[jose] Re: [COSE] Re: Re: 2nd WGLC for draft-ietf-jose-fully-specified-algorithms (Fully Specified Algorithms)

Marco Tiloca <marco.tiloca@ri.se> Sat, 02 November 2024 16:51 UTC

Message-ID: <0513c0cd-c6e9-49a1-abbf-6553a4d3f336@ri.se>
Date: Sat, 02 Nov 2024 16:51:26 +0000
User-Agent: Mozilla Thunderbird
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, Michael Jones <michael_b_jones@hotmail.com>, "cose@ietf.org" <cose@ietf.org>, "jose@ietf.org" <jose@ietf.org>
References: <CA+mgmiOEbk9qjDwNTu198QVWAGqcuKNSPd2F-YtngcLZwjunZw@mail.gmail.com> <GVXPR07MB9678C278636D28A01AA85C44898F2@GVXPR07MB9678.eurprd07.prod.outlook.com> <PAXPR07MB88443BE71B6DDC81F845A2BDF49D2@PAXPR07MB8844.eurprd07.prod.outlook.com> <PH0PR07MB9077667AEB45E11B29D50D3AB7432@PH0PR07MB9077.namprd07.prod.outlook.com> <PAXPR07MB8844FA40C9236C28108C0BD0F4552@PAXPR07MB8844.eurprd07.prod.outlook.com>
Content-Language: en-US
From: Marco Tiloca <marco.tiloca@ri.se>
In-Reply-To: <PAXPR07MB8844FA40C9236C28108C0BD0F4552@PAXPR07MB8844.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/v3UnEQRe8BzffGbPdjONxi7BeWc>

Hi all,

I have the same concerns that Göran raised on the definition of 
"Deprecated".

I find the latest text from Göran to be better and more appropriate. 
Building on that, I suggest a further, slightly shorter version:

NEW_MT:
There is a preferred mechanism to achieve similar functionality to that 
referenced by the identifier; this replacement functionality SHOULD be 
utilized in new deployments in preference to the deprecated identifier, 
unless the deprecated identifier is used in constructs that fully 
specify the cryptographic operations to be performed, for example in 
EDHOC cipher suites.

Best,
/Marco

On 2024-10-31 09:55, Göran Selander wrote:
>
> Hi Mike,
>
> My remaining issue at the end below.
>
> *From: *Michael Jones <michael_b_jones@hotmail.com>
> *Date: *Monday, 21 October 2024 at 21:47
> *To: *Göran Selander <goran.selander@ericsson.com>, cose@ietf.org 
> <cose@ietf.org>, jose@ietf.org <jose@ietf.org>
> *Subject: *RE: [jose] Re: 2nd WGLC for 
> draft-ietf-jose-fully-specified-algorithms (Fully Specified Algorithms)
>
> Thanks for your comments, Göran.  See the updates to the specification 
> in 
> https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-06.html. 
> My replies are inline below, prefixed by “Mike>”.
>
> -- Mike
>
> *From:*Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
> *Sent:* Thursday, September 5, 2024 1:30 AM
> *To:* cose@ietf.org; jose@ietf.org
> *Subject:* [jose] Re: 2nd WGLC for 
> draft-ietf-jose-fully-specified-algorithms (Fully Specified Algorithms)
>
> (About target audience:  This draft is proposing to deprecate 
> algorithms in the COSE IANA registry. It would be great if it by 
> default was circulated also on the COSE WG mailing list to enable a 
> timely discussion among those affected.)
>
> Mike> Agreed
>
> With reference to a previous thread on this topic:
>
> https://www.mail-archive.com/cose@ietf.org/msg03799.html
>
> The term “deprecated” is still used in this draft with a different 
> meaning compared to RFC8996 and RFC9325. It doesn’t help that you in 
> this document point out that you are using the word with a different 
> meaning that people are used to, very much fewer people will read this 
> document than those that stumble on the term used in registries and 
> understand it from other contexts.
>
> Moreover, this overload of terminology is actually unnecessary:
>
> Section 4.4
>
> > The terms "Deprecated" and "Prohibited" as used by JOSE and COSE registrations 
> > are currently undefined.
>
> So, in fact this provides a unique opportunity to disambiguate and 
> avoid the otherwise inevitable confusion that will come up over and 
> over again arising from the use of the same term with different 
> meanings. A number of perfectly good alternative terms were suggested 
> in the referenced mail thread.
>
> Mike> Yes, there were not definitions of “Deprecated” and “Prohibited” 
> previously in the specifications, but I will observe that the use of 
> both terms in RFC 7518 makes the distinction pretty clear in context 
> based on the plain English meanings of the terms.  “Prohibited” means 
> that an algorithm must not be used. “Deprecated” means that an 
> alternative algorithm should be used, when possible.  The 
> specification clearly and consistently defines both of those terms in 
> a way that’s applicable to both JOSE and COSE.
>
> Mike> Furthermore, and I consider this a big plus, these definitions 
> don’t require any changes to existing JOSE or COSE registrations.  Nor 
> do they require defining new terms that were not already in use.  Many 
> of the other terminology proposals don’t share these advantages, which 
> is why we went with this one. I’ll also observe that some reviewers 
> explicitly thanked us for the clear terminology definitions.
>
> Moreover, for systems that make use of the COSE IANA registry and 
> specifies algorithms with enough parameters to make them completely 
> determined, for example EDHOC cipher suites, there is no need to 
> change or abandon the use of the current algorithms. Hence the 
> recommendation (“SHOULD”) in the definition does not apply to such 
> systems, and that circumstance should be stated as an exception to the 
> recommendation.
>
> Mike> We added text describing circumstances in which it makes sense 
> to continue using deprecated algorithms, per your suggestion.
>
> GS:  I maintain that “deprecated” is not a good choice of terminology, 
> and it will lead to misunderstandings for example from people coming 
> from the TLS world. But I’m happy to note that you acknowledge and 
> describe a setting for the continued use of these algorithms. However, 
> the text following “unless” does not capture all cases when this is true:
>
> OLD
>
> Deprecated
>
> There is a preferred mechanism to achieve similar functionality to 
> that referenced by the identifier; this replacement functionality 
> SHOULD be utilized in new deployments in preference to the deprecated 
> identifier, unless there exist documented operational or regulatory 
> requirements that prevent migration away from the deprecated identifier.
>
> GS: For example in case of EDHOC, there are no documented operational 
> or regulatory requirements that prevent migration; there is simply no 
> need to change or use other algorithms for new deployments because the 
> algorithms are used in ciphersuites which are fully specified. Here is 
> a proposed rephrasing:
>
> NEW
>
> There is a preferred mechanism to achieve similar functionality to 
> that referenced by the identifier; this replacement functionality 
> SHOULD be utilized in new deployments in preference to the deprecated 
> identifier, unless they are used in constructs where the cryptographic 
> algorithm identifiers fully specify the cryptographic operations to be 
> performed, for example in EDHOC ciphersuites.
>
> GS: The explicit reference to EDHOC is needed to mitigate the 
> inevitable confusion that will come when people wonder why deprecated 
> algorithms are used, following this choice of terminology.
>
> Göran
>
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

https://www.ri.se
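To make the distinction discussed in the thread concrete for an implementer, here is an added example (not code from the draft, the thread, or any IETF project) of how a library could apply the proposed "Deprecated" and "Prohibited" semantics to an algorithm identifier: "Prohibited" is always rejected, "Deprecated" triggers a migration warning for new deployments, except when the enclosing construct pins down every parameter the identifier leaves open, which is the EDHOC cipher-suite situation Göran and Marco describe. The registry contents, statuses and parameter sets below are constructed for illustration only; the assumption that an EDHOC cipher suite fixes the curve next to its signature algorithm follows the cipher-suite layout in RFC 9528.

```python
"""Policy check for COSE/JOSE algorithm identifiers under the proposed
"Deprecated" / "Prohibited" definitions. Registry entries are constructed
for this example and are not the draft's registration decisions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    ACTIVE = "active"
    DEPRECATED = "deprecated"
    PROHIBITED = "prohibited"


@dataclass(frozen=True)
class Entry:
    status: Status
    open_params: frozenset        # parameters the identifier leaves unspecified
    preferred: Optional[str]      # replacement named by the registry, if any


# Constructed registry. "EdDSA" is polymorphic (the curve comes from the
# key), so a bare identifier does not fully specify the operation.
REGISTRY = {
    "EdDSA": Entry(Status.DEPRECATED, frozenset({"curve"}), "Ed25519"),
    "Ed25519": Entry(Status.ACTIVE, frozenset(), None),
    "ES256": Entry(Status.ACTIVE, frozenset(), None),
    "EXAMPLE-PROHIBITED": Entry(Status.PROHIBITED, frozenset(), None),
}


@dataclass
class Construct:
    """A use of an identifier. `fixed` holds parameters the surrounding
    construct pins down; an EDHOC cipher suite fixes the signature curve
    alongside the signature algorithm (assumption, per RFC 9528 layout)."""
    alg: str
    fixed: dict = field(default_factory=dict)
    new_deployment: bool = True


def is_fully_specified(alg: str, fixed: dict) -> bool:
    """True when the construct supplies every parameter the identifier
    leaves open, so the cryptographic operations are fully determined."""
    return REGISTRY[alg].open_params <= set(fixed)


def evaluate(c: Construct) -> tuple:
    """Return ('ok', None), ('migrate', replacement) or ('reject', None)."""
    entry = REGISTRY.get(c.alg)
    if entry is None or entry.status is Status.PROHIBITED:
        return ("reject", None)       # unknown or "must not be used"
    if (entry.status is Status.DEPRECATED and c.new_deployment
            and not is_fully_specified(c.alg, c.fixed)):
        return ("migrate", entry.preferred)   # SHOULD use the replacement
    return ("ok", None)               # fully specified, or existing deployment
```

Evaluating `Construct("EdDSA")` for a new deployment yields a migration hint, while `Construct("EdDSA", fixed={"curve": "Ed25519"})`, the cipher-suite case, is accepted as is.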