Re: [sacm] [COSE] CoSWID review
Jim Schaad <ietf@augustcellars.com> Tue, 19 November 2019 03:22 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 257D6120BEC; Mon, 18 Nov 2019 19:22:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ospondq1mwYh; Mon, 18 Nov 2019 19:22:39 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44BF5120B7B; Mon, 18 Nov 2019 19:22:39 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 18 Nov 2019 19:22:32 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: "'Waltermire, David A. (Fed)'" <david.waltermire@nist.gov>, cose@ietf.org
CC: 'sacm' <sacm@ietf.org>
References: <CAHbuEH7OH_89+e4_BmXJN4LgxzTTQ9MtKF_03XK--a8K4AO11w@mail.gmail.com> <lejxf9f4owwm819gnwiwhlo0.1573973274271@email.android.com> <CAHcK3jMef-SK+AH4RC+EQs1LQ6wZCDAPGLCxqUyE+MFn=n-H+g@mail.gmail.com> <CAHbuEH75-jbPTqprpzjOdhRTVjtBcKy4+M6gW=zEog140ZEw5Q@mail.gmail.com>, <CAHbuEH6SjQRriP-2Sr4k12_hRk88VR3vpTsSW7phqEdKCJoRqg@mail.gmail.com>, <BN7PR09MB281982821C9CD2D11A5F546AF04C0@BN7PR09MB2819.namprd09.prod.outlook.com> <BN7PR09MB28195DC7222FF17789AAC7EBF04C0@BN7PR09MB2819.namprd09.prod.outlook.com>, <010401d59e80$7f4be360$7de3aa20$@augustcellars.com> <BN7PR09MB2819937DE42C9A1FA0F7C675F04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
In-Reply-To: <BN7PR09MB2819937DE42C9A1FA0F7C675F04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
Date: Tue, 19 Nov 2019 11:22:30 +0800
Message-ID: <011a01d59e88$954f7110$bfee5330$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_011B_01D59ECB.A3739B70"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHzpN9RYTZyhsYpaTlVDcXoTZlvQAK3gtZBAhXIKp0BmGR9ZACpgMxNAk/8JVUCWvkKcwKTCkqPAr2UdpumzXEY8A==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/tf7eszwI0zjT994NDlc5NQNzg8I>
Subject: Re: [sacm] [COSE] CoSWID review
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 03:22:45 -0000
You probably need to have that text in any event. If a new hash algorithm is added to the table you can still end up with the same problem. Old code vs new code. jim From: Waltermire, David A. (Fed) <david.waltermire@nist.gov> Sent: Tuesday, November 19, 2019 11:08 AM To: Jim Schaad <ietf@augustcellars.com>; cose@ietf.org Cc: 'sacm' <sacm@ietf.org> Subject: Re: [COSE] [sacm] CoSWID review Jim, Your suggestion of expressing the filter by way of text in the CoSWID draft would provide a path forward. This approach is less clear cut as it leaves the implementer to decide which algorithms are "hash algorithms". This will likely lead to different implementations choosing a different set of algorithms. To address this, I guess we will need to include some text that makes sure that a parser will not fail the parse when encountering an unsupported hash algorithm identifier. Any other ideas that might provide a clearer solution? Thanks, Dave _____ From: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> > Sent: Monday, November 18, 2019 9:24 PM To: Waltermire, David A. (Fed) <david.waltermire@nist.gov <mailto:david.waltermire@nist.gov> >; cose@ietf.org <mailto:cose@ietf.org> <cose@ietf.org <mailto:cose@ietf.org> > Cc: 'sacm' <sacm@ietf.org <mailto:sacm@ietf.org> > Subject: RE: [COSE] [sacm] CoSWID review Do you believe that there is an issue where you cannot say. Use the values from registry X and this must be a hash algorithm without trying to do some type of filter. If we do a filter then we start playing the game of naming all of the different types of algorithms and potentially need to deal with algorithms which would have two algorithm type labels. Jim From: COSE <cose-bounces@ietf.org <mailto:cose-bounces@ietf.org> > On Behalf Of Waltermire, David A. (Fed) Sent: Tuesday, November 19, 2019 9:52 AM To: cose@ietf.org <mailto:cose@ietf.org> Cc: sacm <sacm@ietf.org <mailto:sacm@ietf.org> > Subject: Re: [COSE] [sacm] CoSWID review COSE WG, I accidently sent the last email early. Please ignore it. Kathleen provided comments below on draft-ietf-sacm-coswid suggesting that we use the COSE proposed algorithm identifiers for hashes in CoSWID. We are currently using the entries in the IANA Named Information Hash Algorithm Registry. It would be great to align with the COSE hash algorithms, but I can't figure out a way to point to only the hash algorithms in the COSE Algorithms registry. We can point to the draft-ietf-cose-hash-algs once its published as an RFC, but this would be less agile in the face of future updates to COSE hash algorithms. It would very useful if the COSE Algorithms registry has a column for algorithm type. That way we could select only the hash algorithms. Do you have any suggestions on how we might move forward? Regards, Dave Waltermire _____ From: Waltermire, David A. (Fed) <david.waltermire@nist.gov <mailto:david.waltermire@nist.gov> > Sent: Monday, November 18, 2019 8:39 PM To: cose@ietf.org <mailto:cose@ietf.org> <cose@ietf.org <mailto:cose@ietf.org> > Cc: sacm <sacm@ietf.org <mailto:sacm@ietf.org> > Subject: Fw: [sacm] CoSWID review On Sun, Nov 17, 2019 at 6:45 AM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com> > wrote: Hi Dave, On Sun, Nov 17, 2019 at 3:02 AM Dave Waltermire <davewaltermire@gmail.com <mailto:davewaltermire@gmail.com> > wrote: Kathleen, Thank you for the review. I have addressed your comments in the latest draft. Some comments on your comments are inline below. From: sacm <sacm-bounces@ietf.org <mailto:sacm-bounces@ietf.org> > on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com> > Date: Fri, October 25, 2019 11:57 PM +0800 To: "<sacm@ietf.org <mailto:sacm@ietf.org> >" <sacm@ietf.org <mailto:sacm@ietf.org> > Subject: [sacm] CoSWID review Section 2.6: A Thumbprint is specified in this section, should this be referenced for clarity on hashes with COSE for object identification: https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/ <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatrack er.ietf.org%2Fdoc%2Fdraft-ietf-cose-hash-algs%2F&data=02%7C01%7Cdavid.walter mire%40nist.gov%7C2410b750742b4ee7f88108d76c97ace8%7C2ab5d82fd8fa4797a93e054 655c61dec%7C1%7C1%7C637097271007090632&sdata=NB0wIJTokNhicaXPWlVp448muGvavHV QTxFHBNL%2F0ZI%3D&reserved=0> Would it be better to tie to the COSE set of supported algorithms (they likely match, but I didn't verify)? The IANA COSE Algorithms registry contains other types of algorithms beyond hash algorithms. To use this registry, we would need to list the hash-specific algorithms, which is less ideal. Its a shame this registry isn't broken out by algorithm type, which would make this decision easy. With the IANA "Named Information Hash Algorithm Registry", we get only hash algorithms, which is what we are looking for. Can you live with use of the IANA "Named Information Hash Algorithm Registry"? COSE is open as is their main draft. This is a problem that can likely be solved this week... Talk to Jim. Let me and the list know what's possible.
- [sacm] CoSWID review Kathleen Moriarty
- Re: [sacm] CoSWID review Kathleen Moriarty
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)
- [sacm] Fw: CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] [COSE] CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] [COSE] CoSWID review Michael Richardson
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)