Re: [sacm] [COSE] CoSWID review

Jim Schaad <ietf@augustcellars.com> Tue, 19 November 2019 03:22 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: "'Waltermire, David A. (Fed)'" <david.waltermire@nist.gov>, cose@ietf.org
CC: 'sacm' <sacm@ietf.org>
References: <CAHbuEH7OH_89+e4_BmXJN4LgxzTTQ9MtKF_03XK--a8K4AO11w@mail.gmail.com> <lejxf9f4owwm819gnwiwhlo0.1573973274271@email.android.com> <CAHcK3jMef-SK+AH4RC+EQs1LQ6wZCDAPGLCxqUyE+MFn=n-H+g@mail.gmail.com> <CAHbuEH75-jbPTqprpzjOdhRTVjtBcKy4+M6gW=zEog140ZEw5Q@mail.gmail.com>, <CAHbuEH6SjQRriP-2Sr4k12_hRk88VR3vpTsSW7phqEdKCJoRqg@mail.gmail.com>, <BN7PR09MB281982821C9CD2D11A5F546AF04C0@BN7PR09MB2819.namprd09.prod.outlook.com> <BN7PR09MB28195DC7222FF17789AAC7EBF04C0@BN7PR09MB2819.namprd09.prod.outlook.com>, <010401d59e80$7f4be360$7de3aa20$@augustcellars.com> <BN7PR09MB2819937DE42C9A1FA0F7C675F04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
In-Reply-To: <BN7PR09MB2819937DE42C9A1FA0F7C675F04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
Date: Tue, 19 Nov 2019 11:22:30 +0800
Message-ID: <011a01d59e88$954f7110$bfee5330$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/tf7eszwI0zjT994NDlc5NQNzg8I>
Subject: Re: [sacm] [COSE] CoSWID review
List-Id: SACM WG mail list <sacm.ietf.org>

You probably need to have that text in any event. If a new hash algorithm
is added to the table, you can still end up with the same problem: old code
vs. new code.

Jim

 

From: Waltermire, David A. (Fed) <david.waltermire@nist.gov> 
Sent: Tuesday, November 19, 2019 11:08 AM
To: Jim Schaad <ietf@augustcellars.com>; cose@ietf.org
Cc: 'sacm' <sacm@ietf.org>
Subject: Re: [COSE] [sacm] CoSWID review

 

Jim,

 

Your suggestion of expressing the filter by way of text in the CoSWID draft
would provide a path forward. This approach is less clear cut as it leaves
the implementer to decide which algorithms are "hash algorithms". This will
likely lead to different implementations choosing a different set of
algorithms. To address this, I guess we will need to include some text that
makes sure that a parser will not fail the parse when encountering an
unsupported hash algorithm identifier.

 

Any other ideas that might provide a clearer solution?

 

Thanks,

Dave

 

  _____  

From: Jim Schaad <ietf@augustcellars.com>
Sent: Monday, November 18, 2019 9:24 PM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; cose@ietf.org <cose@ietf.org>
Cc: 'sacm' <sacm@ietf.org>
Subject: RE: [COSE] [sacm] CoSWID review

 

Do you believe that there is an issue where you cannot say, "Use the values
from registry X, and this must be a hash algorithm," without trying to do some
type of filter? If we do a filter, then we start playing the game of naming
all of the different types of algorithms and potentially need to deal with
algorithms which would have two algorithm type labels.

Jim

 

 

From: COSE <cose-bounces@ietf.org> On Behalf Of Waltermire, David A. (Fed)
Sent: Tuesday, November 19, 2019 9:52 AM
To: cose@ietf.org
Cc: sacm <sacm@ietf.org>
Subject: Re: [COSE] [sacm] CoSWID review

COSE WG,

I accidentally sent the last email early. Please ignore it.

 

Kathleen provided comments below on draft-ietf-sacm-coswid suggesting that
we use the COSE proposed algorithm identifiers for hashes in CoSWID. We are
currently using the entries in the IANA Named Information Hash Algorithm
Registry. It would be great to align with the COSE hash algorithms, but I
can't figure out a way to point to only the hash algorithms in the COSE
Algorithms registry. We can point to draft-ietf-cose-hash-algs once it is
published as an RFC, but this would be less agile in the face of future
updates to COSE hash algorithms. It would be very useful if the COSE Algorithms
registry had a column for algorithm type. That way we could select only the
hash algorithms.

 

Do you have any suggestions on how we might move forward?

 

Regards,

Dave Waltermire

 

  _____  

From: Waltermire, David A. (Fed) <david.waltermire@nist.gov>
Sent: Monday, November 18, 2019 8:39 PM
To: cose@ietf.org <cose@ietf.org>
Cc: sacm <sacm@ietf.org>
Subject: Fw: [sacm] CoSWID review

On Sun, Nov 17, 2019 at 6:45 AM Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:

Hi Dave, 

 

On Sun, Nov 17, 2019 at 3:02 AM Dave Waltermire <davewaltermire@gmail.com> wrote:

Kathleen,

 

Thank you for the review. I have addressed your comments in the latest
draft. Some comments on your comments are inline below.

 

From: sacm <sacm-bounces@ietf.org> on behalf of Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com>
Date: Fri, October 25, 2019 11:57 PM +0800
To: "<sacm@ietf.org>" <sacm@ietf.org>
Subject: [sacm] CoSWID review

 

 

Section 2.6:

A Thumbprint is specified in this section, should this be referenced for
clarity on hashes with COSE for object identification:
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/

Would it be better to tie to the COSE set of supported algorithms (they
likely match, but I didn't verify)?

 

The IANA COSE Algorithms registry contains other types of algorithms beyond
hash algorithms. To use this registry, we would need to list the
hash-specific algorithms, which is less ideal. It's a shame this registry
isn't broken out by algorithm type, which would make this decision easy.
With the IANA "Named Information Hash Algorithm Registry", we get only hash
algorithms, which is what we are looking for. Can you live with use of the
IANA "Named Information Hash Algorithm Registry"?

 

COSE is open as is their main draft.  This is a problem that can likely be
solved this week...  Talk to Jim. Let me and the list know what's possible.
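As an added example (not code from the CoSWID draft, nor from any participant in this thread), here is a small Python parser for a CoSWID-style hash entry, `[hash-alg-id, hash-value]` encoded in CBOR, that illustrates the behaviour Dave and Jim are discussing: a hash algorithm identifier the implementation does not know must not make the parse fail, it only makes that one hash unverifiable, and the caller sees that as a distinct result rather than an exception. This is the "old code vs. new code" case, where a tag produced after a new identifier is registered is consumed by a parser built before. The CBOR encoder and decoder are a minimal hand-written subset so the example runs offline; the algorithm table assumes identifiers 1, 7 and 8 (sha-256, sha-384, sha-512) from the IANA Named Information Hash Algorithm Registry and should be checked against the live registry; all function names are my own.

```python
import hashlib
from typing import Tuple

# Assumed subset of the IANA Named Information Hash Algorithm Registry
# (RFC 6920): 1 = sha-256, 7 = sha-384, 8 = sha-512. Check these against the
# live registry; the point of the example is what happens for IDs NOT here.
KNOWN_HASH_ALGS = {1: "sha256", 7: "sha384", 8: "sha512"}


def _cbor_head(major: int, arg: int) -> bytes:
    """Encode a CBOR initial byte plus its unsigned argument (up to 2**32-1)."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 0x100:
        return bytes([(major << 5) | 24, arg])
    if arg < 0x10000:
        return bytes([(major << 5) | 25]) + arg.to_bytes(2, "big")
    if arg < 0x100000000:
        return bytes([(major << 5) | 26]) + arg.to_bytes(4, "big")
    raise ValueError("argument too large for this encoder")


def encode_hash_entry(alg_id: int, digest: bytes) -> bytes:
    """hash-entry = [hash-alg-id: uint, hash-value: bstr], as CBOR."""
    return (_cbor_head(4, 2) + _cbor_head(0, alg_id)
            + _cbor_head(2, len(digest)) + digest)


def make_hash_entry(alg_id: int, content: bytes) -> bytes:
    """Producer side: hash content with a registry algorithm we implement."""
    digest = hashlib.new(KNOWN_HASH_ALGS[alg_id], content).digest()
    return encode_hash_entry(alg_id, digest)


def _read_head(data: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (major type, argument, next position) for the item at pos."""
    if pos >= len(data):
        raise ValueError("truncated CBOR item")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("unsupported CBOR additional information %d" % info)
    if pos + width > len(data):
        raise ValueError("truncated CBOR argument")
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width


def decode_hash_entry(data: bytes) -> Tuple[int, bytes]:
    """Structural parse only: the algorithm ID is NOT validated here."""
    major, count, pos = _read_head(data, 0)
    if major != 4 or count != 2:
        raise ValueError("hash-entry must be a two-element array")
    major, alg_id, pos = _read_head(data, pos)
    if major != 0:
        raise ValueError("hash-alg-id must be an unsigned integer")
    major, length, pos = _read_head(data, pos)
    if major != 2 or pos + length > len(data):
        raise ValueError("hash-value must be a complete byte string")
    if pos + length != len(data):
        raise ValueError("trailing bytes after hash-entry")
    return alg_id, data[pos:pos + length]


def check_hash_entry(entry: bytes, content: bytes) -> str:
    """Consumer side. Returns 'match', 'mismatch' or 'unsupported-alg'.

    An unknown hash-alg-id (for instance one registered after this code
    shipped) is reported, not treated as a parse error: the entry still
    decodes, the caller just cannot verify this particular hash.
    """
    alg_id, digest = decode_hash_entry(entry)
    name = KNOWN_HASH_ALGS.get(alg_id)
    if name is None:
        return "unsupported-alg"
    return "match" if hashlib.new(name, content).digest() == digest else "mismatch"


if __name__ == "__main__":
    payload = b"constructed sample file contents"  # constructed input
    print(check_hash_entry(make_hash_entry(1, payload), payload))          # match
    print(check_hash_entry(make_hash_entry(1, payload), payload + b"x"))   # mismatch
    print(check_hash_entry(encode_hash_entry(9999, b"\0" * 32), payload))  # unsupported-alg
```

The split between `decode_hash_entry` (structure only) and `check_hash_entry` (semantics) is the design point: registry-driven identifiers are validated against what the consumer implements, after the parse, so a tag that mixes one new algorithm with several known ones still yields usable results for the known ones. A caller that needs a verified hash treats `unsupported-alg` as "not verified", never as "verified".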