[COSE] Protocol Action: 'CBOR Object Signing and Encryption (COSE)' to Proposed Standard (draft-ietf-cose-msg-24.txt)

The IESG <iesg-secretary@ietf.org> Mon, 28 November 2016 20:44 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: cose@ietf.org
Delivered-To: cose@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C4779127077; Mon, 28 Nov 2016 12:44:52 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.38.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148036589279.5470.12771092435880786130.idtracker@ietfa.amsl.com>
Date: Mon, 28 Nov 2016 12:44:52 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/tTURgbBqaBC22Dqgmig2s30Gqvg>
Cc: cose@ietf.org, cose-chairs@ietf.org, Kathleen.Moriarty.ietf@gmail.com, The IESG <iesg@ietf.org>, draft-ietf-cose-msg@ietf.org, goran.selander@ericsson.com, rfc-editor@rfc-editor.org
Subject: [COSE] Protocol Action: 'CBOR Object Signing and Encryption (COSE)' to Proposed Standard (draft-ietf-cose-msg-24.txt)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.17
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2016 20:44:53 -0000

The IESG has approved the following document:
- 'CBOR Object Signing and Encryption (COSE)'
  (draft-ietf-cose-msg-24.txt) as Proposed Standard

This document is the product of the CBOR Object Signing and Encryption
Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-cose-msg/





Technical Summary

This specification describes how to create and process signatures, message authentication codes and encryption using the Concise Binary Object Representation (CBOR, RFC7049) for serialization.  The specification additionally specifies how to represent cryptographic keys using CBOR.

This specification is a Standards Track RFC describing a solution component analogous to the JSON Web suite of security RFCs 7515-7518 (JOSE WG), but using the CBOR encoding format.

Working Group Summary

   The document was developed by the COSE working group based on requirements from constrained device/IoT community (CORE/ACE WGs) and on the experience of developing the JSON Web security suite of RFCs (JOSE/OAuth WGs). There is a small dedicated team of people interested in this work, and reviews has been performed mainly by these people. One category of issues has been on generic message format vs dedicated formats optimized for certain constrained settings. This was resolved with a small set of dedicated formats complementing the generic formats. Another category of issues has been on the deviations from JOSE or omission of legacy crypto not suitable for constrained devices. There has been some contention by individuals of how individual review comments were addressed. There are no substained objections on any issues relating to this draft. The current open issues are related to additional algorithm and is out of scope for this draft.

Document Quality

   The draft records the status of known implementations of the protocol defined by this specification (based on RFC 7942). Three implementations currently maintained by the author are referenced, in Java, C# and C (https://github.com/cose-wg).
Ongoing work on a JavaScript implementation has been announced. Implementations optimized for constrained platforms are requested by different companies and is in progress.

The SecDir review was performed by Steve Kent and was thorough.  While something could always be missed, Steve has experience with crypto applications, so his review should alleviate concerns mentioned in the shepherd write up about a security review.  Changes from this review are in GitHub: https://github.com/cose-wg/cose-spec

Personnel

   The document shepherd is Göran Selander.
   The responsible Area Director is Kathleen Moriarty.

IANA Note

  This draft creates the following registries with expert review required and with specification required only where noted:
   16.2: COSE Header Parameters registry, with specification (specification, standards track specification, or just expert review) required depending on the value of the 'label' requested.
   16.3 COSE Header Algorithm Parameters registry
   16.4. COSE Algorithms Registry, with specification required (specification, standards track specification, or just expert review) required depending on the integer 'value' requested.
   16.5. COSE Key Common Parameters registry, with specification (specification, standards track specification, or just expert review) required depending on the value of the 'label' requested.
   16.6. COSE Key Type Parameters registry
   16.7. COSE Key Type registry
   16.8. COSE Elliptic Curve Parameters registry, with specification (specification, standards track specification, or just expert review) required depending on the integer 'value' requested.

This draft also adds entries to the following registries:
16.1: Assigns Tags from the "CBOR Tags" registry
16.9: Adds two entries to the "Media Types" registry
16.10: Adds entries to the "CoAP Content-Format" registry




RFC Editor Note

3 references will need to be updated during the editing process:

- draft-moriarty-pkcs5-v2dot1 is currently in the RFC Editor Queue as RFC-to-be 8018
- draft-moriarty-pkcs1 has been published as RFC 8017 
- draft-selander-ace-object-security has been adopted in CoRE and replaced by draft-ietf-core-object-security.