Re: [COSE] IANA COSE assignments

Göran Selander <goran.selander@ericsson.com> Fri, 29 January 2021 15:01 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
CC: cose <cose@ietf.org>
Date: Fri, 29 Jan 2021 15:01:15 +0000
Message-ID: <B4E16747-2BDB-4E65-BBDC-94E0F7068EFB@ericsson.com>
References: <41F03211-E3F5-493B-AC94-0F9DA26A1D9F@ericsson.com> <CEBAB906-22CF-4954-8BF1-F222C7E8EB41@vigilsec.com>
In-Reply-To: <CEBAB906-22CF-4954-8BF1-F222C7E8EB41@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Ogi20kgAupwy_84T1gq8FomazXc>

Thanks Russ! 

Good feedback. Some comments inline. 


On 2021-01-28, 18:18, "Russ Housley" <housley@vigilsec.com> wrote:

    Göran:

    > I'm one of the designated experts for the IANA registry of COSE algorithms and I need some guidance from the WG.
    > 
    > 1. Current IANA assignments and instructions for COSE algorithms [1] intentionally bundle certain parameters whereas others are not bundled. 
    > 
    > For example, all COSE registrations of ECDH include key derivation, but ECDH algorithm and elliptic curve are not bundled. Section 6.3.1. states:
    >  
    > ”The math used to obtain the computed secret is based on the curve selected and not on the ECDH algorithm.  For this reason, a new algorithm does not need to be defined for each of the curves.”
    > 
    > As another example, ECDSA is bundled with a hash function (see table 1) but not with the elliptic curve, see Section 2.1:
    > 
    > ”This document defines ECDSA to work only with the curves P-256,
    > P-384, and P-521. Future documents may define
    > it to work with other curves and points in the future.”
    > 
    > But then there are exceptions, like ES256K [2] which bundles signature algorithm, hash function and elliptic curve. 
    > 
    > It isn't clear to me when to follow the guidance in [1] and when to make an exception. Just because there is one exception doesn't seem like reason enough to register bespoke bundlings. 
    > 
    > There are different principles in action here. Security is one, where a bundling is made to ensure suitable combinations.  Structure and economy of code points seem to be another, where it may become an issue managing the numbers if every potential bundling of parameters can get a unique assignment.
    > 
    > As I see it, there should be a good reason to not assign according to the intentions of [1], and if we deviate from those then we should preferably be able to explain according to what principle that assignment was made so that the new principle can be followed (until potentially other examples require us to reconsider).
    > 
    > Any views on that?

    I like the principle that a new algorithm does not need to be defined for each of the curves.  That leads to a huge number of code points.  So, I think you are right that exceptions should come with a rationale,

[GS] OK, good. Does anyone have a preference for how to document that? Perhaps it is enough to type it into the mail exchange between expert and IANA.

    > 2. Another point relates to how specifications use COSE code points. For example, [1] recommends the use of deterministic ECDSA. If that is not used, is that reason to register another ECDSA code point? Or, if the cofactor of the curve is not equal to 1, is that reason to register another ECDSA code point? In other words, to what extent is the IANA number registration bundled with certain properties for which there is no register? 
    > 
    > An alternative to making new assignments is that the referencing document re-uses existing code points and specifies how they are used, including why and how deviations are made from the math or the recommendations. 
    > 
    > Opinions?

    My reading of draft-ietf-cose-rfc8152bis-algs-12 is that implementations SHOULD use a deterministic version of ECDSA.  This means that other ECDSA implementations are still consistent with the use of these code points.  I think that Section 2.1.1 further supports this interpretation.

[GS] Right, so this is in favor of reusing the existing assignments.

    > 3. ECDH-EE is not specified in [1], whereas ECDH-ES and ECDH-SS are carefully distinguished in the registries. I would be hesitant to register ECDH-EE algorithms without any supporting specification describing how it is expected to be used in general. What does the WG think?

    If someone has a use case for ECDH-EE, then they should write a document to get the code point(s).

[GS] Agree. That use case is potentially of general applicability and would complement draft-ietf-cose-rfc8152bis-algs so I assume that document should be reviewed by the COSE WG.

Göran
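The bundling question in point 1 is easiest to see when written down as a check that an implementation or a registry reviewer could run: for each algorithm identifier, what does the code point fix, and what is left to the key? The example below is added here for illustration and is not code from this message or from the COSE WG. The numeric identifiers are the IANA COSE registry values for the algorithms, key types and curves named in the thread (plus EdDSA for comparison); the table layout, the check function and the sample keys (which omit coordinates) are constructed for the example. The "recommended pairing" warning reflects the RFC 8152 suggestion to pair ES256 with P-256, ES384 with P-384 and ES512 with P-521, which the thread does not quote.

```python
"""Consistency check between a COSE 'alg' identifier and the COSE_Key it is
used with, illustrating the bundling rules discussed in the thread:
ECDH identifiers bundle the KDF but take the curve from the key (Section
6.3.1), ECDSA identifiers bundle the hash but accept any of P-256/P-384/P-521
(Section 2.1), and ES256K additionally bundles the curve secp256k1.
Numeric values are the IANA COSE registry assignments; the table layout and
the check itself are this example's own (not from the thread)."""

# IANA COSE Key Types
KTY_OKP, KTY_EC2 = 1, 2
# IANA COSE Elliptic Curves
P256, P384, P521, X25519, X448, ED25519, ED448, SECP256K1 = 1, 2, 3, 4, 5, 6, 7, 8
# COSE_Key labels: common 'kty' and 'alg', and 'crv' for EC2/OKP keys
L_KTY, L_ALG, L_CRV = 1, 3, -1

ALGS = {
    # ECDSA: hash bundled, curve not (Section 2.1). The 'preferred' curve is
    # only an interoperability recommendation, so it yields a warning.
    -7:  dict(name="ES256", kty={KTY_EC2}, hash="SHA-256", curves={P256, P384, P521}, preferred=P256),
    -35: dict(name="ES384", kty={KTY_EC2}, hash="SHA-384", curves={P256, P384, P521}, preferred=P384),
    -36: dict(name="ES512", kty={KTY_EC2}, hash="SHA-512", curves={P256, P384, P521}, preferred=P521),
    # ES256K (RFC 8812): hash AND curve bundled, the exception raised in the thread
    -47: dict(name="ES256K", kty={KTY_EC2}, hash="SHA-256", curves={SECP256K1}, preferred=SECP256K1),
    # EdDSA: the curve comes from the key
    -8:  dict(name="EdDSA", kty={KTY_OKP}, hash=None, curves={ED25519, ED448}, preferred=None),
    # ECDH: KDF bundled, curve taken from the key (Section 6.3.1)
    -25: dict(name="ECDH-ES+HKDF-256", kty={KTY_EC2, KTY_OKP}, kdf="HKDF-SHA-256",
              curves={P256, P384, P521, X25519, X448}, preferred=None),
    -26: dict(name="ECDH-ES+HKDF-512", kty={KTY_EC2, KTY_OKP}, kdf="HKDF-SHA-512",
              curves={P256, P384, P521, X25519, X448}, preferred=None),
    -27: dict(name="ECDH-SS+HKDF-256", kty={KTY_EC2, KTY_OKP}, kdf="HKDF-SHA-256",
              curves={P256, P384, P521, X25519, X448}, preferred=None),
    -28: dict(name="ECDH-SS+HKDF-512", kty={KTY_EC2, KTY_OKP}, kdf="HKDF-SHA-512",
              curves={P256, P384, P521, X25519, X448}, preferred=None),
}


def check_alg_key(alg, key):
    """Return a list of (level, message) findings; an empty list means the
    pairing is consistent with what the identifier is registered for.
    'error' = outside the registration, 'warn' = permitted but not recommended."""
    findings = []
    spec = ALGS.get(alg)
    if spec is None:
        return [("error", f"alg {alg} is not in the table")]
    # A COSE_Key may carry its own 'alg' to restrict the key's use; it must
    # then agree with the algorithm the key is actually used for.
    if L_ALG in key and key[L_ALG] != alg:
        findings.append(("error", f"key is restricted to alg {key[L_ALG]}, used with {alg}"))
    kty = key.get(L_KTY)
    if kty not in spec["kty"]:
        findings.append(("error", f"{spec['name']} needs kty in {sorted(spec['kty'])}, got {kty}"))
        return findings  # the curve check is meaningless for a wrong key type
    crv = key.get(L_CRV)
    if crv not in spec["curves"]:
        findings.append(("error", f"curve {crv} is not permitted with {spec['name']}"))
    elif spec["preferred"] is not None and crv != spec["preferred"]:
        findings.append(("warn", f"{spec['name']} with curve {crv} is permitted, "
                                 f"but curve {spec['preferred']} is the recommended pairing"))
    return findings


if __name__ == "__main__":
    # Constructed sample keys: only kty/crv (and sometimes alg), no coordinates.
    cases = [
        ("ES256 with P-256 key", -7, {L_KTY: KTY_EC2, L_CRV: P256}),
        ("ES256 with P-384 key (hash bundled, curve not)", -7, {L_KTY: KTY_EC2, L_CRV: P384}),
        ("ES256K with P-256 key (curve is bundled here)", -47, {L_KTY: KTY_EC2, L_CRV: P256}),
        ("ECDH-ES+HKDF-256 with X25519 key", -25, {L_KTY: KTY_OKP, L_CRV: X25519}),
        ("ECDH-ES+HKDF-256 with P-384 key (curve from key)", -25, {L_KTY: KTY_EC2, L_CRV: P384}),
        ("ECDH-ES+HKDF-256 with Ed25519 key", -25, {L_KTY: KTY_OKP, L_CRV: ED25519}),
        ("ES256 header, key restricted to ES384", -7, {L_KTY: KTY_EC2, L_CRV: P256, L_ALG: -35}),
    ]
    for label, alg, key in cases:
        for level, msg in check_alg_key(alg, key) or [("ok", "consistent")]:
            print(f"{label}: {level}: {msg}")
```

The point the table makes explicit is that a single code point such as -25 already covers P-256, P-384, P-521, X25519 and X448, so registering a further ECDH identifier per curve would only duplicate information the key carries; ES256K is the one entry whose `curves` set is a singleton. Deterministic versus randomised ECDSA (point 2) does not appear in the table at all, which matches Russ's reading that both remain consistent with the same code point.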