IETF Logo Mail Archive

Re: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06

Jim Schaad <ietf@augustcellars.com> Tue, 03 December 2019 06:21 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7E8F120106 for <cose@ietfa.amsl.com>; Mon, 2 Dec 2019 22:21:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HAtGG1taxMXA for <cose@ietfa.amsl.com>; Mon, 2 Dec 2019 22:21:36 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96A4B1200F1 for <cose@ietf.org>; Mon, 2 Dec 2019 22:21:35 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 2 Dec 2019 22:21:29 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Mattsson' <john.mattsson=40ericsson.com@dmarc.ietf.org>, cose@ietf.org
References: <E1082983-0F56-47BA-A548-7920F8AEDD95@ericsson.com>
In-Reply-To: <E1082983-0F56-47BA-A548-7920F8AEDD95@ericsson.com>
Date: Mon, 02 Dec 2019 22:21:26 -0800
Message-ID: <01bd01d5a9a1$e6481490$b2d83db0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIK7AZ7ZhCgpAnv67kbs957zahDPac9Fxrw
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/DSjz5dMV5BUAAcO_5DCKB8-b_ZM>
Subject: Re: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 06:21:37 -0000


-----Original Message-----
From: COSE <cose-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Thursday, November 21, 2019 2:27 PM
To: cose@ietf.org
Subject: [COSE] Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06

Comments on draft-ietf-cose-rfc8152bis-struct-07 and draft-ietf-cose-rfc8152bis-algs-06

General:

 - Minor note: The abstracts of the documents have minor differences and the subsections in the introductions have differ orders.

 - As RFC 8610 is published now, shouldn’t the documents be updated to match the final CDDL grammar?

[JLS] As far as I know, the grammar does match what is in RFC 8610.  What I wanted to avoid was a normative dependency on that document.

draft-ietf-cose-rfc8152bis-struct-07:

 - "There has been an increased focus on small, constrained devices"

   I think the document should mention constrained radio technologies as well

[JLS] I don't see the point to that.  This is a small throw away line to help provide motivation.  Adding a duplicate of the same case does not seem to provide any benefits. 

- "strings" are used in in various places. Should be changed to "byte string" or "text string" as CBOR has two types of strings.  I have added a line to the document terminology section.

[JLS] I just went through the document again and made sure that I was consistent.  I am always using either "byte string" or "string".  The latter is used for text strings.  I am not sure that 

- "3.  The content of the message.  The content is either the plaintext or the ciphertext as appropriate."

  This seems to only describe encryption. For signatures and MACs it would be payload, signature/tag.

[JLS]  I would be willing to change plaintext to a different term, but payload is way to overloaded to be placed there.  While plaintext is used in the context of encryption, it is still meaningful here as being something that is not the ciphertext and thus is the original text.  As such it is not inappropriate for signed and mac-ed contexts.

- "structure", "message", "object", "map", "array", "object structure", "message structure", "data object", "structure object", "map object", "array object", "data structure", "data item", "CBOR structures", "COSE structure", "COSE map", "CBOR map", "CBOR object", "COSE object"

  There is a large amount of terms used in the documents. I feel that they could be defined a bit more. Also, are all of them really needed?
[JLS] I cleaned some of these out.

- OLD "The set of protected header parameters wrapped in a bstr."
  NEW "The set of protected header parameters as a map wrapped in a bstr."

[JLS] I went with a slightly different wording.

- The draft has quite a lot of text on different types of signatures like signatures with message recovery. Would be good to have some sentences on signatures with and without state. The text on signatures is also missing that they provide data authentication, integrity protection, and provides non-repudiation.

[JLS] I don't see that information on stateful signatures is going to be relevant here.  A stateful signature algorithm does not change how any of the encoding/decoding of COSE is done. The only reason why I put in the text about message recovery signatures is that this affects how the code is written when one of these shows up and knowing in advance that it may be a problem is useful.

[JLS] Added some text on Data Origination and Data integrity.  As previously discussed, non-repudiation is a made up term with no meaning.

- "They provide either no or very limited data origination."
  This sentence occurs in several places. The term "data origination" seems to not be used very much and also have different meanings.
  E.g. the book "Information Security:   Dictionary of Concepts, Standards and Terms" defines it as
     "data origination. In computing, the translation of information from its original form into machine readable form or directly into electrical signals."

Could we replace "data origination" with "non-repudiation"?
[JLS] from RFC 4949

$ data origin authentication service
      (I) A security service that verifies the identity of a system
      entity that is claimed to be the original source of received data.
      (See: authentication, authentication service.)

Jim


- "digesst"
- "stucture"

draft-ietf-cose-rfc8152bis-algs-06

- "the the"

Cheers,
John

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email