9d1aa250$d74fe6f0$@augustcellars.com>
From: "Matthew A. Miller" <linuxwolf@outer-planes.net>
Message-ID: <4719053b-b6a6-7d80-6782-e2e3c5e21229@outer-planes.net>
Date: Tue, 14 Aug 2018 09:20:36 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/3o2SpR1i3vFKkOLNvhFGY6nG7nA>

Thanks Jim,

For whatever it's worth, these are roughly what I thought were
worthwhile reasons to split before I asked.

I wonder if it's really worth waiting for the WG to be formed before
deciding to split, or if consensus to do so can be reached during
chartering.  It seems to me fairly uncontroversial and it can just be
made so now.

I'm confident the directorate reviewers would thank you in addition to
the ADs.


- m&m

Matthew A. Miller
< http://goo.gl/LM55L >

On 18/08/13 14:52, Jim Schaad wrote:
> There are two basic reasons for splitting the document.
> 
> First, a shorter document is normally just easier to deal with and by and large one is only dealing with one of the documents at any given time.  (We did get complaints from the IESG at the time about the document length.)
> 
> Second, the structure document would not have any algorithm details or recommendations in it.  The issue with having algorithms in a full standard is what happens when that algorithm suddenly becomes broken.  Do you now need to de-list the standard because it is saying to do things that are no longer recommended?  Having the algorithms separate from the structure makes this problem moot.  Protocols that reference the standard and make algorithm requirements would need to deal with this but not the core structure document.
> 
> One unimportant reason is that not having the algorithms means that it is going to be easier (I think) to validate that we have implementations of all of the interesting parts of the structure document.
> 
> Jim
> 
> 
>> -----Original Message-----
>> From: Matthew A. Miller <linuxwolf@outer-planes.net>
>> Sent: Monday, August 13, 2018 1:12 PM
>> To: Russ Housley <housley@vigilsec.com>; Jim Schaad
>> <ietf@augustcellars.com>
>> Cc: cose <cose@ietf.org>
>> Subject: Re: [COSE] Recharter the COSE working group.
>>
>> I also support this effort.  The COSE WG already closed, but that shouldn't stop
>> the proposed COSEbis WG from using this mailing list (and/or hopefully just not
>> adopting the -bis suffix).
>>
>> I am curious what rationales there are for splitting the document.  Not
>> opposed, mind you; just curious.
>>
>>
>> - m&m
>>
>> Matthew A. Miller
>> < http://goo.gl/LM55L >
>>
>> On 18/08/13 13:45, Russ Housley wrote:
>>> I support this recharter activity.  The SUIT WG does not want to specify the
>>> use of hash-based signature algorithms with COSE because they have much
>>> greater applicability than just signing software packages.  I did write a draft
>>> <draft-housley-suit-cose-hash-sig-04> that could be used as a starting point for
>>> this portion of the work.
>>>
>>> Russ
>>>
>>>
>>>> On Aug 11, 2018, at 5:03 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>>>>
>>>> I have approached the Security ADs about progressing the COSE from
>>>> Proposed Standard to Full Standard.  They have indicated that they
>>>> would be open to this.  In addition to this, there are a couple of
>>>> other documents related to COSE which are looking for homes and this
>>>> would provide an opportunity for them to be dealt with as well.
>>>>
>>>> The charter text that I have proposed is:
>>>>
>>>> *********************************
>>>>
>>>> CBOR Object Signing and Encryption (COSE, RFC 8152) describes how to
>>>> create and process signatures, message authentication codes, and
>>>> encryption using Concise Binary Object Representation (CBOR, RFC 7049) for
>>>> serialization.
>>>> COSE additionally describes a representation for cryptographic keys.
>>>>
>>>> COSE has been picked up and is being used both by a number of groups
>>>> within the IETF (i.e. ACE, CORE, ANIMA, 6TiSCH and SUIT) as well as
>>>> outside of the IETF (i.e. W3C and FIDO).  There are a number of
>>>> implementations, both open source and private,  now in existence.
>>>> The specification is now sufficiently mature that it makes sense to try and
>>>> advance it to STD status.
>>>>
>>>> The standards progression work will focus on:
>>>> 1. Should the document be split in two?  One document for the
>>>> structures and one document for the algorithm definitions.
>>>> 2.  What areas in the document need clarification before the document
>>>> can be progressed?
>>>> 3.  What implementations exist and do they cover all of the major
>>>> sections of the document?
>>>>
>>>> There are a small number of COSE related documents that will also be
>>>> addressed by the working group dealing with additional attributes and
>>>> algorithms that need to be reviewed and published.  The first set of
>>>> three are listed in the deliverables.  A re-charter will be required
>>>> to expand this list.
>>>>
>>>> The SUIT working group has identified a need for the use of hash-based
>>>> signatures in the form of Leighton-Micali Signatures (LMS)
>>>> (draft-mcgrew-hash-sigs).  This signature form is resistant to
>>>> quantum computing and is low-cost for validation.
>>>>
>>>> The W3C Web Authentication working group has identified a need for
>>>> the ability to use algorithms which are currently part of TPMs which
>>>> are widely deployed.  Many of the algorithms for this work are not
>>>> expected to be IETF recommended algorithms.
>>>>
>>>> At the time COSE was developed, there was a sense that X.509
>>>> certificates was not a feature that needed to be transferred from the
>>>> JOSE key document (RFC 7517).  Since that time a better sense of how
>>>> certificates would be used both in the IoT sphere and with COSE
>>>> outside of the IoT sphere has been developed.  The need to be able to
>>>> identify X.509 certificates is now a feature that needs to be provided.
>>>>
>>>> Key management and binding of keys to identities are out of scope for
>>>> the working group.
>>>> The COSE WG will not innovate in terms of cryptography.
>>>> The specification of algorithms in COSE is limited to those in RFCs
>>>> or active IETF WG documents.
>>>>
>>>> The working group will coordinate its progress with the ACE, SUIT and
>>>> CORE working groups to ensure that we are fulfilling the needs of
>>>> these constituencies to the extent relevant to their work.
>>>> Other groups may be added to this list as the set of use cases is expanded.
>>>>
>>>> The WG will have four deliverables:
>>>>
>>>> 1. Republishing a version of RFC 8152 suitable for advancement to
>>>> full standard.
>>>> 2. Use of Hash-based Signature algorithms in COSE using
>>>> draft-housley-suit-cose-hash-sig as a starting point.
>>>> 3. Placement of X.509 certificates in COSE messages and keys using
>>>> draft-schaad-cose-x509 as a starting point.
>>>> 4. Define the algorithms needed for W3C Web Authentication for COSE
>>>> using draft-jones-webauthn-cose-algorithms and
>>>> draft-jones-webauthn-secp256k1 as a starting point.
>>>>
>>>> ******************************
>>>>
>>>> I don't currently have a set of milestones associated with this
>>>> charter in part because I have not talked to everybody about what
>>>> they believe they can do.
>>>>
>>>> For RFC 8152, assuming that the document is split into two pieces, I
>>>> would expect that we should be able to get the split documents to the
>>>> IESG prior to the Prague meeting.  Assuming that the IESG requires
>>>> that we wait an additional six months of the new document I would
>>>> expect that roughly nine months later an updated document could go to the
>>>> IESG for full standard.
>>>>
>>>> The hash-based signature algorithm document is probably in good
>>>> shape, the big question would be should it be coordinated with the
>>>> similar documents in the LAMPS working group.  If that is not needed
>>>> then this should take less than a year to finish.
>>>>
>>>> The X.509 certificates draft needs to get review, but I believe that
>>>> it is in good shape now and probably ready to go.
>>>>
>>>> I don't know what the state is for the two Web Authentication drafts
>>>> as I have not read the first in a while and have never read the second.
>>>>
>>>> Jim
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> COSE mailing list
>>>> COSE@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/cose
>>>
>>>
> 
>