[COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08

John Mattsson <john.mattsson@ericsson.com> Wed, 24 February 2021 09:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/lT9reHUsM8lIMlCxm81XTKOcQtk>

Hi,

At the last interim Ben asked me to make a first attempt at summarizing the discussion and conclusions in the issue tracker, the list, and during the interim. I just made a pull request (PR) doing that.

https://github.com/cose-wg/X509/pull/35

The PR aims to address issues #29 #30 #31 #33 based on the discussion on the list and during the last interim. The solution is to use x5t together with the other parameters as suggested by Russ:

- Added to x5bag, x5chain, and x5u that integrity protection in COSE is required unless it is known that the CA did proof-of-possession.
- Added that integrity protection can be achieved by combining x5t with x5bag, x5chain, or x5u.
- Added explanation that sending x5bag or x5chain in unprotected allows an intermediary to remove or add certificates.
- Added clarification that x5t refers to an end-entity certificate.
- Added media type application/cbor for a COSE_X509 chain.
- Added that when the end-entity certificate is integrity protected by COSE, URI protection is not needed.
- Security consideration on why integrity protection of the end-entity certificate is required if there was no proof-of-possession.
- Security consideration on identity protection.

I think this addresses all the related use cases and security issues.
 - If the requirements are followed, it is secure.
 - No changes required to existing secure deployments.
 - It is still possible to send x5bag and x5chain in unprotected.
 - No extra overhead is required when used in EDHOC.
 - When used in EDHOC, plain unprotected CoAP can be used.

I tried to make the changes so that no existing secure deployment needs to change its implementation. It could otherwise be discussed whether integrity protection should be a MUST, but that would change existing implementations (which, if they do proof-of-possession, are already secure).

Cheers,
John
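As an added illustration of the x5t-plus-x5chain binding the mail proposes (example code, not part of the PR, the draft, or any COSE library): the thumbprint in the protected header is covered by the COSE signature or MAC, so a receiver can check that the first certificate of an unprotected x5chain still hashes to it and thereby notice a chain that an intermediary replaced. Header labels (x5chain=33, x5t=34) and the COSE algorithm id for SHA-256 (-16) are taken from the draft's registrations; the certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
import hmac

X5CHAIN = 33        # header label for an ordered certificate chain (draft value)
X5T = 34            # header label for a certificate thumbprint (draft value)
COSE_SHA256 = -16   # COSE Algorithms registry id for SHA-256

_HASHES = {COSE_SHA256: hashlib.sha256}


def x5t_for(cert_der: bytes, alg: int = COSE_SHA256) -> list:
    """Build a COSE_CertHash = [hashAlg, hashValue] over a DER certificate."""
    if alg not in _HASHES:
        raise ValueError(f"unsupported x5t hash algorithm {alg}")
    return [alg, _HASHES[alg](cert_der).digest()]


def chain_bound_to_x5t(protected: dict, unprotected: dict) -> bool:
    """True only if the end-entity certificate of the unprotected x5chain
    matches the x5t carried in the (integrity-protected) protected header.
    COSE_X509 is either a single bstr or an array whose first element is
    the end-entity certificate; an empty or missing chain fails closed."""
    if X5T not in protected or X5CHAIN not in unprotected:
        return False
    alg, digest = protected[X5T]
    if alg not in _HASHES:
        return False
    chain = unprotected[X5CHAIN]
    end_entity = chain[0] if isinstance(chain, list) and chain else chain
    if not isinstance(end_entity, bytes) or not end_entity:
        return False
    # Constant-time compare: the digest is not secret, but this is the idiom.
    return hmac.compare_digest(_HASHES[alg](end_entity).digest(), digest)


# Constructed stand-in certificates (labelled as such; not real DER).
EE_CERT = b"constructed-end-entity-cert"
CA_CERT = b"constructed-intermediate-ca-cert"
ROGUE_CERT = b"constructed-replacement-cert"


def demo() -> tuple:
    """Return (untouched chain accepted, swapped chain rejected)."""
    protected = {X5T: x5t_for(EE_CERT)}
    good = {X5CHAIN: [EE_CERT, CA_CERT]}
    tampered = {X5CHAIN: [ROGUE_CERT, CA_CERT]}   # intermediary swapped EE cert
    return chain_bound_to_x5t(protected, good), chain_bound_to_x5t(protected, tampered)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The same check applies to x5bag (label 32) by hashing whichever bag member is the end-entity certificate, and to x5u after the certificate has been fetched.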