Re: [COSE] AD Review of draft-ietf-cose-countersign-05
Russ Housley <housley@vigilsec.com> Thu, 12 May 2022 15:13 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6526C157B4A for <cose@ietfa.amsl.com>; Thu, 12 May 2022 08:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfU5wq7TNyxa for <cose@ietfa.amsl.com>; Thu, 12 May 2022 08:13:44 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBE90C14F725 for <cose@ietf.org>; Thu, 12 May 2022 08:13:43 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 8D0C016C67F; Thu, 12 May 2022 11:13:42 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 7BE5816CBDA; Thu, 12 May 2022 11:13:42 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <E9F23493-B607-46D0-8B1D-34BFCB451A35@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_494F45D8-8FAC-4859-B66E-F4E3CDE6147A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Thu, 12 May 2022 11:13:42 -0400
In-Reply-To: <BN2P110MB110783804C36D19F2B440E83DCC39@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Cc: "cose@ietf.org" <cose@ietf.org>
To: "Roman D. Danyliw" <rdd@cert.org>
References: <BN2P110MB110783804C36D19F2B440E83DCC39@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/H1p_TjtfVFODWo3CKIFM3oCufao>
Subject: Re: [COSE] AD Review of draft-ietf-cose-countersign-05
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 15:13:47 -0000
Roman: > -- The text of this document doesn't seem to explicitly say what section of RFC8152 is being updated and in what way. The closest is the guidance of the revised IANA table. Typically, an explicit statement would be made. Could something to the effect of "The countersignature approach described in Section 4.5 of RFC8152 is deprecated" be added somewhere. Please provide some guidance on this one. This document defines a countersignature algorithm along with the needed header parameters and CBOR tags for COSE. As the document Introduction says: During the process of advancing COSE to an Internet Standard, it was noticed the description of the security properties of countersignatures was incorrect for the COSE_Sign1 structure. Since the security properties that were described, those of a true countersignature, were those that the working group desired, the decision was made to remove all of the countersignature text from [I-D.ietf-cose-rfc8152bis-struct] and create a new document to both deprecate the old countersignature algorithm and to define a new one with the desired security properties. draft-ietf-cose-rfc8152bis-struct-15 is in AUTH48. See https://www.rfc-editor.org/cluster_info.php?cid=C416 As best I can tell, this cluster is waiting for the COSE WG Chairs to approve for Jim Schaad. Assuming that happens soon, should this document now update the RFC that comes from draft-ietf-cose-rfc8152bis-struct-15? If so, then a small rewording to the above paragraph to: During the process of advancing COSE to Internet Standard, it was noticed the description of the security properties of countersignatures was incorrect for the COSE_Sign1 structure. Since the security properties that were described, those of a true countersignature, were those that the working group desired, the decision was made to remove all of the countersignature text from [I-D.ietf-cose-rfc8152bis-struct]. This document defines a new countersignature with the desired security properties. Note that [I-D.ietf-cose-rfc8152bis-struct] obsoletes RFC 8152. If you agree, then this document will update the RFC that comes from draft-ietf-cose-rfc8152bis-struct-15, not RFC 8152. Russ
- [COSE] AD Review of draft-ietf-cose-countersign-05 Roman Danyliw
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Russ Housley
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Michael Richardson
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Russ Housley
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Benjamin Kaduk