Re: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01

Mike Jones <Michael.Jones@microsoft.com> Thu, 24 October 2019 23:11 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "J.C. Jones" <jc@mozilla.com>, "cose@ietf.org" <cose@ietf.org>
CC: Kevin Jacobs <kjacobs@mozilla.com>
Thread-Topic: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01
Thread-Index: AQHVU66TKD2WR3BhR0ifVYYdgx1ae6dl/77ggATY4bA=
Date: Thu, 24 Oct 2019 23:11:14 +0000
Message-ID: <BYAPR00MB0567955569B14A2032EC229AF56A0@BYAPR00MB0567.namprd00.prod.outlook.com>
References: <CAObDDPADXoYn4N0jARibozT5NhWVb7JgNydyrEp_ytCR7pSs0A@mail.gmail.com> <BN8PR00MB05638BD3633D5CFC31B6C325F5690@BN8PR00MB0563.namprd00.prod.outlook.com>
In-Reply-To: <BN8PR00MB05638BD3633D5CFC31B6C325F5690@BN8PR00MB0563.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/kSub61uNuQvVD-4YOvS5FqPt7Xc>
Subject: Re: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01

These issue resolutions have been incorporated in https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-02.  Thanks again for your useful review!

                                                                -- Mike

From: Mike Jones
Sent: Monday, October 21, 2019 2:11 PM
To: J.C. Jones <jc@mozilla.com>; cose@ietf.org
Cc: Kevin Jacobs <kjacobs@mozilla.com>
Subject: RE: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01


Thanks for the review, J.C. and Kevin.  Replies are inline below, prefixed by "Mike>".

                                                       Best wishes,
                                                       -- Mike

-----Original Message-----
From: COSE <cose-bounces@ietf.org> On Behalf Of J.C. Jones
Sent: Thursday, August 15, 2019 2:15 PM
To: cose@ietf.org
Cc: Kevin Jacobs <kjacobs@mozilla.com>
Subject: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01

All,

We reviewed draft-ietf-cose-webauthn-algorithms-01 and only have a pair of comments about the security considerations.

Regarding section 5.3:

While section 5.2 refers to RFC7518's guidance, currently 5.3 does not. Perhaps note in 5.3 something akin to "if you have an existing implementation, the exponent restrictions from RFC7518 also apply."

Mike> Good suggestion.  I'd be glad to do that.

Regarding section 5.4:

The first sentence uses the FIPS186-3 form P-256 when everything else in this document would imply we'd refer to it as secp256r1, though rfc8152bis uses the P-256 form. Perhaps all readers of this document would be able to avoid confusion, but since it's a section _about_ confusion, it seems worth pointing out. Perhaps a parenthetical could be added?

Mike> I propose to add a reference to "[RFC 7518]" after "P-256" to make it clear where the definition that we are using originates.

Kevin Jacobs and J.C. Jones

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose
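The naming point J.C. raises about section 5.4 (P-256 under its FIPS name, secp256r1 under its SEC 2 name, next to secp256k1) is the kind of confusion a relying party should also guard against in code, since a secp256k1 public key and a P-256 public key have the same shape and differ only in the declared curve. The following Python is an added example written for this page; it is not part of the thread or of the draft (later published as RFC 8812). It folds the aliases P-256 / secp256r1 / prime256v1 onto one canonical curve, checks that a JWK's `alg` and `crv` agree (ES256 is defined over P-256 in RFC 7518, ES256K over secp256k1 in RFC 8812), and confirms that the public point actually satisfies the declared curve's equation using the published domain parameters. The helper names (`check_ec_jwk`, `make_ec_jwk`, `on_curve`) are my own, and the sample keys are constructed from the two curves' generator points.

```python
import base64

# Short-Weierstrass domain parameters, y^2 = x^3 + a*x + b over GF(p),
# from FIPS 186 (P-256) and SEC 2 (secp256k1). The two curves differ in
# p, a and b, so a given (x, y) can satisfy at most one of the equations.
CURVES = {
    "P-256": {
        "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        "a": -3,
        "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    },
    "secp256k1": {
        "p": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
        "a": 0,
        "b": 7,
    },
}

# Names under which the same curve appears (FIPS, SEC 2, OpenSSL).
CURVE_ALIASES = {
    "P-256": "P-256",
    "secp256r1": "P-256",
    "prime256v1": "P-256",
    "secp256k1": "secp256k1",
}

# JOSE algorithm -> curve it is defined over (RFC 7518 for ES256, RFC 8812 for ES256K).
ALG_TO_CURVE = {"ES256": "P-256", "ES256K": "secp256k1"}

# Generator points of the two curves, used here only to build constructed sample keys.
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
SECP256K1_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
               0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _b64url_encode(n: int) -> str:
    """Encode a 256-bit coordinate as the unpadded base64url string JWK uses."""
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> int:
    """Decode a base64url JWK coordinate back into an integer."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def on_curve(curve: str, x: int, y: int) -> bool:
    """True if (x, y) is an affine point on the named curve."""
    c = CURVES[curve]
    p = c["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x ** 3 + c["a"] * x + c["b"])) % p == 0


def make_ec_jwk(crv: str, alg, x: int, y: int) -> dict:
    """Build a constructed EC public JWK (example helper, not a library API)."""
    return {"kty": "EC", "crv": crv, "alg": alg,
            "x": _b64url_encode(x), "y": _b64url_encode(y)}


def check_ec_jwk(jwk: dict) -> tuple:
    """Validate an EC public JWK before trusting its declared curve.

    Returns (True, canonical_curve_name) when the key is acceptable and
    (False, reason) otherwise. Hypothetical helper written for this example.
    """
    if jwk.get("kty") != "EC":
        return (False, "kty is not EC")
    crv = CURVE_ALIASES.get(jwk.get("crv"))
    if crv is None:
        return (False, f"unknown curve {jwk.get('crv')!r}")
    alg = jwk.get("alg")
    if alg is not None:
        expected = ALG_TO_CURVE.get(alg)
        if expected is None:
            return (False, f"unknown algorithm {alg!r}")
        if expected != crv:
            return (False, f"alg {alg} requires crv {expected}, key declares {crv}")
    try:
        x = _b64url_decode(jwk["x"])
        y = _b64url_decode(jwk["y"])
    except (KeyError, ValueError):
        return (False, "malformed coordinates")
    # The decisive check: the point must lie on the curve the key claims.
    if not on_curve(crv, x, y):
        return (False, f"point is not on {crv}")
    return (True, crv)


if __name__ == "__main__":
    good = make_ec_jwk("secp256r1", "ES256", *P256_G)
    relabelled = make_ec_jwk("secp256k1", "ES256K", *P256_G)  # P-256 point, wrong crv
    print(check_ec_jwk(good))        # (True, 'P-256')
    print(check_ec_jwk(relabelled))  # (False, 'point is not on secp256k1')
```

The alias table is the part that addresses the editorial comment directly: whichever name a peer uses for the NIST curve, the verifier resolves it to one identity before comparing it with the algorithm. The on-curve test is what makes the check robust against a key whose coordinates and declared curve disagree, which a name comparison alone cannot detect.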