Re: [COSE] AD evaluation of draft-ietf-cose-x509-06
Jim Schaad <ietf@augustcellars.com> Thu, 17 September 2020 18:31 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 917023A0F1E; Thu, 17 Sep 2020 11:31:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6EbBeuD5njX1; Thu, 17 Sep 2020 11:31:16 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0CDB3A03FB; Thu, 17 Sep 2020 11:31:15 -0700 (PDT)
Received: from Jude (192.168.0.11) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 17 Sep 2020 11:30:51 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Barry Leiba' <barryleiba@computer.org>
CC: draft-ietf-cose-x509.all@ietf.org, cose@ietf.org
References: <CALaySJJ_--idVkDFA_UoO24nPJ8ieaKJkVxtO1Cr5UTF+A8Dzg@mail.gmail.com> <01c901d68afd$d5584860$8008d920$@augustcellars.com> <CALaySJ+pL2ULnjswaw4QNeNjQjqCdacBNK326wXO7HvZnJ+Tjw@mail.gmail.com>
In-Reply-To: <CALaySJ+pL2ULnjswaw4QNeNjQjqCdacBNK326wXO7HvZnJ+Tjw@mail.gmail.com>
Date: Thu, 17 Sep 2020 11:30:47 -0700
Message-ID: <02cf01d68d20$ab490e90$01db2bb0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJePC3q+YYvA6ZJWq31K9CPqSw4egGdgYPKAWbpDsWoRaVxoA==
Content-Language: en-us
X-Originating-IP: [192.168.0.11]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/hm7_IJ6wzRlUX531yoTBpY5crek>
Subject: Re: [COSE] AD evaluation of draft-ietf-cose-x509-06
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 18:31:18 -0000
I just posted the new version. As you suggested below, I have punted the MTI issue to see what we get as a response. By default I think we just close our eyes and live with the current text. Jim -----Original Message----- From: Barry Leiba <barryleiba@computer.org> Sent: Thursday, September 17, 2020 10:27 AM To: Jim Schaad <ietf@augustcellars.com> Cc: draft-ietf-cose-x509.all@ietf.org; cose@ietf.org Subject: Re: AD evaluation of draft-ietf-cose-x509-06 Hi, Jim. Just leaving the items that aren't fully settled: >> For interoperability, applications which use this header parameter >> MUST support the hash algorithm 'SHA-256', but can use other hash >> algorithms. >> >> I appreciate the need for an MTI alg here, but what does it really >> mean for me to say that my temperature sensor “supports SHA-256”, but >> that everything it sends uses SHA-512? How does that help >> interoperability? > > [JLS] If you have not agreed with others that this is what you are > doing, then it does not help interoperability. However, I am also > loathe to say that you MUST use this algorithm and only this > algorithm. My expectation is that people are more likely to use > SHA-256/64 rather than SHA-256 in this case as the shorter thumbprint > means less bytes on the wire. I don't know what else could be said > here. I'm not sure how to say it either, but I don't think what's there really addresses interoperability. I think you understand what I'm getting at, yes? Possibly it just doesn't make sense to have an MTI algorithm, and instead have text advising about interop issues with regard to the hash algo. Maybe just put a "cref" note in about this issue, and let people who review it cogitate about it -- maybe we'll get some ideas. >> This will normally be the situation when self-signed certificates >> are used. >> >> I wonder whether some readers will misread this as saying that >> self-signed certs will normally be used here. Maybe, “Self-signed >> certificates are more likely to appear in this parameter than in the >> others.” ? > > [JLS] No, this is what I really meant "In particular, self-signed > certificates MUST NOT be trusted without an out-of-band confirmation." That text sounds useful, yes; thanks, Barry
- [COSE] AD evaluation of draft-ietf-cose-x509-06 Barry Leiba
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Jim Schaad
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Barry Leiba
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Barry Leiba
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Jim Schaad