[COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01
"J.C. Jones" <jc@mozilla.com> Thu, 15 August 2019 21:15 UTC
Return-Path: <jjones@mozilla.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 942D81200CC for <cose@ietfa.amsl.com>; Thu, 15 Aug 2019 14:15:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wV1iMmhM34BH for <cose@ietfa.amsl.com>; Thu, 15 Aug 2019 14:15:24 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C09B51200C7 for <cose@ietf.org>; Thu, 15 Aug 2019 14:15:24 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id u34so3907826qte.2 for <cose@ietf.org>; Thu, 15 Aug 2019 14:15:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=3TG5xqdELfFhukfBLnRoCdILoHiyNTo6k4WkDzRNsmY=; b=drwYxiSDhZyJBLXtEGUy5aWZ6IwIexi5KwkJEt9pPtam7JOtN4zDAzQwz2MipFgV8H J+8B3UD7lkZJOX5gZQPRYGw4vk5ovcU/CI5VplfkkR0NhkG6wBX8CaXtEUol0+pNspuQ ndkacD8DHQEKu6iRZOH+QeeDlxN2n/yOK2bEU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=3TG5xqdELfFhukfBLnRoCdILoHiyNTo6k4WkDzRNsmY=; b=KdjX1VygYCMJHtNDxhtW9/TbzWGcypVVHN5O9cIAhMIBraj0ifAFE0kcMj3ixfx9Kr ayI0oY4fshxF2px61FnpBKHCsNZsqst5Oxhjtia6xXyKSSNlsLtRnSUxyZ4MM4zYrcso UkWDkMCSTTaqFqf0w2D4gKcpcZtbfG1Clnyqvhk8VqooIO7yV9oqk4HaUxO4QFTxeXhq +2wQCYMmQEITgBSgNNiL/T/TtvvAR9ZQSATcYyASBdYbLlQsYSeYE/1apl9iXGBPT6aR +PwAtAymXaJ6NAc4w0haTAjq5rTY2DMCTsLMthVQKJeFWjHvwWvtnVYwjlGgAO8eoQGn 7aqA==
X-Gm-Message-State: APjAAAUgYsYwJh9d28mVw1O7KTet0tz17kzfeE6qn6+0IzhOEkffy0jN op7CtL41/lCCBv5RA31nEO8lU5CuBHmcfWQUW9o8ydtUfeI=
X-Google-Smtp-Source: APXvYqxZ/y6edOIaG4VHbKkTb1j+UZbbb7lwnaK5H/c3qXXiUGNqQCmX21n5McgHTUxjqMOaK6eykeCp8pw6oEItRSc=
X-Received: by 2002:aed:3747:: with SMTP id i65mr5933297qtb.166.1565903723440; Thu, 15 Aug 2019 14:15:23 -0700 (PDT)
MIME-Version: 1.0
From: "J.C. Jones" <jc@mozilla.com>
Date: Thu, 15 Aug 2019 14:15:11 -0700
Message-ID: <CAObDDPADXoYn4N0jARibozT5NhWVb7JgNydyrEp_ytCR7pSs0A@mail.gmail.com>
To: cose@ietf.org
Cc: Kevin Jacobs <kjacobs@mozilla.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/9UxQ9JX6xPc0A3v-pBn6qBfU4ng>
Subject: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 21:15:27 -0000
All, We reviewed draft-ietf-cose-webauthn-algorithms-01 and only have pair of comments about the security considerations. Regarding section 5.3: While section 5.2 refers to RFC7518's guidance, currently 5.3 does not. Perhaps note in 5.3 something akin to "if you have an existing implementation, the exponent restrictions from RFC7518 also apply." Regarding section 5.4: The first sentence uses the FIPS186-3 form P-256 when everything else in this document would imply we'd refer to it as secp256r1, though rfc8152bis uses the P-256 form. Perhaps all readers of this document would be able to avoid confusion, but since it's a section _about_ confusion, it seems worth pointing out. Perhaps a parenthetical could be added? Kevin Jacobs and J.C. Jones