[COSE] AD Review of draft-ietf-cose-countersign-05
Roman Danyliw <rdd@cert.org> Wed, 04 May 2022 18:07 UTC
Return-Path: <rdd@cert.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0920DC1594AD for <cose@ietfa.amsl.com>; Wed, 4 May 2022 11:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s009VCXwSPhq for <cose@ietfa.amsl.com>; Wed, 4 May 2022 11:07:58 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0097.outbound.protection.office365.us [23.103.209.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA12FC14F74E for <cose@ietf.org>; Wed, 4 May 2022 11:07:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Bqk56Wy44yAW756C0kjt+pdRFjmYlCzFlQdBNfLHdRKnuIpvKkdmsj6AHDaVmc41cppyr2eLzT/wYocyCWQ8q71F37H5sTNRAJ1vaKNXjqnkTu91ytWZC+z21PkB7kKex9gFTNzTtgJNgEAfhdmMvIGb/dpByPY2ZGAhOrJqiKirZ+MQVntOnkxj1V2Jt/0dIq64pY20hxC+aarCc291QmYLqxu+0s5+5XfJaZsoex+3Ave7cN7WHtyVpDfDd3Z7eBRpJSFqCgAET7NqMdcjoEOUsCsugJVX0fST5X3vmhTmeZ7wx1HPkVxfhuAmaL71v3Rvm+CvDeA2O4ByjEYfvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VRPW4U2hDJ/WJ+bVcanhvtMbm8gdlVWRYJKOD37dHcs=; b=dq0VeHvauNTPGO76FZcuTAZ/4YPd4dhlzXwiyqbUOZD4PMqrDX23eAWBT++Z9yILIDu0gx1HdL73WSO7hoerTynChz7GaUM1fZeyPxnjmcv5YhOOhRmz0cUSEBja7UYiI8rt74u1QQqVJfWwks0Nh9/FhyAn6pwrD64woH7+4MphWaawclwv/y4wOcqSa9bK4MhaXphySd2fCqoi5nSu4tL7cx/GeTS2f7DHRM/JVJSzbUO0KQ69iH7ysUbofPORp7G2/FFaibxrmMBEiKOzltTsu953TVsqFnsZzAhKBybBb6YYzshRu8fY9WIUp3ryyKqaPAQXtkruEH+thEM7UA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VRPW4U2hDJ/WJ+bVcanhvtMbm8gdlVWRYJKOD37dHcs=; b=G4xOCiGxxWLyXrbU0QyYFE5uR0wPGQPwlpRFJVR6X7pAzHFkzgxtVLqe9PlsttxVYqX6ty1b77zpHeyscpS1po9Gfygy7XeLrcpjt/H9O4r84ZWm49WqFl4/j+M4yrYO0G44y5CvVNXBReGz1ChizIyHRdUpifWZtx0iyk6HTcs=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1623.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17d::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.14; Wed, 4 May 2022 18:07:46 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61d4:e6f0:d8e4:7722]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61d4:e6f0:d8e4:7722%6]) with mapi id 15.20.5186.028; Wed, 4 May 2022 18:07:46 +0000
From: Roman Danyliw <rdd@cert.org>
To: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: AD Review of draft-ietf-cose-countersign-05
Thread-Index: Adhf4PM+6SaX9rdaQIOBOz9eDp3frQ==
Date: Wed, 04 May 2022 18:07:46 +0000
Message-ID: <BN2P110MB110783804C36D19F2B440E83DCC39@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 12e457c0-e52d-489c-3b91-08da2df8fe21
x-ms-traffictypediagnostic: BN2P110MB1623:EE_
x-microsoft-antispam-prvs: <BN2P110MB16238FB473CA06979A4FE9C3DCC39@BN2P110MB1623.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wg37qXjupkj6OUkEkrWw/hI4Es2Hss1L1A8qGMLgdlkbzRGEh+Pc3+vE6KKS73wDEEJDFjcwmFd8uB1sgaMLIXuoadGPxvHmvTpDEMnVZRhmNXXl+Vhh3RFhIXiRcqgCKstb6C+yO5KZ88a3/migJ5pBbG6YS9OSA+41kUileO1ZSqm84fq/mVGpLO/T5AiskDSjUKNbkey+jEPyLF2Pohr/0MIrytq+v19c1CTjJspp4be7F7M/q7R36ktQNO+Gd8VoQBAnEY6b6LGo2nRbDt90Y15Gk71K+t+l9WGX0pR8MUSn9GkxNdBU0dPh3UflQR3yXROs2ZAL2qs8FT+27J7SteOp4tW9qceiVbrtIvVnth0GldBnXKD7TNlkYgLj3pEHv1469IZgVNnUQbtBNxzeIx301Dn7uFar20Pks9lAyrqpSDpVBIduzFPAavhzi8ty6D2ExwFfS3clocL3MyIFE7nLWVoDqFh0oaP+xhLDo7p2lYW93ZQbQaqkrxxBNwxk116Eb6bNggiCdi+0SpbiuT1gYQ5g92fQWvwe1Q8nd7FwByVIQkNwNhMnan825IZDCWvv5FxTW80DJpjy41Zg4JKq8WNz0QdjpCe95BPnetuk29F/E1rjsD3mMcIE
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(66946007)(76116006)(86362001)(66476007)(7696005)(122000001)(2906002)(6506007)(66556008)(9686003)(498600001)(26005)(71200400001)(8676002)(64756008)(66446008)(82960400001)(8936002)(6916009)(5660300002)(186003)(33656002)(55016003)(66574015)(38100700002)(38070700005)(83380400001)(52536014); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 94qR2RY1HVmuCnO5J2qxQg/zmf7mFP0FmEfdzzL56cbvSmu5Wz+g8a+oZVRl7JxpOPSSOIPDnFwLa5MNkZHlxwicea3LG4IHyPiMdGDlYE8iWEGyZNaDYrgNrM7L/0InXn6s8we0PfL7A+zYFqzLIujZnMq6jfh6NRBskvLCihn6E48q7R30tAooW1W+4gLNLC9uq3tcu/Pum6INcnbsrBgFS4tfI1Q29MZz/aCdXMSaTVgOLNzDWt5IyjPgdCFdOBwXfJaGUQ3bewg/YheOU6eijqhx1TfNsgtp0W/ORGJG64gwweOwlJulH+vXVXa8i/gO5MOPQjT9bHXqjVE4C0XAthjTcbgniJBg4W93bx9ReM/hzPF3biXsMM8qz1ec0SunQ92v688CYw/gaXsVYqpcsSEWP4THETSoyCwZcic=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 12e457c0-e52d-489c-3b91-08da2df8fe21
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2022 18:07:46.4451 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1623
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/QRGDLHtWrp8L-SExfNOC3SC2aP0>
Subject: [COSE] AD Review of draft-ietf-cose-countersign-05
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 18:07:59 -0000
Hi!
I performed an AD review of draft-ietf-cose-countersign-05. Thanks for this document and the efforts of the WG, especially Russ and the chairs, who picked up this document after Jim Schaad 's untimely passing. This document is another reminder of Jim's lasting and significant contribution to our community.
My feedback is as follows:
** Updating RFC8152.
-- Abstract. The meta-data suggests that this document updates RFC8152, please note that in this section.
-- The text of this document doesn't seem to explicitly say what section of RFC8152 is being updated and in what way. The closest is the guidance of the revised IANA table. Typically, an explicit statement would be made. Could something to the effect of "The countersignature approach described in Section 4.5 of RFC8152 is deprecated" be added somewhere.
** Section 1.
One of the standards that has
come out of this process is "Concise Binary Object Representation
(CBOR)" [RFC8949]. CBOR extended the data model of the JavaScript
Object Notation (JSON) [STD90]
Editorial. Since the text is referencing "standards" in the IETF maturity sense, either reference CBOR as STD94 or JSON as RFC8259 to be consistent.
** Section 1. s/IoT world/IoT user cases/
** Section 1. Recommend being clearer on the motivation, especially since multiple document are being cited and a distinction is being made between the abstract property of the countersignature and the precise specification.
OLD
During the process of advancing COSE to an Internet Standard, it was
noticed the description of the security properties of
countersignatures was incorrect for the COSE_Sign1 structure. Since
the security properties that were described, those of a true
countersignature, were those that the working group desired, the
decision was made to remove all of the countersignature text from
[I-D.ietf-cose-rfc8152bis-struct] and create a new document to both
deprecate the old countersignature algorithm and to define a new one
with the desired security properties.
NEW
During the process of advancing COSE to an Internet Standard, it was noticed that while the description of the security properties of countersignatures was accurate, the associate specification of their implementation in Section 4.5 of RFC8152 [RFC8152] was incorrect for the COSE_Sign1 structure. To remedy this situation, the working group decided to remove all of the countersignature text from [I-D.ietf-cose-rfc8152bis-struct] which was also updating [RFC8152] and create this, new document to both deprecate the previously specified countersignature algorithm and to define a revised one.
** Section 1
The new
algorithm is more aggressive about the set of values included in the
countersignature computation so that the cryptographic computed
values is included.
Can this be restated. I'm not sure what is means to be "more aggressive about the set of values ..."
** Section 1. Typo. s/cryptographic computed/cryptographically computed/
** Section 1.3.
Information which is part of the
context can come from several different sources including: Protocol
interactions, associated key structures, and program configuration
-- s/Protocol interactions/protocol interactions/
-- Is it "program configuration" or application configurations"? [I-D.ietf-cose-rfc8152bis-struct] seems to favor application.
** Section 2. Table 1. What is the purpose of the blank "Value Registry" column? I appreciate that this column is from the associated IANA registry, but the specifics are restated in Section 5.
** Section 3. Editorial. Be clearer on which "operations" are referenced.
OLD
It needs to be noted that the
countersignature needs to be treated as a separate operation from the
initial operation even if it is applied by the same user as is done
in [I-D.ietf-core-oscore-groupcomm].
NEW
A countersignature needs to be treated as a distinct operation from the initial operation that created the security structures on which it is being applied even if both are being performed by the same user as is done in [I-D.ietf-core-oscore-groupcomm].
** Section 3. Editorial. s/original version Section 4.5 of [RFC8152]/original version specified in Section 4.5 of [RFC8152]/
** Section 3. Editorial. s/a time point/a point in time/
** Section 3.
When done on a COSE_Mac or COSE_Mac0, the
payload is included as well as the MAC value.
Unlike the rest of the text, this sentence is describing what is signed not the semantics. Is this operation like COSE_Signature ("normal countersign semantics) or COSE_Sign (where there is a parallel signature).
** Section 3.
It should be noted that there is a big difference
between attesting to the encrypted data as opposed to attesting to
the plaintext data.
No disagreement. I might have said s/big different/distinction/. Isn't the distinction among three categories - on encrypted data (i.e., COSE_Encrypt, COSE_Encrypt0), on plaintext data (i.e., COSE_Sign), and on "cryptographic operation results" (i.e., COSE_Signature). It might be clearer to tie this caught directly the specific signing targets it implies.
** Section 3.1. I believe that Section 8.1 of [I-D.ietf-cose-rfc8152bis-struct] is the more specific reference for signature algorithms with appendix.
** Section 3.2
Abbreviated countersignatures were designed primarily to deal with
the problem of encrypted group messaging, but where it is required to
know who originated the message. The objective was to keep the
countersignature as small as possible while still providing the
needed security.
Why does the history of the primitive matter? Wouldn't it be better for this text simply to state what it is? What is "needed security"
NEW
Abbreviated countersignatures only encode the signature value and rely on the shared application or protocol context to guide it's processing.
** Section 3.3. Editorial. Additional clarity.
OLD
process takes in countersignature target
structure
NEW
process takes in countersignature target
structure (i.e., COSE_Signature, COSE_Sign1, COSE_Sign, COSE_Mac, COSE_Mac0, COSE_Encrypt, or COSE_Encrypt0)
** Section 3.3. A numbered, 6-item list of the contents of the Countersign_structure is provided.
-- Editorial. For easier reading, provide the name of the actual field in the bulleted list for all 6 items. For example:
OLD
2. The protected attributes from the target structure encoded in a
bstr type. If there are no protected attributes, a zero-length
byte string is used.
NEW
2. body_protected: The protected attributes from the target structure encoded in a
bstr type. If there are no protected attributes, a zero-length
byte string is used.
-- The text of #2 and #3 says this field is a bstr, but the CCDL fragment says its empty_or_serialized_map.
** Section 3.3. Be clear that there are mutually exclusive choices.
OLD
4. Place the resulting signature value in the correct location.
This is the 'signature' field of the COSE_Countersignature
structure. This is the value of the Countersignature0 attribute.
NEW
4. Place the resulting signature value in the correct location.
This is the 'signature' field of the COSE_Countersignature
structure for full countersignatures (see Section 3.1). This is the value of the Countersignature0 attribute for abbreviated countersignatures (see Section 3.2).
** Section 4.
In order to always regenerate the same byte string for the "to be
signed" value, the core deterministic encoding rules defined in
Section 4.2.1 of [RFC8949]. These rules match the ones laid out in
Section 9 of [I-D.ietf-cose-rfc8152bis-struct].
-- Editorially, the first sentence doesn't parse as it is missing a verb.
NEW
In order to always regenerate the same byte string for the "to be
signed" value, the core deterministic encoding rules defined in
Section 4.2.1 of [RFC8949] MUST be followed
-- What is the guidance to implementers with the sentence? Are they also supposed to following the restrictions in Section 9 of [I-D.ietf-cose-rfc8152bis-struct]?
** Section 5.1. Please explicitly state that this is a new entry in the "CBOR Tags" registry.
** Section 5.2. Table 2
-- Typo. s/vesion/version/
-- Why is the description for "counter signature version 2" = "v2 countersignature attribute", but for "Countersignature0 version 2" = "abbreviated ... version 2" - that is, why don't they both begin with "V2 xxx" (i.e., "V2 full counter signature" and "V2 abbreviated counter signature")?
* Section 6. Why are the first 6 paragraph of this document, ~1.5 pages, cut-and-paste from draft-ietf-cose-rfc8152bis-struct-15? That document is already with the RFCEd, please just cite the text and focus on the unique guidance here.
Thanks,
Roman
- [COSE] AD Review of draft-ietf-cose-countersign-05 Roman Danyliw
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Russ Housley
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Michael Richardson
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Russ Housley
- Re: [COSE] AD Review of draft-ietf-cose-countersi… Benjamin Kaduk