Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

John Mattsson <john.mattsson@ericsson.com> Thu, 13 May 2021 11:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/AeUeOuty3zrOX6bac5YnEXcrVGo>
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>

Hi,

https://github.com/cose-wg/X509/pull/35

There are three remaining discussions related to the PR that have to be concluded before merging the PR.

- Two of the discussions are more editorial comments from Ben.

- The third discussion is in my understanding more high-level and depends on what COSE can require/expect/get information about from the CA(s). It also depends on how much COSE should protect people from shooting themselves in the foot.

The current text is 

"Unless it is known that the CA required proof-of-possession of the subject's private key to issue an end-entity certificate, the end-entity certificate MUST be integrity protected by COSE."

Laurence commented that this is not enough and that the endpoints should agree on which end-entity certificate is used. CAs may issue several certificates with the same public key, and different CAs may issue several certificates with the same public key.

Michael commented that this is overkill. There is also a discussion whether the requirement should be MUST or SHOULD.

At a minimum I think the draft needs a security consideration that discusses that there might be many certificates with the same public key and, unless things are put in the protected header, the two endpoints might have different views on which certificate was used.

I think this needs to be discussed on the list.

Cheers,
John
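
Added example, not part of the original message or of the draft: a sketch of why a certificate carried only in the unprotected header is not bound by the signature, while an x5t thumbprint in the protected header is. It builds the COSE_Sign1 Sig_structure with a minimal CBOR encoder; the two certificates and the payload are constructed placeholder bytes, and the helper names are assumptions of this example.

```python
import hashlib

ALG, ES256 = 1, -7                    # COSE "alg" header label and ES256 value
X5CHAIN, X5T, SHA256 = 33, 34, -16    # x5chain / x5t labels, SHA-256 hash id
PAYLOAD = b"constructed payload"
# Constructed placeholders for two DER certificates carrying the same public key.
CERT_A = b"constructed cert bytes: issuer=CA-1, public key=K"
CERT_B = b"constructed cert bytes: issuer=CA-2, public key=K"

def head(major, n):
    """CBOR initial byte plus shortest-form argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")

def cbor(obj):
    """Minimal encoder: ints, byte/text strings, arrays, maps (insertion order)."""
    if isinstance(obj, int):
        return head(0, obj) if obj >= 0 else head(1, -1 - obj)
    if isinstance(obj, bytes):
        return head(2, len(obj)) + obj
    if isinstance(obj, str):
        return head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, list):
        return head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    if isinstance(obj, dict):
        return head(5, len(obj)) + b"".join(cbor(k) + cbor(v) for k, v in obj.items())
    raise TypeError(type(obj))

def to_be_signed(protected, payload, external_aad=b""):
    """Sig_structure for COSE_Sign1; the unprotected header is not an input."""
    body_protected = cbor(protected) if protected else b""
    return cbor(["Signature1", body_protected, external_aad, payload])

def message(cert, bind):
    """(protected, unprotected, payload); bind=True adds x5t to the protected header."""
    protected = {ALG: ES256}
    if bind:
        protected[X5T] = [SHA256, hashlib.sha256(cert).digest()]
    return protected, {X5CHAIN: cert}, PAYLOAD

def signature_covers_cert(bind):
    """True if swapping CERT_A for CERT_B changes the bytes the signature is over."""
    (pa, _, pl_a), (pb, _, pl_b) = message(CERT_A, bind), message(CERT_B, bind)
    return to_be_signed(pa, pl_a) != to_be_signed(pb, pl_b)
```

With the certificate only in the unprotected header, both certificates produce the same signed bytes, so one signature verifies under either; with x5t in the protected header the signed bytes differ and both endpoints are held to the same certificate.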