[COSE] x5t with multiple hashAlg for interoperability

"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Fri, 11 February 2022 19:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/aHeKsTcwmsOhP4F3zERtz1oTmP4>

All,

The current x5t definition [1] includes a review comment about
interoperation and the need for out-of-protocol algorithm agreement. Because
the "x5t" is a header parameter there can only be a single one present in
any COSE layer, which is slightly different than the JOSE "x5t" algorithm
uses (as separate parameters).

Would it be reasonable to modify the "x5t" definition from a two-tuple into
a map structure, where the map keys are algorithm identifiers and the values
are the hash byte strings? This would allow the single-algorithm case to be
encoded with the exact same size as today, but would allow for multiple
algorithms to be present within a single "x5t". One of the algorithms can be
required to be SHA-256 unless otherwise agreed by the network operators, so
it would have the same properties as the current definition.

A map would allow for transition periods where an "x5t" has two algorithms:
the old one being transitioned away from and the new one being transitioned
to. So the same "x5t" would be understandable by recipients each only
accepting a single algorithm. An assumption about this kind of transition is
that it's easier to change the COSE source than to change the recipients.
This would also allow lossless JOSE translation when it has multiple x5t
algorithm variations, if that's a desirable thing.

[1] https://www.ietf.org/archive/id/draft-ietf-cose-x509-08.html#section-2-5.5
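
The size claim and the transition scenario in the message above, as an added example that is not part of the original post or of the draft: a minimal CBOR encoder compares the current two-tuple with the proposed map, and a recipient that accepts only one algorithm checks a dual-algorithm thumbprint. The map layout, the function names and the certificate bytes are assumptions made for illustration; the identifiers -16 (SHA-256) and -43 (SHA-384) are the COSE hash algorithm values registered by RFC 9054.

```python
import hashlib
import hmac

# COSE hash algorithm identifiers registered by RFC 9054.
SHA256, SHA384 = -16, -43
HASHES = {SHA256: hashlib.sha256, SHA384: hashlib.sha384}

def _head(major, n):
    """Encode a CBOR head (major type plus argument) for n < 2**16."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def _int(n):
    # Major type 0 for non-negative integers, 1 for negative ones.
    return _head(0, n) if n >= 0 else _head(1, -1 - n)

def _bstr(b):
    return _head(2, len(b)) + b

def thumbprint_map(algs, cert_der):
    """Assumed map form of the proposal: {hashAlg: hashValue, ...}."""
    return {a: HASHES[a](cert_der).digest() for a in algs}

def encode_tuple(alg, cert_der):
    """Current draft form: x5t = [hashAlg, hashValue]."""
    return _head(4, 2) + _int(alg) + _bstr(HASHES[alg](cert_der).digest())

def encode_map(algs, cert_der):
    """CBOR encoding of the assumed map form, keys in the order given."""
    entries = thumbprint_map(algs, cert_der)
    body = b"".join(_int(a) + _bstr(v) for a, v in entries.items())
    return _head(5, len(entries)) + body

def recipient_matches(x5t_map, accepted_alg, cert_der):
    """A recipient accepting exactly one algorithm checks only that entry."""
    value = x5t_map.get(accepted_alg)
    if value is None:
        return False  # no thumbprint under an algorithm this recipient accepts
    expected = HASHES[accepted_alg](cert_der).digest()
    return hmac.compare_digest(value, expected)

# Constructed stand-in for DER certificate bytes (not a real certificate).
CERT = b"constructed-certificate-bytes"
```

The array-of-two head and the map-of-one head are each a single byte, which is why the single-algorithm encodings come out the same length.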