IETF Logo Mail Archive

Re: [COSE] Last Call: <draft-ietf-cose-countersign-06.txt> (CBOR Object Signing and Encryption (COSE): Countersignatures) to Internet Standard

Benjamin Kaduk <kaduk@mit.edu> Sat, 06 August 2022 21:50 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1D54C15C525; Sat, 6 Aug 2022 14:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKSFW-8JK48g; Sat, 6 Aug 2022 14:50:24 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 900D5C15C526; Sat, 6 Aug 2022 14:50:24 -0700 (PDT)
Received: from kduck.mit.edu (c-73-169-244-254.hsd1.wa.comcast.net [73.169.244.254]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 276Lo7Mc031456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 6 Aug 2022 17:50:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1659822618; bh=7MazKu5RAGVvTsBbbctkaCIi7laWwskRiPE0zOdbUOU=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=gVVLBJbqWtmx++m5Jed4PfqlYox6ktWDdIF6Bc+WX5yCccxmKHP1Q6SUcD5Y5f5Qv bPwIHFXHe7K1CKcG/mJ+gi56ks2HmSHmUQCv4ZwxnBGME6nDnREa64R87NQzCz4g8M omzYWajxJz8/X6LwrZ5Gcl1pvbx/9D0ppSx879KABQB3eX0bnbSlqOjv92VmXm/XMQ vCmMzeMuuNlt4bNRiVEKWY7BMGGL2L2KfUwL6UQuiVncUMxHzv7sjCP5vVOhR5pcCz /izFGHry4T0jbJXi3a+RImUMbsLtdXMQNUoYQ7dhXtJGFEjGuHoDQzqP9f7fxScVAc uIqGpSj3jo6Qw==
Date: Sat, 06 Aug 2022 14:50:07 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: last-call@ietf.org
Cc: cose-chairs@ietf.org, cose@ietf.org, draft-ietf-cose-countersign@ietf.org, mcr+ietf@sandelman.ca, rdd@cert.org
Message-ID: <20220806215007.GG69009@kduck.mit.edu>
References: <165833389628.37532.10513614174107478186@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <165833389628.37532.10513614174107478186@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/MzWKtY3NlmgBUsmhSv0uW12j-w4>
Subject: Re: [COSE] Last Call: <draft-ietf-cose-countersign-06.txt> (CBOR Object Signing and Encryption (COSE): Countersignatures) to Internet Standard
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Aug 2022 21:50:29 -0000

On Wed, Jul 20, 2022 at 09:18:16AM -0700, The IESG wrote:
> 
> The IESG has received a request from the CBOR Object Signing and Encryption
> WG (cose) to consider the following document: - 'CBOR Object Signing and
> Encryption (COSE): Countersignatures'
>   <draft-ietf-cose-countersign-06.txt> as Internet Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2022-08-10. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
> 
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-cose-countersign/

This draft fills a claer need, providing "actual countersignature"
semantics for COSE.  However, it's also intended to play a second role,
namely to deprecate the original "countersignature" functionality from RFC
8152 (which did not always provide "actual countersignature" semantics).

I think we probably need to expound further on what exactly is done to
achieve this deprecation: the current version uses the stem "deprecate"
only twice, once in text that is essentially duplicated from
draft-ietf-cose-rfc8152bis-struct, and the final time in the IANA
considerations, where IANA is to add "(Deprecated by [[This Document]]" to
the existing registrations.  (Note: the mismatched parentheses are in the
original.)  There is no discussion of what the deprecation means in
practice for implementations, which is a rather serious omission.

In particular, the current state of affairs gives the COSE header parameter
with label 7 ("counter signature") privileged treatment in that senders are
free to assume that recipients can understand and process it, even if it is
not listed in the "crit" header's value.  While a reasonable reader might
assume that being marked as "deprecated" directs a sender to not omit the
parameter (though more concrete guidance on that point seems apropos to
me), I do not think that there is a clear implication about whether an
impelementation must continue to implement support for processing this
header parameter.  In order to ensure a smooth deprecation process, I think
this document needs to make a specific statement about whether the
requirement on implementations to understand this parameter remains.
(I am currently grappling with how to describe this situation for RFC-to-be
9052, that does not discuss "counter signature" but does retain RFC 8152's
guidance that labels 0-7 SHOULD be omitted from the "crit" value.  I
believe that the requirement on implementations to understand and be able
to process "counter signature" must remain for the purposes of RFC 9052.)

Since I'm posting to last-call, I did make an attempt to read the rest of
the document, and have some additional remarks.

Prior to sending to the RFC Editor, please do a pass to compare the specific
wordings used for definitions and other shared text between this document and
RFC 9052, to avoid needless divergence in phrasing.  A few specific areas
stuck out to me as meriting this comparison (but this should not be assumed
to be an exhaustive list): the introduction in general, but most notably
around "to be a schema-free decoder"; the security considerations, and the
document terminology section.

Section 1

   countersignature, were those that the working group desired, the
   decision was made to remove all of the countersignature text from
   [I-D.ietf-cose-rfc8152bis-struct] and create a new document to both
   deprecate the old countersignature algorithm and to define a new one
   with the desired security properties.

We should probably specifically indicate that the "new document" is this
one, in some fashion.

   The new algorithm is designed to produce the same countersignature
   value in those cases where the cryptographic computed value was
   already included.  This means that for those structures the only
   thing that would need to be done is to change the value of the header
   parameter.

It's not entirely clear to me on first read that this is a feature.
Creating ambiguity about how a given ciphertext was created or should be
processed has historically given rise to vulnerabilities.  That said, since
in this particular case the actual cryptographic content is the same and
this is the scenario where the construction being deprecated did provide
the intended "actual countersignature" semantics, maybe there is not really
any grounds for "confusion" here.

Section 3

   timestamp, a time point at which the signature exists.  When done on
   a COSE_Sign, this is the same as applying a second signature to the
   payload and adding a parallel signature as a new COSE_Signature is
   the preferred method.  

I don't think I understand what this is trying to say, as what it seems to say
to me doesn't make sense.  In particular, this seems to say that the act of
applying a countersignature to a COSE_Sign structure is functionally
equivalent to just appending to the "signatures" array of the COSE_Sign
object, and indeed that appending to "signatures" is preferred.  But that
seems to provide semantics that are not the (desired) semantics of a true
countersignature, which would cover the existing (primary) signature in
addition to the content!


NITS

Section 1.2

   CBOR grammar in the document is presented using CBOR Data Definition
   Language (CDDL) [RFC8610].

singular/plural mismatch

   The collected CDDL can be extracted from the XML version of this
   document via the following XPath expression below.  (Depending on the
   XPath evaluator one is using, it may be necessary to deal with &gt;
   as an entity.)

   //sourcecode[@type='CDDL']/text()

Carsten pointed out for 9052 that the type needs to be lowercase in order to
work.

Section 2

         Generic_Headers /= (
         ? TBD10 => COSE_Countersignature / [+COSE_Countersignature]
         ; V2 Countersignature
         ? TBD11 => COSE_Countersignature0  ; V2 Countersignature0
         )

Since only one of the comments fits to the right, I'd suggest making both be
on their own line, and appearing before the content they describe.

-Ben

v2.23.0 | Report a Bug | By Email