Re: [COSE] AD evaluation of draft-ietf-cose-x509-06
Barry Leiba <barryleiba@computer.org> Thu, 17 September 2020 17:27 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F19E43A0EBD; Thu, 17 Sep 2020 10:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.403
X-Spam-Level:
X-Spam-Status: No, score=-1.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxPXdj6efveG; Thu, 17 Sep 2020 10:27:36 -0700 (PDT)
Received: from mail-ua1-f47.google.com (mail-ua1-f47.google.com [209.85.222.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23D4C3A0EB2; Thu, 17 Sep 2020 10:27:33 -0700 (PDT)
Received: by mail-ua1-f47.google.com with SMTP id u48so962067uau.0; Thu, 17 Sep 2020 10:27:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Of9Vav9X+hmlA44VxOnsvDinVXxyMrt+qhP8wB89Fq4=; b=Su7FVor0KQ4uxAqSJ72sfFmUj4bbmlOm+tI+lJJg4Oqoe22uFhyRCei3gEFGzqzJkZ ELs5CVC+iCZjAQWpZK6rBnge1o9cWSyMtCHyf0lyu69nQazMnytrkvEwAL6DZ8T3/eQs Jnf3XsviI7psVzoxk5SSlyeAwYAs3pQRSBnC+OsPPkuV1sWkkFvO22IISY19j2fkoUMS QlxG8oZaK0N+pagskeKaKoMc8dcBGZT+99IjiUP4fEEZHiKKGqdgqr1sIDllzID061oc ILEyudSjm3JpPZLQT1rHLVgxNd1vpDtOSGy+Mj/MqvxCzQ/lmJ874LTc+X+IUfNKPq5L XqcA==
X-Gm-Message-State: AOAM532gmKmWXKrPgyaDuGxZE/WakEimzYrltCvDTfITROaB7g1IFBeo yTSzKMpLzIY+e0zJh3ffx1VZI6Bha+NN4SjCaYb2lnul7ss=
X-Google-Smtp-Source: ABdhPJw281u35WvZfb7GuqkgvrOsw2Hfm6cNUyvPq1HcuHwKM1JeXwsVha4Rw67gpEGB/CArotJmtjHRtSfs+ghleuk=
X-Received: by 2002:ab0:748e:: with SMTP id n14mr13396786uap.91.1600363652059; Thu, 17 Sep 2020 10:27:32 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJJ_--idVkDFA_UoO24nPJ8ieaKJkVxtO1Cr5UTF+A8Dzg@mail.gmail.com> <01c901d68afd$d5584860$8008d920$@augustcellars.com>
In-Reply-To: <01c901d68afd$d5584860$8008d920$@augustcellars.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 17 Sep 2020 13:27:21 -0400
Message-ID: <CALaySJ+pL2ULnjswaw4QNeNjQjqCdacBNK326wXO7HvZnJ+Tjw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-cose-x509.all@ietf.org, cose@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/zqXuWD1svy0IX5IHIsULyKZyIyk>
Subject: Re: [COSE] AD evaluation of draft-ietf-cose-x509-06
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 17:27:38 -0000
Hi, Jim. Just leaving the items that aren't fully settled: >> For interoperability, applications which use this header parameter >> MUST support the hash algorithm 'SHA-256', but can use other hash >> algorithms. >> >> I appreciate the need for an MTI alg here, but what does it really >> mean for me to say that my temperature sensor “supports SHA-256”, but >> that everything it sends uses SHA-512? How does that help >> interoperability? > > [JLS] If you have not agreed with others that this is what you are > doing, then it does not help interoperability. However, I am also > loathe to say that you MUST use this algorithm and only this > algorithm. My expectation is that people are more likely to use > SHA-256/64 rather than SHA-256 in this case as the shorter thumbprint > means less bytes on the wire. I don't know what else could be said > here. I'm not sure how to say it either, but I don't think what's there really addresses interoperability. I think you understand what I'm getting at, yes? Possibly it just doesn't make sense to have an MTI algorithm, and instead have text advising about interop issues with regard to the hash algo. Maybe just put a "cref" note in about this issue, and let people who review it cogitate about it -- maybe we'll get some ideas. >> This will normally be the situation when self-signed certificates >> are used. >> >> I wonder whether some readers will misread this as saying that >> self-signed certs will normally be used here. Maybe, “Self-signed >> certificates are more likely to appear in this parameter than in the >> others.” ? > > [JLS] No, this is what I really meant "In particular, self-signed > certificates MUST NOT be trusted without an out-of-band confirmation." That text sounds useful, yes; thanks, Barry
- [COSE] AD evaluation of draft-ietf-cose-x509-06 Barry Leiba
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Jim Schaad
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Barry Leiba
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Barry Leiba
- Re: [COSE] AD evaluation of draft-ietf-cose-x509-… Jim Schaad