Re: [COSE] questions for the WG from 8152bis AUTH48
Göran Selander <goran.selander@ericsson.com> Mon, 21 February 2022 15:18 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 3EC613A10E7
for <cose@ietfa.amsl.com>; Mon, 21 Feb 2022 07:18:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.676
X-Spam-Level:
X-Spam-Status: No, score=-2.676 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.576, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ivKBDLIKPaik for <cose@ietfa.amsl.com>;
Mon, 21 Feb 2022 07:18:10 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com
(mail-ve1eur01on061b.outbound.protection.outlook.com
[IPv6:2a01:111:f400:fe1f::61b])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 441C13A0C77
for <cose@ietf.org>; Mon, 21 Feb 2022 07:18:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Mo5SLvehVccrlfnfTGYcaAAyZPT1EdNDTqaXIMP1yt/Elfhfr+1g/OR4pxe28KlFIFRVEnjpJhNRRPDnwBUMN7SwrnyxObKqO08bb750N0sw5va9hH1CrOtQdh492DDgUzkMXRkiDNnxGUE20gUe1L0vxFg2yJiOw7g9k6Vzfl0M5wMFyKCcp9sXTPUHtn6h0dRp6If2LlDSlIE0+ilLgELzmQevRIn216kRw2HBT8Yc0iffbdhqxth3yQkjjDbioQTV4DpFpK/CnXiEj8MYLwEYJlRe7fXRDSMr7sD/ERk9h3Dd+JhwRaytAMWQ+9iJZqVw/Y7eF89HJkBA+X+Qtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=Xtl2qgvPRJhwZXQa5xpsGCRn4TZ3NwQdu4X+sAYCndU=;
b=huPoWZSyQ535TSwssMJgL1a0PJoCcjJcG2aJ6dJKLKgCxwoo6UqDrmBQ/MzTrNGhBkjJhxo4bzs+9BcdlgXOX6PyxkP2P2VShvkgQk8F4iE2UQ6CmbYvusV5VFxzZveO1ltSq0n0GO52JRD84N1HucjiSMN3ekRdwvYuwDRF7Lsf9i4yyN04ojnUeB7bivlSXPQXG1BAUociqXROjQtRf/ZL4uXlmqYzthe4sj0jZjSpt6ufACzjAP4w8EWek3c5XRBFey//6N7gavxaQk6ExTsw8Cz2614SnivqfC/ukc0eAAdfaj1EX+skCtI5I04erZkLDJXLv2Ra0lwP5+ugNQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com;
dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=Xtl2qgvPRJhwZXQa5xpsGCRn4TZ3NwQdu4X+sAYCndU=;
b=CenlBOu1Fz/ym2iEGKTTGA+ZN84ubsP7lNrwBgsehieTZkf355I56ORwJgJUBhiu2BlJ1R07rIyd6lxuzzcup1z9pTv44wpcjo7oqpvqy5O1BF6X7De4OZG8HV26t8gp2CMbPevhZ/o8Nt96d0bqAI97BCOoI3BGIbNNipI7gRk=
Received: from AM4PR0701MB2195.eurprd07.prod.outlook.com (2603:10a6:200:45::6)
by AM6PR07MB5222.eurprd07.prod.outlook.com (2603:10a6:20b:61::25)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.21; Mon, 21 Feb
2022 15:18:01 +0000
Received: from AM4PR0701MB2195.eurprd07.prod.outlook.com
([fe80::7c02:9e9:ecd3:ed36]) by AM4PR0701MB2195.eurprd07.prod.outlook.com
([fe80::7c02:9e9:ecd3:ed36%7]) with mapi id 15.20.5017.021; Mon, 21 Feb 2022
15:18:01 +0000
From: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] questions for the WG from 8152bis AUTH48
Thread-Index: AQHYJIR8x2Fwe5c4dkuLALx9+xA4mayeNCcA
Date: Mon, 21 Feb 2022 15:18:01 +0000
Message-ID: <0800E83E-20A7-45AC-8ADB-B803D2F25C38@ericsson.com>
References: <20220218045949.GN12881@kduck.mit.edu>
In-Reply-To: <20220218045949.GN12881@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.58.22021501
authentication-results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ca831d8e-285d-4357-d080-08d9f54d5997
x-ms-traffictypediagnostic: AM6PR07MB5222:EE_
x-microsoft-antispam-prvs: <AM6PR07MB5222A12EA41265D13D97C1BDF43A9@AM6PR07MB5222.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /8a3z0wX/NLNW0gbnH1Bgjsv0pdbdN40qGmoCT7OGvh583Z3h2z0nBfz3wZfr+BqvDlmSTIhAJ06xZQKwHuM8rVuuNTuRQujZr52VLCZAPsq+wCRiX3d+unvgS1pKpsc35mTqkFP56BP0x6i7KEj2KnoWKQ3y7vpQuixFVSv0bYr77KmvRa3dfCbjvRP+r41EcuLISN3O/74U0VMuuxRdVhv0Y5c/l1GhrlqTI0E4ulALcKfumRH2hREAva35mymM9WpY/xf2cYcwiaGKwpQnKbx3wTmO/17q7V2n4HGuQtxcKghUkj9Hg0ufGXVIyF72xlYmNI98f3HGknzfxxhVT3pgLG9Nu0F2BzlFiZUn96PLfY8iKQyCiaRkSC1eh8Xy0SSaBoCldeSePa1E52DhXMTvHYDLQ1hA+LnfYx/pscaAr5r7P/C/Iq8xetKgIQz3nUPYqnhG51HUtkWtjoBpiuP8r6B2qzRfyL4PUQLXcqYOMTE4MGpwu3X5E5079M9Y/fctfZIwbC7eFSqLBNANsQ3ONtdDCaFVwrCkUw2SWVjiPnQ8JytPTHv+dLVw6Mb7sGgTKCIyTMdW3Xd2StCyN2abTncCsYSwyOLyoGYmVe8nEuKMxsHdKyFVFHkQ8LsX9i95KcBKUjZf3isYNHuudU3gNpKw+/IV4zjLTnvzwx65ocg/s/gEY0TppG6AePphnSAX+kr2aHFSaHMCY/IcudD7/jKY8IDgFoCFnRGpADdpsavYmh6amlaVwXpjK8rt01KjzU4/DxSY1bVJpu0G59MOsgKYdnFMCrOfmZJjRCmpoXtQcoXRKDglh2xTGqm
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM;
H:AM4PR0701MB2195.eurprd07.prod.outlook.com; PTR:; CAT:NONE;
SFS:(13230001)(4636009)(366004)(110136005)(38100700002)(76116006)(66446008)(64756008)(66476007)(66556008)(66946007)(186003)(91956017)(26005)(6512007)(8676002)(316002)(2616005)(83380400001)(6506007)(86362001)(66574015)(38070700005)(2906002)(966005)(6486002)(85202003)(8936002)(5660300002)(508600001)(71200400001)(85182001)(36756003)(82960400001)(33656002)(122000001)(45980500001);
DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?d21kUlNxZFRMaDlIZ3RUcWc0NE15MkFxS0RDTWg5Mkp1NnFUV2szUDhRQnRi?=
=?utf-8?B?WjlIaW9tUlN2eU9FNCtZY2RLUUVlWUs1SkRIQW9FVEpQMURKbjM3UG9wZXl3?=
=?utf-8?B?NlBOc2FrTDBUS1VsVU1FTkpZamlUS29rNVJxNThXazJDN1NVT2VIOUZyZnVU?=
=?utf-8?B?eDNKTVRRY1lDTkU5S2ZzZy82OGZsOGVxZVVQRGVQZlYyU29XOER2bWNhbVBM?=
=?utf-8?B?V09yWHpOeUFPb3Rqcm54NlozSHFDSG1oRUtjY3RPVEVGbW9SSS9pcjI3TGpj?=
=?utf-8?B?K0RwcDlWaEwrcndzU1ZyTFBQNHZZTFB0dWVQK25KeHRGdjRPYk4vOWNscHFJ?=
=?utf-8?B?REFqQjdheUYxdVRVMEJXT1djekJGQnpqZUU4MnJ3NzUyc2NqR3VySGxLNVY1?=
=?utf-8?B?QXZ5Tnc4M0RMTlhpMUc3MmgxZ29BenRYOVRFUm1MS2pSU0JuTE51cUl5Mitx?=
=?utf-8?B?dmtRUWZxTjFMQ1ZuMTl0UllaR0FhM09BRUpPNmhUSU4rMmoxNmdwQ0ZHVkF4?=
=?utf-8?B?OWhLSWZ1MmdwUVBaV1NpdVJ6dEJ0MVAxOEFhUmRJQTJ2MkdGWnNHZnJoa3BW?=
=?utf-8?B?bks5dHU5UzJSai9ROGJlTGJ0ZDBQN2JSTUZzVVdTV0JvT1AwdGhiY3h5bnc0?=
=?utf-8?B?U0pEemJ4MXBMcHFoNDJiSFczZWZRRjh2TVhCZHFMcGRlZUhlQTBndnpQSFlO?=
=?utf-8?B?NkNvcjU1UHhNRzhMbnUrOUZiRmZVaDdkRDFDdno1M2ZEZ1ZMZGg2cVZydytQ?=
=?utf-8?B?R2hxNWRpZVZXR2htTWNZSUlXVFlkUkpkZ3VMV0U2SHVKNVl2bmZUZXdzNDNw?=
=?utf-8?B?MGw3bGV1YU1oc2xZR3o4RWZqVk1Da1daZDJNZTBTME9pd0d5VjgzU0VRc2ZG?=
=?utf-8?B?bERKVDNKQitxNUJhODVmZVErVVM1U1ZncXZRRFliY2JVSU1PQmtpYnN3clVk?=
=?utf-8?B?OTVrTWZFdXRJeExRa0IxM2ZXSDBQM3MzV0pqbGE4RGJ6TVB2RjltRlplK0wv?=
=?utf-8?B?VUpxRVl4R3Rnems1c0l1UFNBM0hkNzUwbkVuMWVQMUh1c280ZnJSWW9aK1Rx?=
=?utf-8?B?WGd4THhQMUdEQWgxMm5adWhCektsL2w4UDFDTjVQRHArL3ErUHZUWk9sMnlp?=
=?utf-8?B?ekR4M1llV2xaMTVBVVZ3ZHZxTzliUkFSZ3BSM1k0dSsxdXVZZzRXeWZlN1RX?=
=?utf-8?B?MExyd29OQ0N4Wm9PSkpGZjhDVXkvRTl6UXBHdmN5ZVd4ZVpBaWFidnd5a1A2?=
=?utf-8?B?ZG9mNU13aHpqZ0twdFozcncyZ3hIWGdVTTlVV0EwcExnRndlVFVMWlJOcllE?=
=?utf-8?B?MnVXVjJ4NVVKcDVIRy9uZFdiU2tHK3cyc1NoU3BxRE1FdGRmbzRTek13cGx0?=
=?utf-8?B?bmZESmtGN0NLekZvUm5QRDRyOE1hTnova1UxRXgzVVNKSG5aSFYzUUlFYWQv?=
=?utf-8?B?M0MwY3RZTlRYOUp3NDlOa2srVXZiN2xsYXJ0OEx6SnEzWG1YR3RPN1Buc2F0?=
=?utf-8?B?ZlRZUTFQbW1wQkw5eEwzMVZJczRuRGRJSURldkg2V1p3dFBFSmx2L1pzMTNR?=
=?utf-8?B?YVFja1FSNXRuc2huYXF4V2RKTEFhVUdydXRkSEMzcE9HQ1lRYWRxMjVGdUQy?=
=?utf-8?B?cVhFbWx1ZngyZkgvU2dsejJXVnVUUTlaMDhtdUV5YVkzbytzMFR6U2dNRjY2?=
=?utf-8?B?akNJT2pHL05GRUMxeUJJT25GMTZ0WVR2UW85UVpkb2ExN0wwL3ViVS9tZ1Nr?=
=?utf-8?B?Z2dQUi93VWNFaHZiVnZ3QXVEb1JBVHpXWVNVTkFYUnpORHNiemRTbHp3R2ZD?=
=?utf-8?B?cXNaT3FJR1lmekh6amNqNEtmWDZzbTVvWGJEQm54L21jck13elBwZDNzZmcx?=
=?utf-8?B?RSs2dkV1cnN2Q3JHeDh4c2VoOGYrOVE4bTM5dGlQdHc1MVo4eFc0WUFqVkc2?=
=?utf-8?B?bE5saWlvZW0xMFZ0dFR6UG8rZmRCK2toZmhDQ2Q1OWFkT1NWc3VRWnpIakhE?=
=?utf-8?B?cHA3dXRKYlpKcmRpN0lwZnJURzJ4bjRwT3B4bGpxeU9SYXM3NEpjWTlnSFox?=
=?utf-8?B?Q0NlWjdnWkFOZmRRaTIyQ2hwTTBSOU1pQTFlOXBZTkV5anA5QXJFQUlSOStT?=
=?utf-8?B?eXdpa0s4WGo2MWtNVnFPbkgzem1VTVpxOTdkem1pRnY5UFBaWGFDWVMrTG1t?=
=?utf-8?B?NUN1c2lGWlFjNzB6TmM5WXBhaFIwU1Jud0lxdWtRY0VIc0oxazI5akt4ZWFz?=
=?utf-8?Q?SA9lXGvvF/DdMl4Co5SnVpoShbCffGv9x7emcg1bkI=3D?=
Content-Type: text/plain; charset="utf-8"
Content-ID: <5108ED7C7818194AB0894624A820B91E@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM4PR0701MB2195.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ca831d8e-285d-4357-d080-08d9f54d5997
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2022 15:18:01.2950 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: M1NbRX6v/Aql2CaerGqGY4rJKYeRWzpjUXmcwW7glPQ8GpAzAET55olYsO3Nd8Teyk+nTEWfp+vS7p1uM/NlkpcmZZPfE3PKL0CH3rjsXDE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5222
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/mQufQLt1HKhx3J-a1f1byCC2j-E>
Subject: Re: [COSE] questions for the WG from 8152bis AUTH48
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>,
<mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>,
<mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Feb 2022 15:18:16 -0000
On 2022-02-18, 06:00, "COSE on behalf of Benjamin Kaduk" <cose-bounces@ietf.org on behalf of kaduk@mit.edu> wrote: Hi all, The chairs and I are continuing to work through the AUTH48 process for the 8152bis drafts, and a couple topics have come up that would benefit from some broader input. In https://datatracker.ietf.org/doc/html/draft-ietf-cose-rfc8152bis-struct-15#section-7.1 we we have a table of "Key Operation Values", discussing the various operations that are possible. Some of them include the statement "Requires private key fields", and for operations like "sign" or "unwraap key" this is pretty obviously true. But for "derive key" and "derive bits" this is less clear to me. In particular, my understanding is that I can do the derivation operations by combining a public key I control and a public key received from the peer. That, in turn, seems to imply that the serialized public key that I receive from the peer would be intended to be used for a derivation operation but would not contain the private key fields. Are we supposed to indicate the derivation operations in the "key_ops" field of such a public-key-only COSE_Key? I believe we are supposed to, and so have directed the RFC Editor to just remove the statement about "requires private key fields" for those two entries. This seems low-risk in that the statement itself is mostly informative, so we're either removing a false statement or removing something that's informative but obvious when you go to implement it. Do people agree with that interpretation of the "key_ops" for public-key-only key objects destined for derivation operations? [GS] I think it is fine to remove the text about private key fields here. But the use of "key_ops" as inherited from JOSE is not fully clear to me. To the extent it is useful to include a signature private key in a COSE_Key and restrict the operation to "sign", it is perhaps also useful to include a Diffie-Hellman private key in a COSE_Key, but what should the "key_ops" be? Computing the DH shared secret requires two keys, and as it should not be used directly as key, perhaps "derive bits" is the right operation? Or is there a missing operation "key agreement"? Göran
- [COSE] questions for the WG from 8152bis AUTH48 Benjamin Kaduk
- Re: [COSE] questions for the WG from 8152bis AUTH… Michael Richardson
- Re: [COSE] questions for the WG from 8152bis AUTH… Ilari Liusvaara
- Re: [COSE] questions for the WG from 8152bis AUTH… Marco Tiloca
- Re: [COSE] questions for the WG from 8152bis AUTH… Göran Selander