[sacm] Fw: CoSWID review
"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Tue, 19 November 2019 01:40 UTC
Return-Path: <david.waltermire@nist.gov>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12A6F120220; Mon, 18 Nov 2019 17:40:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDrc1oWjWIT6; Mon, 18 Nov 2019 17:40:00 -0800 (PST)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2106.outbound.protection.outlook.com [40.107.91.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF332120B7D; Mon, 18 Nov 2019 17:40:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IiWewcZWzpUD3seFj4uZHgQAR4lr2Jpjm2ZWwdzmL6m7d9GyzN7T6Yuw86mtdY01gNNBg3+PKdE4RxLctGdvvQuoN/hE15czJm0du8WgP7OSFjfqXRoMXdsdBD/ju/rI9/SwmBp1ZHxLngFgMq61Ep+p8gv93yfXJ1peMyijKGsEmjyOnML8M1N4BlaG3j6E290hpOdfUsnWYC5NSTztDOuljl94CAkdVo94QpA6L/tKc9U7EBCNlSrt7W0PVx7C1w3B+TUfNwjsq5Kv2Fh5XQoJcnDVV/YBh4pauSa7/EbkqXEuLSPhzsUaD/wntfYeQzE/+7lbYtcVsN1JXaK7tw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C52JIt1O8IGF8tzRw6TihHD9dvNBJi0iwxmmwxh1GEU=; b=eAEOvhQrD7mYdYURq73zQVIDn91pAuw5Dc41ra9KkaPk1F9Ik9z2U7Ka/fVDoWqhiNM4kTVsB3olBK+9efHtWrIhCJXYqJCswg+p16z6mqVEuOfos8M/WzBV+qhcoNpk4lenViAasYV9vECgjMkHrufUKhOPYPv/i7Q3zSfWs0++rmiQrKBk8lOotrvoMvxZxLiobUIuw7+FIZMz9Jq9TIY6Q60m1uSMU/Ij13r4sjxXG1uHTjdGUUZI6Jlfp9odfGY4TVjFwfAvQp1AevUCGTh1wdgz1IONKPFM90C1Z/3U5/Tl4pD7sanvqfzh2oLlc/I5f4fO0l7PDbm5+4uwyg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C52JIt1O8IGF8tzRw6TihHD9dvNBJi0iwxmmwxh1GEU=; b=wwsrF7uGSeB5rPccDl+8RdCWWAeXAqlaVHl1zbQwlHzCGL06Mq938ENt2G0R70G66l2ycK21YpfcNtwVCR9O4UwNNe/A5Sqk4/SU5RdSb5v/fY0qIp6kWuCmdG0INMyk/tOiSIDxJ2dr4J8E2quzKNc2G2kzYLsWCy9SlE4NNbw=
Received: from BN7PR09MB2819.namprd09.prod.outlook.com (52.135.242.24) by BN7PR09MB2673.namprd09.prod.outlook.com (52.135.247.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.22; Tue, 19 Nov 2019 01:39:59 +0000
Received: from BN7PR09MB2819.namprd09.prod.outlook.com ([fe80::6d13:7512:b4df:e310]) by BN7PR09MB2819.namprd09.prod.outlook.com ([fe80::6d13:7512:b4df:e310%7]) with mapi id 15.20.2451.031; Tue, 19 Nov 2019 01:39:59 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "cose@ietf.org" <cose@ietf.org>
CC: sacm <sacm@ietf.org>
Thread-Topic: [sacm] CoSWID review
Thread-Index: AQHVi0zu4YoCNvAGF0yJOMlWNNVbBKePD0jWgAHz1s+AANn+TQ==
Date: Tue, 19 Nov 2019 01:39:58 +0000
Message-ID: <BN7PR09MB281982821C9CD2D11A5F546AF04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
References: <CAHbuEH7OH_89+e4_BmXJN4LgxzTTQ9MtKF_03XK--a8K4AO11w@mail.gmail.com> <lejxf9f4owwm819gnwiwhlo0.1573973274271@email.android.com> <CAHcK3jMef-SK+AH4RC+EQs1LQ6wZCDAPGLCxqUyE+MFn=n-H+g@mail.gmail.com> <CAHbuEH75-jbPTqprpzjOdhRTVjtBcKy4+M6gW=zEog140ZEw5Q@mail.gmail.com>, <CAHbuEH6SjQRriP-2Sr4k12_hRk88VR3vpTsSW7phqEdKCJoRqg@mail.gmail.com>
In-Reply-To: <CAHbuEH6SjQRriP-2Sr4k12_hRk88VR3vpTsSW7phqEdKCJoRqg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov;
x-originating-ip: [2001:67c:370:128:440f:2dc1:3eca:7ca4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 8d2899d1-7ba7-4267-10dc-08d76c91638f
x-ms-traffictypediagnostic: BN7PR09MB2673:
x-microsoft-antispam-prvs: <BN7PR09MB26735CCE196702869FEC091EF04C0@BN7PR09MB2673.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:1265;
x-forefront-prvs: 022649CC2C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(396003)(136003)(39860400002)(366004)(189003)(199004)(5660300002)(46003)(2906002)(33656002)(14454004)(606006)(74316002)(478600001)(76176011)(99286004)(486006)(966005)(5640700003)(91956017)(4326008)(76116006)(316002)(450100002)(6436002)(14444005)(6916009)(476003)(55016002)(6306002)(54896002)(2473003)(9686003)(236005)(11346002)(446003)(8936002)(2351001)(256004)(6116002)(6506007)(71190400001)(71200400001)(25786009)(102836004)(229853002)(186003)(19627405001)(7696005)(66446008)(8676002)(52536014)(81156014)(81166006)(1730700003)(2501003)(7736002)(64756008)(66556008)(66946007)(66616009)(66476007)(105004)(53546011)(86362001)(482324003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN7PR09MB2673; H:BN7PR09MB2819.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 64oBm3rJ/T1wjkxRZK63YfEBf9IU/rIJXpwj3378kUDgoGfdiV8KFbJuGCOSCPi/sq4TsMVwwXYVVr44LXXNTE0oycmTfkIX8CeUs1ulYWIHNyHHmbHzQSzqnLpcHlt2DjzZmuhtccIJEZQxdbzIRE5Q4PrkxXM70AXwxZZoShrSM4XMO63wVAKxu8CmLhxTlRcbOyrHD4eIDb9C4HX34y6uTPnGUAoEfm4G+2NK7MoDU0FNmM4apa50IZ2FIs2P4SeXoiOYM/pFC6jZIvo4rvV86S7woLiPd+cUfVNWDVR1F5uiqHC0G8RD3ld/FMPs1J8yeriHZ43azCpFI+N15nBmZCXkNvMclCOq7ltQOA4BZDR/xyBSzt68N+sW7FUP1QpGNNHfv822s0y7n09nxSuTu6+dQtvooKj5WQXBRGJ4Lotm23fe2ExMOfn7hpeG
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed; boundary="_004_BN7PR09MB281982821C9CD2D11A5F546AF04C0BN7PR09MB2819namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 8d2899d1-7ba7-4267-10dc-08d76c91638f
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Nov 2019 01:39:58.9074 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bBgZuUYuOs9UUizuhWwnRAgAWcs6rwltCyVA1MxlcQiP6PGXZC/k7wZ4ZqTpNPgYgagVBOR8Z9tvgo/kCveHxQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR09MB2673
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/V_rij6ebc7mV7dN2K6fkN6jEhl0>
Subject: [sacm] Fw: CoSWID review
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 01:40:06 -0000
On Sun, Nov 17, 2019 at 6:45 AM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote: Hi Dave, On Sun, Nov 17, 2019 at 3:02 AM Dave Waltermire <davewaltermire@gmail.com<mailto:davewaltermire@gmail.com>> wrote: Kathleen, Thank you for the review. I have addressed your comments in the latest draft. Some comments on your comments are inline below. From: sacm <sacm-bounces@ietf.org<mailto:sacm-bounces@ietf.org>> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> Date: Fri, October 25, 2019 11:57 PM +0800 To: "<sacm@ietf.org<mailto:sacm@ietf.org>>" <sacm@ietf.org<mailto:sacm@ietf.org>> Subject: [sacm] CoSWID review Section 2.6: A Thumbprint is specified in this section, should this be referenced for clarity on hashes with COSE for object identification: https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cose-hash-algs%2F&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C75ba45cd96ab47c1496808d76c23fd62%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637096774138383674&sdata=7FGlZBW3KNZeR7ur3baxZKvGm5m8jYR%2BdQnng6L1%2Bmc%3D&reserved=0> Would it be better to tie to the COSE set of supported algorithms (they likely match, but I didn't verify)? The IANA COSE Algorithms registry contains other types of algorithms beyond hash algorithms. To use this registry, we would need to list the hash-specific algorithms, which is less ideal. Its a shame this registry isn't broken out by algorithm type, which would make this decision easy. With the IANA "Named Information Hash Algorithm Registry", we get only hash algorithms, which is what we are looking for. Can you live with use of the IANA "Named Information Hash Algorithm Registry"? COSE is open as is their main draft. This is a problem that can likely be solved this week... Talk to Jim. Let me and the list know what's possible. Section 5: It might be helpful to list what is being requested at the start of the IANA section X registries are established with this request with initial entries for X registries. Values for Z existing registries are requested. Done. Thanks. 5.1: s/This document uses integer/This registry uses integer/ Fixed. Section 5.2.5: s/This document defines a new a new a/This document establishes a/ Fixed a bunch of cases that matched this pattern. Thanks for catching this. Just trying to head off issues at the later review stages :-) . And they were all super minor and may have gone through unnoticed. Security Considerations: I'm wondering why CWT [RFC8392] was not used or recommended for signing. Is it that the other method fits better within SWIMA? COSE was chosen for CoSWID, since it is parallel to the use of XMLDSig.for SWID tags. We could consider CWTs, but this would require a bunch of additional work, and we are fairly close to shipping this draft to the IESG. Maybe a better option might be to write a second draft discussing the use of CWTs with CoSWID? This would allow this draft to move forward, while CWT use is defined. Would you be interested in working on this draft? Yes, I am interested, with coauthors. Are you offering? If CWTs are to be proliferated the way JWTs have been, I suspect it will be easier for CoSWID to gain traction. I think it would be good to list use of a CWT as an option, then registering the claims that one might use for let's say having the CWT be an EAT and be a remote attestation. I think adoption may be better if these are tied together and made simple for regular readers who will likely start to come across CWTs as opposed to just signing with one or more signers. I think what you have us good, but having both as options would be better. Both options would also create the need for some signature verifiers to support both options. This is something that should be discussed at greater length, as it could also create potential interoperability issues. I am not against both options, but we should talk to potential implementors about what they want. This is maybe more reason to do this work in a separate draft to allow for some time to work out these details.. OK, great point on interoperability. My hunch is that since CWTs are in EATs, there is code and there is an established pattern of use that this would be more likely to be supported (more widely). It may be good to pull this all out as not to create confusion as if it is int he base draft, this will be seen as necessary as opposed to a choice and as you note, will create confusion. The claims about the signature may vary from the data in the CoSWID, so this could be potentially useful. Right and minimal claims are possible too. Thanks, Kathleen True. Thank you! -- Best regards, Kathleen -- Best regards, Kathleen -- Best regards, Kathleen
- [sacm] CoSWID review Kathleen Moriarty
- Re: [sacm] CoSWID review Kathleen Moriarty
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)
- [sacm] Fw: CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] [COSE] CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] [COSE] CoSWID review Michael Richardson
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)