Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08
Carsten Bormann <cabo@tzi.org> Mon, 24 May 2021 15:48 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E5453A2D20 for <cose@ietfa.amsl.com>; Mon, 24 May 2021 08:48:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_FAIL=0.001, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsABwWsJHwKF for <cose@ietfa.amsl.com>; Mon, 24 May 2021 08:48:53 -0700 (PDT)
Received: from gabriel-2.zfn.uni-bremen.de (gabriel-2.zfn.uni-bremen.de [IPv6:2001:638:708:32::19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CBC03A2D1D for <cose@ietf.org>; Mon, 24 May 2021 08:48:53 -0700 (PDT)
Received: from [192.168.217.118] (p548dcc89.dip0.t-ipconnect.de [84.141.204.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4FphTF254yz315S; Mon, 24 May 2021 17:48:49 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.6\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <HE1PR0701MB3050C02D9B9DAA425F0CCA0089269@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Date: Mon, 24 May 2021 17:48:48 +0200
Cc: cose <cose@ietf.org>
X-Mao-Original-Outgoing-Id: 643564128.258139-71acdace83bd5b4c518c91cdc99540f5
Content-Transfer-Encoding: quoted-printable
Message-Id: <0423B3B4-B93F-4381-B089-675A9DC98F8D@tzi.org>
References: <FE8C6CA0-DC5B-4A12-B467-957A9C1CD1BF@ericsson.com> <394D515A-62ED-4C0A-A2F0-B8686904F979@tzi.org> <43FF858C-455F-4A3E-8FC0-1B64D715518E@ericsson.com> <8D49BABD-474A-4FD8-B1EF-967A9D30E646@ericsson.com> <D0A8ED69-115A-48F9-8FD3-FDBEF24AEE69@island-resort.com> <9EFBA428-88C0-4BF2-8F8D-3B7B0D52557B@ericsson.com> <HE1PR0701MB3050C02D9B9DAA425F0CCA0089269@HE1PR0701MB3050.eurprd07.prod.outlook.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/tTPzum91C6_gNWhmaizrD-nc_B8>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 May 2021 15:48:57 -0000
Hi John, Is our intention that a chain is a CBOR sequence or is it a CBOR data item (an array)? It seems the current text says it is a single data item. > On 2021-05-24, at 12:00, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote: > > Hi, > > When we discussed this at the meeting is was agreed to change application/cbor to something more specific. The PR now use "application/cose-x509-chain". And has the text "When the application/cose-x509-chain media type is used, the data is a COSE_X509 structure containing a chain." > > I just noticed that an IANA section registering the media type is missing. I will add that to the PR. But before I do that: > > - Is application/cose-x509-chain the right thing? > - Or should it be application/cose-x509 allowing for both bag and chain? > - Or should there be two media types application/cose-x509-chain and application/cose-x509-bag? That depends on whether the media type is needed to make the semantic distinction or that is taken from the context (here: header parameter). The 8152 style was to have a single application/cose that would be further qualified by either an optional addition CBOR tag or an optional media-type parameter (cose-type=“…”). (And don’t forget to define CoRE Content-Formats…) Grüße, Carsten > x5bag and x5chain separates bag and chain, while x5u could be either. Knowing that it is a chain simplifies processing, but removes the option to transfer additional certificates. > > Cheers, > John > > From: John Mattsson <john.mattsson@ericsson.com> > Date: Thursday, 13 May 2021 at 13:07 > To: cose <cose@ietf.org> > Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08 > > Hi, > > https://github.com/cose-wg/X509/pull/35 > > There are three remaining discussions related to the PR that has to be concluded before merging the PR. > > - Two of the discussion are more editorial comments from Ben. > > - The third discussion is in my understanding more high-level and depend on what COSE can require/expect/get information about from the CA(s). It also depends on how much COSE should protect people from shooting themselves in the foot. > > The current text is > > "Unless it is known that the CA required proof-of-possession of the subject's private key to issue an end-entity certificate, the end-entity certificate MUST be integrity protected by COSE." > > Laurance commented that this is not enough and that the endpoints should agree on which end-entity certificate is used. CAs may issue several certificates with the same public key, and different CAs may issue several certificates with the same public key. > > Michael commented that this is overkill. There is also a discussion whether the requirement should be MUST or SHOULD. > > At a minimum I think the draft needs security consideration that discusses that there might be many certificates with the same public key and unless things are put in the protected header, the two endpoints might have different views on which certificate was used. > > I think this needs to be discussed on the list. > > Cheers, > John > > > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose
- [COSE] Pull-request addressing issues #29 #30 #31… John Mattsson
- Re: [COSE] Pull-request addressing issues #29 #30… John Mattsson
- Re: [COSE] Pull-request addressing issues #29 #30… Carsten Bormann
- Re: [COSE] Pull-request addressing issues #29 #30… John Mattsson
- Re: [COSE] Pull-request addressing issues #29 #30… John Mattsson
- Re: [COSE] Pull-request addressing issues #29 #30… Laurence Lundblade
- Re: [COSE] Pull-request addressing issues #29 #30… Michael Richardson
- Re: [COSE] Pull-request addressing issues #29 #30… John Mattsson
- Re: [COSE] Pull-request addressing issues #29 #30… John Mattsson
- Re: [COSE] Pull-request addressing issues #29 #30… Carsten Bormann