Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

John Mattsson <john.mattsson@ericsson.com> Wed, 10 March 2021 18:18 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: cose <cose@ietf.org>
Date: Wed, 10 Mar 2021 18:13:44 +0000
Message-ID: <AB18EE8A-EF5F-439D-B474-50CF8F78F140@ericsson.com>
References: <FE8C6CA0-DC5B-4A12-B467-957A9C1CD1BF@ericsson.com>
In-Reply-To: <FE8C6CA0-DC5B-4A12-B467-957A9C1CD1BF@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/8Q7tnnlRKfJDroqexU-_ElhWfzM>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>

Hi,

I got some comments from Göran and updated the PR based on Göran's comments. The suggested pull request will be presented at the COSE WG meeting on Friday.

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Wednesday, 24 February 2021 at 10:35
To: cose <cose@ietf.org>
Subject: Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

Hi,

At the last interim Ben asked me to make a first attempt at summarizing the discussion and conclusions in the issue tracker, the list, and during the interim. I just made a pull request (PR) doing that.

https://github.com/cose-wg/X509/pull/35

The PR aims to address issues #29 #30 #31 #33 based on the discussion on the list and during the last interim. The solution is to use x5t together with the other parameters as suggested by Russ:

- Added to x5bag, x5chain, and x5u that integrity protection in COSE is required unless it is known that the CA did proof-of-possession.
- Added that integrity protection can be achieved by combining x5t with x5bag, x5chain, or x5u.
- Added explanation that sending x5bag or x5chain in the unprotected header allows an intermediary to remove or add certificates.
- Added clarification that x5t refers to an end-entity certificate.
- Added media type application/cbor for a COSE_X509 chain.
- Added that when the end-entity certificate is integrity protected by COSE, URI protection is not needed.
- Security consideration on why integrity protection of the end-entity certificate is required if there was no proof-of-possession.
- Security consideration on identity protection.

I think this addresses all the related use cases and security issues.
 - If the requirements are followed, it is secure.
 - No changes required to existing secure deployments.
 - It is still possible to send x5bag and x5chain unprotected.
 - No extra overhead is required when used in EDHOC.
 - When used in EDHOC, plain unprotected CoAP can be used.

I tried to make the changes so that no existing secure deployment needs to change its implementation. One could otherwise discuss whether integrity protection should be a MUST, but that would change existing implementations (which, if they do proof-of-possession, are already secure).

Cheers,
John
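The mechanism the quoted PR summary describes (x5t in the protected header binding an x5chain carried in the unprotected header, so that an intermediary cannot swap the end-entity certificate) as an added, runnable illustration that is not part of the message, the draft, or the cose-wg repository. Assumptions: header labels x5chain = 33 and x5t = 34 and the SHA-256 hash id -16 are the values later published in RFC 9360 / RFC 9054 (the draft discussed here still had TBD labels); the "certificates" are constructed byte strings standing in for DER, and the signature is an HMAC-SHA256 stand-in for a real COSE signature (e.g. ES256) so the example runs with the standard library only. The CBOR codec is a minimal subset written for this example.

```python
import hashlib
import hmac

# COSE header labels for the X.509 parameters (values as registered in RFC 9360)
# and the COSE algorithm id for SHA-256 used inside x5t (RFC 9054). Assumed here.
X5CHAIN, X5T = 33, 34
SHA256_ALG = -16


# --- minimal CBOR (RFC 8949) subset: ints, bstr, tstr, arrays, maps ----------
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large")


def cbor_encode(v):
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v).__name__)


def _decode(b, i):
    major, ai, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite lengths and simple values not supported")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return b[i:i + n], i + n
    if major == 3:
        return b[i:i + n].decode(), i + n
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(n):
            k, i = _decode(b, i)
            if major == 4:
                out.append(k)
            else:
                out[k], i = _decode(b, i)      # map: key just read, now the value
        return out, i
    raise ValueError("unsupported major type %d" % major)


def cbor_decode(b):
    v, i = _decode(b, 0)
    if i != len(b):
        raise ValueError("trailing bytes")
    return v


# --- COSE_Sign1 with x5t (protected) binding x5chain (unprotected) ------------
def sign1(key, payload, chain, bind_ee_cert=True):
    # chain[0] is the end-entity certificate; x5t refers to it. The HMAC is a
    # stand-in for the real COSE signature; the Sig_structure layout is COSE's.
    protected = cbor_encode({X5T: [SHA256_ALG, hashlib.sha256(chain[0]).digest()]} if bind_ee_cert else {})
    sig_structure = cbor_encode(["Signature1", protected, b"", payload])
    sig = hmac.new(key, sig_structure, hashlib.sha256).digest()
    return [protected, {X5CHAIN: list(chain)}, payload, sig]


def verify1(key, msg, require_x5t=True):
    # Returns (ok, reason). Path validation of the chain to a trust anchor is out
    # of scope here; this shows only the x5t <-> x5chain binding check.
    protected, unprotected, payload, sig = msg
    sig_structure = cbor_encode(["Signature1", protected, b"", payload])
    if not hmac.compare_digest(sig, hmac.new(key, sig_structure, hashlib.sha256).digest()):
        return False, "signature invalid"
    chain = unprotected.get(X5CHAIN)
    if not chain:
        return False, "no x5chain"
    hdr = cbor_decode(protected)
    if X5T not in hdr:
        if require_x5t:
            return False, "x5t missing from protected header"
        return True, "accepted without binding the certificate"   # the unsafe case
    halg, thumb = hdr[X5T]
    if halg != SHA256_ALG or hashlib.sha256(chain[0]).digest() != thumb:
        return False, "end-entity certificate in x5chain does not match x5t"
    return True, "ok"


def demo():
    key = b"demo-key"                      # constructed stand-ins, not real DER
    ee, ca, rogue = b"EE cert", b"CA cert", b"rogue cert, same public key"
    msg = cbor_decode(cbor_encode(sign1(key, b"hello", [ee, ca])))    # wire round trip
    good = verify1(key, msg)
    tampered = [msg[0], {X5CHAIN: [rogue, ca]}, msg[2], msg[3]]      # intermediary swaps the chain
    caught = verify1(key, tampered)
    unbound = sign1(key, b"hello", [ee, ca], bind_ee_cert=False)      # no x5t: the swap goes unnoticed
    unbound[1] = {X5CHAIN: [rogue, ca]}
    missed = verify1(key, unbound, require_x5t=False)
    return good, caught, missed
```

The three results from `demo()` are the three cases in the list above: the honest message verifies, the swapped chain is rejected because the protected x5t no longer matches `chain[0]`, and the same swap against a message sent without x5t is accepted by a verifier that does not insist on it, which is the situation the PR text says requires either CA proof-of-possession or COSE integrity protection.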