Re: [sacm] [COSE] CoSWID review

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Tue, 19 November 2019 03:08 UTC

From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: Jim Schaad <ietf@augustcellars.com>, "cose@ietf.org" <cose@ietf.org>
CC: 'sacm' <sacm@ietf.org>
Thread-Topic: [COSE] [sacm] CoSWID review
Thread-Index: AQHVi0zu4YoCNvAGF0yJOMlWNNVbBKePD0jWgAHz1s+AANn+TYAAAOYrgAAMXoCAAAcECw==
Date: Tue, 19 Nov 2019 03:08:02 +0000
Message-ID: <BN7PR09MB2819937DE42C9A1FA0F7C675F04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
References: <CAHbuEH7OH_89+e4_BmXJN4LgxzTTQ9MtKF_03XK--a8K4AO11w@mail.gmail.com> <lejxf9f4owwm819gnwiwhlo0.1573973274271@email.android.com> <CAHcK3jMef-SK+AH4RC+EQs1LQ6wZCDAPGLCxqUyE+MFn=n-H+g@mail.gmail.com> <CAHbuEH75-jbPTqprpzjOdhRTVjtBcKy4+M6gW=zEog140ZEw5Q@mail.gmail.com>, <CAHbuEH6SjQRriP-2Sr4k12_hRk88VR3vpTsSW7phqEdKCJoRqg@mail.gmail.com>, <BN7PR09MB281982821C9CD2D11A5F546AF04C0@BN7PR09MB2819.namprd09.prod.outlook.com> <BN7PR09MB28195DC7222FF17789AAC7EBF04C0@BN7PR09MB2819.namprd09.prod.outlook.com>, <010401d59e80$7f4be360$7de3aa20$@augustcellars.com>
In-Reply-To: <010401d59e80$7f4be360$7de3aa20$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/5u-w-Z10opm5n6-u26YLZoL8oKg>
Subject: Re: [sacm] [COSE] CoSWID review
List-Id: SACM WG mail list <sacm.ietf.org>

Jim,

Your suggestion of expressing the filter by way of text in the CoSWID draft would provide a path forward. This approach is less clear cut as it leaves the implementer to decide which algorithms are "hash algorithms". This will likely lead to different implementations choosing a different set of algorithms. To address this, I guess we will need to include some text that makes sure that a parser will not fail the parse when encountering an unsupported hash algorithm identifier.

Any other ideas that might provide a clearer solution?

Thanks,
Dave

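The parser tolerance Dave asks for above, as an added example that is not part of this thread or of the CoSWID draft: a small Python decoder for a single CoSWID hash-entry that parses the CBOR, looks the algorithm id up in the IANA Named Information Hash Algorithm Registry, and reports an unknown id as "unsupported-alg" instead of failing the parse. It assumes the hash-entry shape of a two-element CBOR array (an unsigned-integer hash-alg-id followed by a byte-string hash-value) and the registry id-to-algorithm table embedded below; the sample content and entries are constructed for the example.

```python
import hashlib
import hmac

# IANA "Named Information" Hash Algorithm Registry (RFC 6920), the registry the
# CoSWID draft cites: id -> (hashlib name, digest length in bytes after truncation).
# Assumption for this example: ids absent from this table are "unsupported", not errors.
NI_HASH_ALGS = {
    1: ("sha256", 32), 2: ("sha256", 16), 3: ("sha256", 15), 4: ("sha256", 12),
    5: ("sha256", 8), 6: ("sha256", 4), 7: ("sha384", 48), 8: ("sha512", 64),
    9: ("sha3_224", 28), 10: ("sha3_256", 32), 11: ("sha3_384", 48), 12: ("sha3_512", 64),
}


def _read_head(buf, pos):
    """Decode one CBOR initial byte plus its argument; return (major, value, next_pos)."""
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        return major, ai, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if width is None:
        raise ValueError("unsupported CBOR additional info %d" % ai)
    return major, int.from_bytes(buf[pos:pos + width], "big"), pos + width


def decode_hash_entry(buf):
    """Parse [uint hash-alg-id, bstr hash-value]; any unsigned id is accepted here."""
    major, count, pos = _read_head(buf, 0)
    if major != 4 or count != 2:
        raise ValueError("hash-entry must be a 2-element array")
    major, alg_id, pos = _read_head(buf, pos)
    if major != 0:
        raise ValueError("hash-alg-id must be an unsigned integer")
    major, length, pos = _read_head(buf, pos)
    if major != 2:
        raise ValueError("hash-value must be a byte string")
    digest = bytes(buf[pos:pos + length])
    if len(digest) != length:
        raise ValueError("truncated hash-value")
    return alg_id, digest


def check_hash_entry(buf, content):
    """Return 'match', 'mismatch' or 'unsupported-alg'; an unknown id never raises."""
    alg_id, digest = decode_hash_entry(buf)
    alg = NI_HASH_ALGS.get(alg_id)
    if alg is None:
        return "unsupported-alg"
    name, n = alg
    expected = hashlib.new(name, content).digest()[:n]
    # Constant-time comparison; a wrong-length digest simply compares unequal.
    return "match" if hmac.compare_digest(expected, digest) else "mismatch"


# Constructed samples. 0x82 = array(2); 0x58 0x20 = bstr(32); 0x50 = bstr(16);
# 0x18 0x63 = uint 99; 0x44 = bstr(4).
CONTENT = b"hello"
ENTRY_SHA256 = b"\x82\x01\x58\x20" + hashlib.sha256(CONTENT).digest()
ENTRY_SHA256_128 = b"\x82\x02\x50" + hashlib.sha256(CONTENT).digest()[:16]
ENTRY_UNKNOWN = b"\x82\x18\x63\x44" + b"\x00" * 4      # id 99 is not registered
ENTRY_TAMPERED = b"\x82\x01\x58\x20" + hashlib.sha256(b"hellp").digest()

if __name__ == "__main__":
    for label, entry in [("sha-256", ENTRY_SHA256), ("sha-256-128", ENTRY_SHA256_128),
                         ("id 99", ENTRY_UNKNOWN), ("tampered", ENTRY_TAMPERED)]:
        print(label, "->", check_hash_entry(entry, CONTENT))
```

The split between `decode_hash_entry` and `check_hash_entry` is the point: the CBOR layer accepts any unsigned integer as the algorithm id, so a registry that grows after the parser shipped never turns a well-formed tag into a decode error, and the verification layer is where policy lives (an "unsupported-alg" result should be treated as "not verified", never as "verified").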
________________________________
From: Jim Schaad <ietf@augustcellars.com>
Sent: Monday, November 18, 2019 9:24 PM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; cose@ietf.org <cose@ietf.org>
Cc: 'sacm' <sacm@ietf.org>
Subject: RE: [COSE] [sacm] CoSWID review

Do you believe that there is an issue where you cannot say: use the values from registry X, and this must be a hash algorithm, without trying to do some type of filter? If we do a filter then we start playing the game of naming all of the different types of algorithms and potentially need to deal with algorithms which would have two algorithm type labels.

Jim

From: COSE <cose-bounces@ietf.org> On Behalf Of Waltermire, David A. (Fed)
Sent: Tuesday, November 19, 2019 9:52 AM
To: cose@ietf.org
Cc: sacm <sacm@ietf.org>
Subject: Re: [COSE] [sacm] CoSWID review

COSE WG,

I accidentally sent the last email early. Please ignore it.

Kathleen provided comments below on draft-ietf-sacm-coswid suggesting that we use the COSE proposed algorithm identifiers for hashes in CoSWID. We are currently using the entries in the IANA Named Information Hash Algorithm Registry. It would be great to align with the COSE hash algorithms, but I can't figure out a way to point to only the hash algorithms in the COSE Algorithms registry. We can point to draft-ietf-cose-hash-algs once it's published as an RFC, but this would be less agile in the face of future updates to COSE hash algorithms. It would be very useful if the COSE Algorithms registry had a column for algorithm type. That way we could select only the hash algorithms.

Do you have any suggestions on how we might move forward?

Regards,

Dave Waltermire



________________________________

From: Waltermire, David A. (Fed) <david.waltermire@nist.gov>
Sent: Monday, November 18, 2019 8:39 PM
To: cose@ietf.org <cose@ietf.org>
Cc: sacm <sacm@ietf.org>
Subject: Fw: [sacm] CoSWID review

On Sun, Nov 17, 2019 at 6:45 AM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

Hi Dave,

On Sun, Nov 17, 2019 at 3:02 AM Dave Waltermire <davewaltermire@gmail.com> wrote:

Kathleen,

Thank you for the review. I have addressed your comments in the latest draft. Some comments on your comments are inline below.

From: sacm <sacm-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, October 25, 2019 11:57 PM +0800
To: "<sacm@ietf.org>" <sacm@ietf.org>
Subject: [sacm] CoSWID review

Section 2.6:

A Thumbprint is specified in this section; should this be referenced for clarity on hashes with COSE for object identification: https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/

Would it be better to tie to the COSE set of supported algorithms (they likely match, but I didn't verify)?

The IANA COSE Algorithms registry contains other types of algorithms beyond hash algorithms. To use this registry, we would need to list the hash-specific algorithms, which is less ideal. It's a shame this registry isn't broken out by algorithm type, which would make this decision easy. With the IANA "Named Information Hash Algorithm Registry", we get only hash algorithms, which is what we are looking for. Can you live with use of the IANA "Named Information Hash Algorithm Registry"?

COSE is open as is their main draft. This is a problem that can likely be solved this week... Talk to Jim. Let me and the list know what's possible.