Re: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01

Mike Jones <Michael.Jones@microsoft.com> Mon, 21 October 2019 21:11 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "J.C. Jones" <jc@mozilla.com>, "cose@ietf.org" <cose@ietf.org>
CC: Kevin Jacobs <kjacobs@mozilla.com>
Thread-Topic: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01
Date: Mon, 21 Oct 2019 21:11:27 +0000
Message-ID: <BN8PR00MB05638BD3633D5CFC31B6C325F5690@BN8PR00MB0563.namprd00.prod.outlook.com>
References: <CAObDDPADXoYn4N0jARibozT5NhWVb7JgNydyrEp_ytCR7pSs0A@mail.gmail.com>
In-Reply-To: <CAObDDPADXoYn4N0jARibozT5NhWVb7JgNydyrEp_ytCR7pSs0A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/tBYA29uCee2sd-1Nwbk3otTvQEU>

Thanks for the review, J.C. and Kevin.  Replies are inline below, prefixed by "Mike>".


Best wishes,

-- Mike



-----Original Message-----
From: COSE <cose-bounces@ietf.org> On Behalf Of J.C. Jones
Sent: Thursday, August 15, 2019 2:15 PM
To: cose@ietf.org
Cc: Kevin Jacobs <kjacobs@mozilla.com>
Subject: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01



All,



We reviewed draft-ietf-cose-webauthn-algorithms-01 and only have a pair of comments about the security considerations.



Regarding section 5.3:



While section 5.2 refers to RFC7518's guidance, currently 5.3 does not. Perhaps note in 5.3 something akin to "if you have an existing implementation, the exponent restrictions from RFC7518 also apply."



Mike> Good suggestion.  I'd be glad to do that.



Regarding section 5.4:



The first sentence uses the FIPS186-3 form P-256 when everything else in this document would imply we'd refer to it as secp256r1, though rfc8152bis uses the P-256 form. Perhaps all readers of this document would be able to avoid confusion, but since it's a section _about_ confusion, it seems worth pointing out. Perhaps a parenthetical could be added?



Mike> I propose to add a reference to "[RFC 7518]" after "P-256" to make it clear where the definition that we are using originates.



Kevin Jacobs and J.C. Jones



_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose
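The section 5.4 comment above turns on how easily P-256 (secp256r1) and secp256k1 are confused by name. As an added example, not code from the draft or from either correspondent, the check below rejects a public key whose point does not lie on the curve its identifier claims; the domain parameters are the published secp256r1 and secp256k1 constants, and the `{"crv", "x", "y"}` key shape is a constructed stand-in, not a COSE/JOSE encoding.

```python
# Curve-membership check for the two similarly named curves discussed in the thread.
# Constants are the published P-256 (FIPS 186-3 / secp256r1) and secp256k1 (SEC 2)
# domain parameters; the key dict shape below is a constructed simplification.
CURVES = {
    "P-256": {  # also called secp256r1 or prime256v1
        "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,  # p - 3
        "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        "G": (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
              0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    },
    "secp256k1": {  # the Koblitz curve: y^2 = x^3 + 7 over a different prime field
        "p": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
        "a": 0,
        "b": 7,
        "G": (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
              0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    },
}


def on_curve(crv, x, y):
    """True iff (x, y) is an affine point on the named curve:
    both coordinates are field elements and y^2 == x^3 + a*x + b (mod p)."""
    c = CURVES[crv]
    p = c["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % p == 0


def validate_ec_public_key(key):
    """Accept a constructed {'crv': str, 'x': bytes, 'y': bytes} key only if the
    point really lies on the declared curve; returns the curve name on success.
    Coordinates are 32-byte big-endian integers, as both curves use 256-bit fields."""
    crv = key["crv"]
    if crv not in CURVES:
        raise ValueError(f"unsupported curve {crv!r}")
    if len(key["x"]) != 32 or len(key["y"]) != 32:
        raise ValueError("coordinates must be 32 bytes for a 256-bit curve")
    x = int.from_bytes(key["x"], "big")
    y = int.from_bytes(key["y"], "big")
    if not on_curve(crv, x, y):
        # A P-256 point presented under the secp256k1 label (or vice versa) ends here.
        raise ValueError(f"point is not on {crv}: curve identifier and key disagree")
    return crv
```

A library that only trusts the curve label and never evaluates the curve equation will happily use a secp256r1 point as a secp256k1 key; the membership test is what turns the naming confusion into a hard error.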