Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

John Mattsson <john.mattsson@ericsson.com> Fri, 12 March 2021 07:35 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Carsten Bormann <cabo@tzi.org>
CC: cose <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/ecRFbnDf6Yvt9vIJr8JDrIoZ_RE>

New comment from Laurance on GitHub pointing out that proof-of-possession
is not enough. I think this points to COSE integrity protection of the end-entity certificate needing to be MUST.

Cheers,
John

https://github.com/cose-wg/X509/pull/35

  This doesn't address the case where a CA correctly and intentionally
  issued two certs for the same key with different characteristics (e.g.,
  key use, expiration, other extensions) and the attacker swapped them.

  Maybe this: "When any field in a certificate beyond the key (e.g., key
  use, expiration, other extensions) is used in security decisions by the
  receiver, the COSE header containing or referencing the certificate
  should be in the protected bucket."

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Thursday, 11 March 2021 at 08:33
To: Carsten Bormann <cabo@tzi.org>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

Yes, it is probably better to register a new media type, e.g.:

application/cose-x509-chain

Let's discuss tomorrow.

Cheers,
John

-----Original Message-----
From: Carsten Bormann <cabo@tzi.org>
Date: Wednesday, 10 March 2021 at 21:03
To: John Mattsson <john.mattsson@ericsson.com>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

On 24. Feb 2021, at 10:35, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> - Added media type application/cbor for a COSE_X509 chain.

Why is that the right media type?
(We have specific ones for everything else, no?)

Regards, Carsten
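The swap from the GitHub comment John quotes above, played out against both header buckets, as an added example that is not code from draft-ietf-cose-x509, the pull request, or anyone in the thread. It builds a COSE_Sign1 by hand in Go (a few bytes of CBOR, Ed25519, and two X.509 certificates for one key with a one-hour and a ten-year lifetime; the certificates are self-signed and the lifetimes, payload and swap are assumptions made for the demo, whereas the comment's scenario has a CA issue both) and shows that when x5chain sits only in the unprotected bucket, replacing it with the sibling certificate leaves the signature valid while the receiver's expiry check now runs on the attacker's choice of certificate; with x5chain in the protected bucket the same swap changes Sig_structure and verification fails.

```go
package main

// Added example (not code from draft-ietf-cose-x509 or from the thread): a minimal
// COSE_Sign1 (RFC 8152) showing why x5chain must be in the protected bucket when
// the receiver acts on certificate fields beyond the key. Lifetimes, payload and
// the attacker's swap are constructed for this demo.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// cborHead encodes a CBOR (RFC 8949) head; 16-bit lengths suffice here.
func cborHead(major byte, n int) []byte {
	if n < 24 {
		return []byte{major<<5 | byte(n)}
	}
	if n <= 0xff {
		return []byte{major<<5 | 24, byte(n)}
	}
	return []byte{major<<5 | 25, byte(n >> 8), byte(n)}
}
func cborBstr(b []byte) []byte { return append(cborHead(2, len(b)), b...) }

// headerMap serialises {1: -8 (EdDSA), 33: x5chain} with one certificate bstr;
// a nil certificate means an empty bucket (a zero-length protected bstr).
func headerMap(certDER []byte) []byte {
	if certDER == nil {
		return nil
	}
	return append([]byte{0xa2, 0x01, 0x27, 0x18, 0x21}, cborBstr(certDER)...)
}

// Sign1 mirrors COSE_Sign1 = [protected, unprotected, payload, signature]; each
// header bucket is represented here by the certificate it carries (or nil).
type Sign1 struct{ ProtCert, UnprotCert, Payload, Signature []byte }

// sigStructure builds Sig_structure for Signature1: only the protected bucket is
// bound to the signature; the unprotected map never enters it.
func sigStructure(protected, payload []byte) []byte {
	s := append(cborHead(4, 4), cborHead(3, 10)...) // array(4), tstr(10)
	s = append(s, "Signature1"...)
	s = append(append(s, cborBstr(protected)...), 0x40) // 0x40 = empty external_aad
	return append(s, cborBstr(payload)...)
}
func sign(priv ed25519.PrivateKey, protCert, unprotCert, payload []byte) Sign1 {
	sig := ed25519.Sign(priv, sigStructure(headerMap(protCert), payload))
	return Sign1{protCert, unprotCert, payload, sig}
}

// verify is the receiver: x5chain from the protected bucket if present, else the
// unprotected one; enforce the expiry found there; then check the signature.
// The expiry relied on is returned so the effect of a swap is visible.
func verify(s Sign1) (time.Time, error) {
	der := s.ProtCert
	if der == nil {
		der = s.UnprotCert
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return time.Time{}, err
	}
	if time.Now().After(cert.NotAfter) {
		return cert.NotAfter, fmt.Errorf("certificate expired")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, sigStructure(headerMap(s.ProtCert), s.Payload), s.Signature) {
		return cert.NotAfter, fmt.Errorf("bad signature")
	}
	return cert.NotAfter, nil
}

// issue makes a certificate for pub with the given lifetime. Self-signed for
// brevity; in the scenario from the thread a CA intentionally issues both.
func issue(pub ed25519.PublicKey, priv ed25519.PrivateKey, serial int64, life time.Duration) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(life),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo plays the swap against both buckets: it returns the expiry the receiver
// trusted in the unprotected case plus the verdict for each case.
func Demo() (seenExpiry time.Time, unprotErr, protErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	short := issue(pub, priv, 1, time.Hour)          // what the signer attaches
	long := issue(pub, priv, 2, 10*365*24*time.Hour) // sibling cert, same key
	a := sign(priv, nil, short, []byte("unlock door 7")) // x5chain only unprotected
	a.UnprotCert = long                                  // attacker swaps in the sibling
	seenExpiry, unprotErr = verify(a)                    // still verifies; receiver sees ten years
	b := sign(priv, short, nil, []byte("unlock door 7")) // x5chain protected
	b.ProtCert = long                                    // same swap alters Sig_structure
	_, protErr = verify(b)                               // signature check fails
	return
}

func main() { fmt.Println(Demo()) }
```

A real receiver keeps the transmitted protected bstr verbatim rather than re-encoding it; with a deterministic encoder, as here, the check is identical. It would also build and validate the chain to a trust anchor, which is left out because the swap argument does not depend on it: both certificates are genuine, and only their binding to the signature differs between the two buckets.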