[COSE] Adam Roach's No Objection on draft-ietf-cose-hash-sig-07: (with COMMENT)

Adam Roach via Datatracker <noreply@ietf.org> Wed, 04 December 2019 03:20 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: cose@ietf.org
Delivered-To: cose@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB3312009C; Tue, 3 Dec 2019 19:20:48 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-cose-hash-sig@ietf.org, Ivaylo Petrov <ivaylo@ackl.io>, cose-chairs@ietf.org, ivaylo@ackl.io, cose@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.111.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <157542964857.4747.788853927600346605.idtracker@ietfa.amsl.com>
Date: Tue, 03 Dec 2019 19:20:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/kYAupRdApAEQ9m8c5ZiXMOnw0Vo>
Subject: [COSE] Adam Roach's No Objection on draft-ietf-cose-hash-sig-07: (with COMMENT)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2019 03:20:48 -0000

Adam Roach has entered the following ballot position for
draft-ietf-cose-hash-sig-07: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-sig/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for the work that went into creating this document. I have no
comments on its contents (the crypto is somewhat outside my area of
expertise), although I have a few observations regarding the examples.

---------------------------------------------------------------------------

Appendix A:

>  This appendix provides a non-normative example of a COSE full message
>  signature and an example of a COSE_Sign1 message.  This section
>  follows the formatting used in [RFC8152].

I would suggest that RFC 8610 might be a better reference here, as it is
the document that actually defines the extended CBOR diagnostic format.
In particular my recommendation is:

  "This section is formatted according to the extended CBOR diagnostic
   format defined by [RFC8610]."

---------------------------------------------------------------------------

§A.1:

>  98(
>    [
>      / protected / h'a10300' / {
>          \ content type \ 3:0
>        } / ,
>      / unprotected / {},
>      / payload / 'This is the content.',
>      / signatures / [
>        [
>          / protected / h'a101382d' / {
>              \ alg \ 1:-46 \ HSS-LMS \
>            } / ,
>          / unprotected / {
>            / kid / 4:'ItsBig'
>          },
>          / signature / ...
>        ]
>      ]
>    ]
>  )

I think there are two things here that need to be addressed.

First, section 3 of this document specifies:

>     o  The 'kty' field MUST be present, and it MUST be 'HSS-LMS'.

I can't find a 'kty' field in this example.

Also, this example uses '-46' as the identifier for HSS-LMS,
while section 6.1 specifies the value as "TBD." This example needs
a clear note added for the RFC editor that the "-46" needs to be
replaced by the IANA-assigned value. A similar annotation will be
required for the 'kty' field, regarding the value assigned for section
6.2.

---------------------------------------------------------------------------

§A.2:

Same comments as A.1, above.