[COSE] Re: extending application/cose-x509
Carsten Bormann <cabo@tzi.org> Tue, 07 October 2025 14:05 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/VG1aBMha0uY8S-QBLW-0ehANqfg>
On 2025-10-07, at 15:34, Thomas Fossati <thomas.fossati@linaro.org> wrote:
>
> However, to be clear: what happens when COSE_X509 is used in a
> protected header (e.g., x5chain, x5bag, x5chain-sender)? Should it
> obey §9 of RFC 9052, or can it be indefinite-length?
9. CBOR Encoding Restrictions
   * The restriction applies to the encoding of the Sig_structure, the Enc_structure, and the MAC_structure.
Any Sig_structure, Enc_structure, or MAC_structure built out of the COSE data items containing that protected header needs to be built using common deterministic encoding (of which only a small part actually is used in these very simple data structures).
Nothing on the wire is influenced by the common deterministic encoding constraint.
Note that the common deterministic encoding constraint does not reach into the “empty_or_serialized_map” elements. These byte strings are created in the over-the-wire structure as a byte string and then used verbatim in the Sig/Enc/MAC_structure computations.
E.g., in 4.4 of RFC 9052 [1]:
How to compute a signature:
1. Create a Sig_structure and populate it with the appropriate fields.
(Note that the field computation does *not* mention Section 9.
body_protected/sign_protected simply are copies of the empty_or_serialized map that was sent for the protected header in the body/signer structure — this has therefore been sent as a byte string for direct use.)
2. Create the value ToBeSigned by encoding the Sig_structure to a byte string, using the encoding described in Section 9.
(This is the place, analogously for Enc_structure and MAC_structure, where Section 9 is applied.)
Grüße, Carsten
[1]: https://www.rfc-editor.org/rfc/rfc9052#section-4.4-5
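The two steps of RFC 9052 section 4.4 quoted in the message above, worked through in code. This is an added example, not code from the thread or from any COSE implementation: it contains a small deterministic CBOR encoder for the subset a COSE_Sign1 Sig_structure needs (integers, definite-length strings and arrays), a tiny decoder for the header subset, and a constructed protected header {1: -7} (alg: ES256) serialized once definite-length (a1 01 26) and once indefinite-length (bf 01 26 ff). The sample payload "hello" is constructed as well. It shows that Section 9 governs the Sig_structure wrapper only, while the protected-header byte string is copied in verbatim, so the two serializations of the same logical header produce two different ToBeSigned values:

```python
"""Build the COSE_Sign1 Sig_structure (RFC 9052 section 4.4) and show which
bytes the Section 9 deterministic-encoding rule actually governs.

Constructed example: the protected header {1: -7} (alg = ES256) is supplied
in two serializations, one definite-length and one indefinite-length."""


def _head(major: int, n: int) -> bytes:
    """Shortest-form CBOR head, as Section 9 (and RFC 8949 section 4.2.1) require."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("length too large for CBOR head")


def encode_deterministic(item) -> bytes:
    """Deterministic encoding for the subset a Sig_structure uses:
    integers, definite-length text/byte strings and definite-length arrays.
    Byte-string *contents* are emitted verbatim; they are never re-encoded."""
    if isinstance(item, int):
        return _head(0, item) if item >= 0 else _head(1, -1 - item)
    if isinstance(item, bytes):
        return _head(2, len(item)) + item
    if isinstance(item, str):
        utf8 = item.encode("utf-8")
        return _head(3, len(utf8)) + utf8
    if isinstance(item, list):
        return _head(4, len(item)) + b"".join(encode_deterministic(x) for x in item)
    raise TypeError(f"unsupported type {type(item).__name__}")


def to_be_signed(body_protected: bytes, external_aad: bytes, payload: bytes) -> bytes:
    """ToBeSigned for COSE_Sign1.  Step 1: populate the Sig_structure, using the
    received empty_or_serialized_map bstr as-is.  Step 2: encode the structure
    deterministically.  Only step 2 is subject to Section 9."""
    sig_structure = ["Signature1", body_protected, external_aad, payload]
    return encode_deterministic(sig_structure)


def decode_subset(data: bytes):
    """Tiny decoder for the header subset used here (integers below 24, definite
    and indefinite-length maps), enough to show both serializations decode to
    the same map."""
    def parse(pos):
        ib = data[pos]
        major, ai = ib >> 5, ib & 0x1F
        if major == 0 and ai < 24:
            return ai, pos + 1
        if major == 1 and ai < 24:
            return -1 - ai, pos + 1
        if major == 5:
            result, pos = {}, pos + 1
            if ai == 31:                      # indefinite-length map, ends with 0xff
                while data[pos] != 0xFF:
                    k, pos = parse(pos)
                    v, pos = parse(pos)
                    result[k] = v
                return result, pos + 1
            for _ in range(ai):               # definite-length map with ai entries
                k, pos = parse(pos)
                v, pos = parse(pos)
                result[k] = v
            return result, pos
        raise ValueError(f"unsupported item 0x{ib:02x}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value


# Constructed inputs: the same protected header {1: -7} serialized two ways.
PROTECTED_DEFINITE = bytes.fromhex("a10126")      # {1: -7}, definite-length map
PROTECTED_INDEFINITE = bytes.fromhex("bf0126ff")  # {1: -7}, indefinite-length map
PAYLOAD = b"hello"                                # constructed sample payload


def demo() -> dict:
    """Return both ToBeSigned values and whether the headers decode identically."""
    return {
        "same_header": decode_subset(PROTECTED_DEFINITE) == decode_subset(PROTECTED_INDEFINITE),
        "tbs_definite": to_be_signed(PROTECTED_DEFINITE, b"", PAYLOAD),
        "tbs_indefinite": to_be_signed(PROTECTED_INDEFINITE, b"", PAYLOAD),
    }


if __name__ == "__main__":
    d = demo()
    print("headers decode to the same map:", d["same_header"])
    print("ToBeSigned (definite header):  ", d["tbs_definite"].hex())
    print("ToBeSigned (indefinite header):", d["tbs_indefinite"].hex())
    print("ToBeSigned values differ:      ", d["tbs_definite"] != d["tbs_indefinite"])
```

The practical consequence for a verifier: it must feed the protected-header byte string exactly as received into the Sig_structure. Decoding the header map and re-serializing it (even deterministically) changes ToBeSigned whenever the sender's serialization differed, and the signature check then fails for a message that is otherwise valid.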