Re: [COSE] A couple of COSE questions

Laurence Lundblade <llundbla@qti.qualcomm.com> Thu, 11 January 2018 20:59 UTC

From: Laurence Lundblade <llundbla@qti.qualcomm.com>
To: Jim Schaad <ietf@augustcellars.com>
CC: cose <cose@ietf.org>
Thread-Topic: [COSE] A couple of COSE questions
Thread-Index: AQHS5hG1oa0lkD9YRUqsmyhba1JpMqIm3jmAgAADpQCAAAjXAIFKDUUA
Date: Thu, 11 Jan 2018 20:59:00 +0000
Message-ID: <DAA01F06-3E93-4959-9238-92EC1C460420@qti.qualcomm.com>
References: <E60C729E-0212-4C01-B442-B8E31836FB0C@qti.qualcomm.com> <000601d2e61a$84840b30$8d8c2190$@augustcellars.com> <05AB593B-CAE8-4229-AE51-8A701C049C5E@qti.qualcomm.com> <001601d2e620$c17fdd10$447f9730$@augustcellars.com>
In-Reply-To: <001601d2e620$c17fdd10$447f9730$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.80.80.8]
Content-Type: multipart/alternative; boundary="_000_DAA01F063E934959923892EC1C460420qtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Ys-ZFeBS97zEzKNaqILjf4XFE58>
Subject: Re: [COSE] A couple of COSE questions
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2018 20:59:24 -0000

Any progress on registered identifiers for bare SHA-256, SHA-384? Doesn’t look like it, but I thought I would ask. I’m definitely still interested.

Thanks!

LL


On Jun 15, 2017, at 2:45 PM, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:

No id assignment for the algorithms yet because the draft has not gone to IANA.

Jim


From: Laurence Lundblade [mailto:llundbla@qti.qualcomm.com]
Sent: Thursday, June 15, 2017 2:14 PM
To: Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>
Cc: cose <cose@ietf.org<mailto:cose@ietf.org>>
Subject: Re: [COSE] A couple of COSE questions

Thank you Jim,

A few comments below.


On Jun 15, 2017, at 2:01 PM, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:

See in line comments

Jim


From: COSE [mailto:cose-bounces@ietf.org] On Behalf Of Laurence Lundblade
Sent: Thursday, June 15, 2017 12:58 PM
To: cose <cose@ietf.org<mailto:cose@ietf.org>>
Subject: [COSE] A couple of COSE questions

Hello I have a few questions…

Registration of hash algs
There’s no assignments for hash algs (SHA-256.. SHA-512, SHA3-256…) in the IANA registry here<https://www.iana.org/assignments/cose/cose.xhtml#algorithms>. I assume this is because the COSE protocol doesn’t have a need because they are bundled up with the signing alg identifiers.  For non-COSE protocols that use CBOR and do have a need to identify a hash, would it be reasonable to add them?  The COSE registry seems like it is the place to register algorithm IDs for use in CBOR in general.  I assume the process would be to write a simple RFC, publish and then add to the registry.

[JLS]  Yes the reason that there are no hash algorithms is that they were not needed for any of the core COSE functions.  I am in the process of registering two hash functions as part of ietf-schaad-cose-x509.  These are a SHA-256 and a truncated SHA-256.  If you want to write up a more complete RFC for this that would be fine with me.

SHA-256 will do for now for me.  Do you have the value for it yet?  I don’t have time for a more general write of more algs at the moment.




Registration of tagging for COSE messages
Why isn’t there a registry section for the tags for these different COSE messages?

   COSE_Tagged_Message = COSE_Sign_Tagged / COSE_Sign1_Tagged /

       COSE_Encrypt_Tagged / COSE_Encrypt0_Tagged /

       COSE_Mac_Tagged / COSE_Mac0_Tagged


[JLS] Not too sure what registry you are looking for here.  But I think you want this registry https://www.iana.org/assignments/cbor-tags/cbor-tags.xhtml#tags

That’s what I was looking for.




Tagging of bstr wrapped data
It seems like it would be helpful to use an option tag on the bstr-wrapped payload for COSE_Sign and such to tell general purpose parsers and translators to remove the bstr wrapping and keep going. Tag 55799 seems like the best fit so far, but it may not be a perfect fit and it would be nice to use a tag less than 24.

[JLS]  I am not sure that you would find this generically helpful.  The problem is that the parser needs to provide both the encoded version and the unencoded version if you are going to do an automatic recursion of the CBOR decoder.  You need the first in order to do the signature validation processing.  This means that there does not seem to be a real point to making the recursion occur automatically that I can see.  We have not provided all of the cues that would be needed to do a stream decode and validation at the same process ala how CMS does it (and even then there are cases where you need to go back and restart the process again).

I figured the answer would be along these lines.

To be more clear on the use case, it seems you could have a small chunk of SW that just does signature verification, that doesn’t really understand the details of the payload.  Its output is a yes or no.   Then you use a general purpose off-the-shelf CBOR-to-JSON translator on the payload.  It only runs if the sig verification passed.

LL

Re: [COSE] A couple of COSE questions Laurence Lundblade
[COSE] A couple of COSE questions Laurence Lundblade
Re: [COSE] A couple of COSE questions Jim Schaad
Re: [COSE] A couple of COSE questions Jim Schaad
Re: [COSE] A couple of COSE questions Laurence Lundblade