[COSE] Comments on draft-ietf-cose-x509-01

John Mattsson <john.mattsson@ericsson.com> Fri, 22 March 2019 09:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/OoIDNs8Jn7R5fYz5sP7iOO93c6s>

Very well-written and well needed document. My comments on x5u are likely things that should also be discussed in the security considerations. 

I think the x5u text should be divided into the two quite different use cases:

-  If the certificate is tied to an existing trust anchor, I see no security differences between sending x5chain in unprotected compared to sending a URL in unprotected and fetching the cert with an unprotected HTTP GET. In both cases an attacker can modify the information. In this case I think the requirements to send in protected and to use HTTPS can be removed.

- If x5u is used to provide a new trust anchor, there are, as stated, strong requirements on the connection to the certificate distributor (integrity protection, authentication, configured as trusted). I do however not see why the x5u URL needs to be sent in protected. unprotected seems to work equally fine.


I would like a header parameter for CWT as well

   "cwt:  This header attribute contains a CWT"


"Revocation info?"

   OCSP stapling would be nice. Something like

   "ocsp:  This header attribute contains one or more OCSP tokens"

	COSE_OCSP = bstr / [ 2*ocsp_token: bstr ]

   alternatively the OCSP tokens could be sent in the COSE_X509 array


Nits:

   6tish -> 6TiSCH

   'sha256' -> SHA-256.

   OLD "The structure is the same as 'x5bag'."
   NEW "The structure is the same as 'x5chain'."


Cheers,
John
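
The first x5u case in the message, sketched as an added Go example (not part of the message or of draft-ietf-cose-x509): certificate bytes that arrive without integrity protection are checked by path validation against a configured trust anchor, so a substituted certificate is rejected. The CA and subject names and the helpers `issue`, `acceptFetched` and `scenario` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err) // also reached when CreateCertificate failed and der is nil
	}
	return cert, key
}

// acceptFetched validates bytes from an unauthenticated source (unprotected x5chain, plain-HTTP x5u).
func acceptFetched(der []byte, anchors *x509.CertPool) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func scenario() (genuine, substituted error) {
	ca, caKey := issue("Constructed Trust Anchor", nil, nil)
	anchors := x509.NewCertPool()
	anchors.AddCert(ca)
	leaf, _ := issue("sensor-1", ca, caKey)
	rogue, rogueKey := issue("Rogue CA", nil, nil)
	forged, _ := issue("sensor-1", rogue, rogueKey) // same subject, issuer is not an anchor
	return acceptFetched(leaf.Raw, anchors), acceptFetched(forged.Raw, anchors)
}

func main() { fmt.Println(scenario()) }
```

Path validation only establishes that the certificate chains to the anchor; which certificate under that anchor is acceptable for a given message remains an application decision.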