Re: [COSE] Adam Roach's No Objection on draft-ietf-cose-hash-sig-07: (with COMMENT)

Jim Schaad <ietf@augustcellars.com> Wed, 04 December 2019 04:25 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Adam Roach' <adam@nostrum.com>, 'The IESG' <iesg@ietf.org>
CC: <cose-chairs@ietf.org>, <ivaylo@ackl.io>, <cose@ietf.org>, <draft-ietf-cose-hash-sig@ietf.org>
Date: Tue, 3 Dec 2019 20:25:22 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/SjFAVYFOknapBWT2c1ZbLNg8XVs>


-----Original Message-----
From: COSE <cose-bounces@ietf.org> On Behalf Of Adam Roach via Datatracker
Sent: Tuesday, December 3, 2019 7:21 PM
To: The IESG <iesg@ietf.org>
Cc: cose-chairs@ietf.org; ivaylo@ackl.io; cose@ietf.org; draft-ietf-cose-hash-sig@ietf.org
Subject: [COSE] Adam Roach's No Objection on draft-ietf-cose-hash-sig-07: (with COMMENT)

Adam Roach has entered the following ballot position for
draft-ietf-cose-hash-sig-07: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-sig/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for the work that went into creating this document. I have no comments on its contents (the crypto is somewhat outside my area of expertise), although I have a few observations regarding the examples.

---------------------------------------------------------------------------

Appendix A:

>  This appendix provides a non-normative example of a COSE full message
> signature and an example of a COSE_Sign1 message.  This section
> follows the formatting used in [RFC8152].

I would suggest that RFC 8610 might be a better reference here, as it is the document that actually defines the extended CBOR diagnostic format.
In particular my recommendation is:

  "This section is formatted according to the extended CBOR diagnostic
   format defined by [RFC8610]."

---------------------------------------------------------------------------

§A.1:

>  98(
>    [
>      / protected / h'a10300' / {
>          \ content type \ 3:0
>        } / ,
>      / unprotected / {},
>      / payload / 'This is the content.',
>      / signatures / [
>        [
>          / protected / h'a101382d' / {
>              \ alg \ 1:-46 \ HSS-LMS \
>            } / ,
>          / unprotected / {
>            / kid / 4:'ItsBig'
>          },
>          / signature / ...
>        ]
>      ]
>    ]
>  )

I think there are two things here that need to be addressed.

First, section 3 of this document specifies:

>     o  The 'kty' field MUST be present, and it MUST be 'HSS-LMS'.

I can't find a 'kty' field in this example.

[JLS] The 'kty' field occurs in a COSE_Key and not in a COSE signed message.  This is expected.

Also, this example uses '-46' as the identifier for HSS-LMS, while section 6.1 specifies the value as "TBD." This example needs a clear note added for the RFC editor that the "-46" needs to be replaced by the IANA-assigned value. A similar annotation will be required for the 'kty' field, regarding the value assigned for section 6.2.

[JLS] The powers that be (me) have declared that -46 is going to be the IANA-assigned value.  Telling IANA to replace the "-46" with anything else would require that the example be re-generated or the signature would not verify.

---------------------------------------------------------------------------

§A.2:

Same comments as A.1, above.


_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose
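The two points argued in the thread above (that 'kty' lives in a COSE_Key rather than in a signed message's headers, and that the alg value -46 cannot be swapped out later without re-signing) can be checked by hand. The following is an added example, not code from the draft or from either participant: it includes a minimal CBOR encoder/decoder written for this purpose (not the cbor2 library), decodes the protected header byte strings quoted from Appendix A.1, and rebuilds the Sig_structure from RFC 8152 section 4.4 that an HSS-LMS signer actually signs. The value -47 used for comparison is a made-up stand-in for "some other IANA assignment", not anything the draft or IANA defines.

```python
"""Added example: decode the Appendix A.1 protected headers and show that the
alg value is part of the bytes that get signed. The CBOR codec below is a
deliberately minimal one written for this example; it is not the draft's code
and not a substitute for a real CBOR library."""
import struct


def _head(major, n):
    """Encode a CBOR initial byte plus the shortest argument for n (RFC 7049 section 2)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", n)


def cbor_encode(v):
    """Encode the subset COSE headers need: int, bstr, tstr, array, map (no floats/tags)."""
    if isinstance(v, bool):
        raise TypeError("bools are not used by this example")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(data, i):
    major, info = data[i] >> 5, data[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26, 27):
        size = 1 << (info - 24)
        n = int.from_bytes(data[i:i + size], "big")
        i += size
    else:
        raise ValueError("indefinite-length items are not allowed in COSE headers")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return data[i:i + n], i + n
    if major == 3:
        return data[i:i + n].decode("utf-8"), i + n
    if major == 4:
        items = []
        for _ in range(n):
            item, i = _decode(data, i)
            items.append(item)
        return items, i
    if major == 5:
        m = {}
        for _ in range(n):
            k, i = _decode(data, i)
            m[k], i = _decode(data, i)
        return m, i
    raise ValueError(f"major type {major} not needed for this example")


def cbor_decode(data):
    v, end = _decode(bytes(data), 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v


# Byte strings quoted from the draft's Appendix A.1 example.
BODY_PROTECTED = bytes.fromhex("a10300")      # {3: 0}   content type 0
SIGNER_PROTECTED = bytes.fromhex("a101382d")  # {1: -46} alg = HSS-LMS
PAYLOAD = b"This is the content."

ALG_LABEL = 1  # header label 'alg'; 'kty' is a COSE_Key field and never appears in a header bucket


def header_labels(protected_bstr):
    """Labels present in a protected header bucket."""
    return sorted(cbor_decode(protected_bstr))


def to_be_signed(alg, body_protected=BODY_PROTECTED, payload=PAYLOAD, external_aad=b""):
    """Sig_structure for one COSE_Sign signature (RFC 8152 section 4.4).
    The signer's protected bucket, and so the alg value, is inside the signed bytes."""
    sign_protected = cbor_encode({ALG_LABEL: alg})
    return cbor_encode(["Signature", body_protected, sign_protected, external_aad, payload])


if __name__ == "__main__":
    print("body protected:  ", cbor_decode(BODY_PROTECTED))
    print("signer protected:", cbor_decode(SIGNER_PROTECTED))
    tbs = to_be_signed(-46)
    print("Sig_structure:   ", tbs.hex())
    # -47 is a hypothetical alternative assignment, used only for comparison.
    print("alg change alters signed bytes:", tbs != to_be_signed(-47))
```

Running it decodes h'a101382d' to {1: -46} and h'a10300' to {3: 0}, and shows that a Sig_structure built with any other alg value differs from the one the example signature was computed over, which is exactly why the "-46" in the example cannot be edited by the RFC Editor without regenerating the signature.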