[COSE] AD review draft-ietf-cose-key-thumbprint-04
Paul Wouters <paul.wouters@aiven.io> Wed, 13 March 2024 01:59 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4514CC14F614 for <cose@ietfa.amsl.com>; Tue, 12 Mar 2024 18:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeOFxuoMcxcy for <cose@ietfa.amsl.com>; Tue, 12 Mar 2024 18:59:55 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6225DC14F60B for <cose@ietf.org>; Tue, 12 Mar 2024 18:59:55 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id a640c23a62f3a-a465df0d648so8439366b.1 for <cose@ietf.org>; Tue, 12 Mar 2024 18:59:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1710295194; x=1710899994; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=bkNej3n/zWuaGp8MTdhzutaQ2bP8hz1nyxzvuqfGUbs=; b=mlSKUGCGHDg91Bs+g6nltVAZMjDoyNrIG/JbBe4uFYvpyEtRhE+IXJJN4/LIFv1EgR 7aUcKilE3aq80Stsfgav16WMnoK5uQMvGRPatEclW4ur/JvHWL3W+mZrh92BgDo49y5X a8uiguULPpVThOCdemkCgA0YhcqtXew0Sorys=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710295194; x=1710899994; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=bkNej3n/zWuaGp8MTdhzutaQ2bP8hz1nyxzvuqfGUbs=; b=vFmtNZ6woCzegAj9Xzx6UKWl0hUDKgj0rgkcZh1B8BBDaSHUz3U13fA7jQDve/CboV wwchXzZjr/4CrtqwhQqqOINx4mmLg1ONPI0vLvov5ZIUZS48cQEREZ3kM2IBfRKj9dIo aQEKaE0bPkqYdHj1yWVaEY2fi5uQmaU66YUktDjwR/II4cP2ppOnHe77KCSGrtI1NAe2 NSJ5S9TG9GjGfNaNgw8wCmn8DaraZ1HXJqUC+2WE7GcmZxi2HG1dtmy4CaDph4Ico5Oh a5nWKUpC3dl4JS97+d3Pk/CaBjYx8iDWkyVj0AJcIwvWh60LIIDrPQbj+uE3HcfFmfe5 F5BA==
X-Gm-Message-State: AOJu0YwCQqDFXog9Zh8XjcFdPED+kBmCV3oqsBhFlV+3GI9PoigFX2rB 0urFB8DDjjVyqgdopndIYuljIMZ2c2KI4kdw4f0s74ZvqKtYbqsoYEzBfa3JNIdv703bTr+nGwh X/ZE9EyHDMXOmJMbWPHa0i7364Qs/ckJkz4Bbcw==
X-Google-Smtp-Source: AGHT+IF8j/6O4oB5TGdBDiDa5njuKmEG0plljf6DPBw6e0KsxCpZprqxRX2YFEAh8SrbYB7z507ydumAr5DvSplmYX8=
X-Received: by 2002:a17:906:2b17:b0:a46:5f74:f0b8 with SMTP id a23-20020a1709062b1700b00a465f74f0b8mr23295ejg.26.1710295193784; Tue, 12 Mar 2024 18:59:53 -0700 (PDT)
MIME-Version: 1.0
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 12 Mar 2024 21:59:43 -0400
Message-ID: <CAGL5yWagJmTUg++Otm9tzkSTRP995n6L3z8abVRuhkuMjbV=kg@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, isobekohei@gmail.com, Orie Steele <orie@transmute.industries>
Cc: cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007d1388061381217a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/9_WqmQDIpIYevJXfi5Ql2N-QzzM>
Subject: [COSE] AD review draft-ietf-cose-key-thumbprint-04
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 01:59:59 -0000
Thanks for the short clear document.
I only have two comments, which can be addressed as part of the IETF LC.
In the Security Considerations:
To promote interoperability among implementations, the SHA-256
hash algorithm is mandatory to implement.
This really belongs somewhere in the main specification document,
and not in the Security Consideration. Someone should be able to
implement the spec without reading the Security Considerations.
Using thumbprints with passwords (i.e. low-entropy secrets)
is dangerous and MUST be avoided.
"MUST be avoided" is an odd expression and leaves some wiggle room.
("it was unavoidable, so I did it anyway"). Can it not more plainly say
"Thumbprints MUST NOT be used with passwords" ?
Paul
- [COSE] AD review draft-ietf-cose-key-thumbprint-04 Paul Wouters
- Re: [COSE] AD review draft-ietf-cose-key-thumbpri… Michael Jones