Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

John Mattsson <john.mattsson@ericsson.com> Mon, 24 May 2021 10:00 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: cose <cose@ietf.org>
Date: Mon, 24 May 2021 10:00:40 +0000
Message-ID: <HE1PR0701MB3050C02D9B9DAA425F0CCA0089269@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <FE8C6CA0-DC5B-4A12-B467-957A9C1CD1BF@ericsson.com> <394D515A-62ED-4C0A-A2F0-B8686904F979@tzi.org> <43FF858C-455F-4A3E-8FC0-1B64D715518E@ericsson.com> <8D49BABD-474A-4FD8-B1EF-967A9D30E646@ericsson.com> <D0A8ED69-115A-48F9-8FD3-FDBEF24AEE69@island-resort.com>, <9EFBA428-88C0-4BF2-8F8D-3B7B0D52557B@ericsson.com>
In-Reply-To: <9EFBA428-88C0-4BF2-8F8D-3B7B0D52557B@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/cTPknLGiIAvaYVRlvlNxQA4c8yE>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

Hi,

When we discussed this at the meeting it was agreed to change application/cbor to something more specific. The PR now uses "application/cose-x509-chain" and has the text "When the application/cose-x509-chain media type is used, the data is a COSE_X509 structure containing a chain."

I just noticed that an IANA section registering the media type is missing. I will add that to the PR. But before I do that:

- Is application/cose-x509-chain the right thing?
- Or should it be application/cose-x509 allowing for both bag and chain?
- Or should there be two media types application/cose-x509-chain and application/cose-x509-bag?

x5bag and x5chain separate bag and chain, while x5u could be either. Knowing that it is a chain simplifies processing but removes the option to transfer additional certificates.

Cheers,
John

From: John Mattsson <john.mattsson@ericsson.com>
Date: Thursday, 13 May 2021 at 13:07
To: cose <cose@ietf.org>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08
Hi,

https://github.com/cose-wg/X509/pull/35

There are three remaining discussions related to the PR that have to be concluded before merging the PR.

- Two of the discussions are more editorial comments from Ben.

- The third discussion is, in my understanding, more high-level and depends on what COSE can require/expect/get information about from the CA(s). It also depends on how much COSE should protect people from shooting themselves in the foot.

The current text is

"Unless it is known that the CA required proof-of-possession of the subject's private key to issue an end-entity certificate, the end-entity certificate MUST be integrity protected by COSE."

Laurence commented that this is not enough and that the endpoints should agree on which end-entity certificate is used. CAs may issue several certificates with the same public key, and different CAs may issue several certificates with the same public key.

Michael commented that this is overkill. There is also a discussion whether the requirement should be MUST or SHOULD.

At a minimum I think the draft needs a security consideration that discusses that there might be many certificates with the same public key and that, unless things are put in the protected header, the two endpoints might have different views on which certificate was used.

I think this needs to be discussed on the list.

Cheers,
John