Re: [secdir] secdir review of draft-ietf-cose-typ-header-parameters

Michael Jones <michael_b_jones@hotmail.com> Mon, 04 March 2024 01:05 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Dan Harkins <dharkins@lounge.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-cose-typ-header-parameter.all@ietf.org" <draft-ietf-cose-typ-header-parameter.all@ietf.org>
Date: Mon, 04 Mar 2024 01:04:56 +0000
Message-ID: <PH0PR02MB74306E59B052D57BF0FA24E7B7232@PH0PR02MB7430.namprd02.prod.outlook.com>
References: <355edff2-75ed-c30e-858d-8bf7a027a164@lounge.org> <PH0PR02MB7430F66C51746AD01ADD9178B7232@PH0PR02MB7430.namprd02.prod.outlook.com> <fc28a997-c6f3-f3d3-ef77-f6c385d4efdd@lounge.org>
In-Reply-To: <fc28a997-c6f3-f3d3-ef77-f6c385d4efdd@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/FTJGXZ78xD4HYNW1Gi-hYkezHF8>
Subject: Re: [secdir] secdir review of draft-ietf-cose-typ-header-parameters
List-Id: Security Area Directorate <secdir.ietf.org>

I understand that this could be clearer.  Let me think about how to make it so.  After all, I've got about 23 hours left until the submission deadline to ponder. ;-)

                                -- Mike

-----Original Message-----
From: Dan Harkins <dharkins@lounge.org>
Sent: Sunday, March 3, 2024 4:53 PM
To: Michael Jones <michael_b_jones@hotmail.com>; iesg@ietf.org; secdir@ietf.org; draft-ietf-cose-typ-header-parameter.all@ietf.org
Subject: Re: secdir review of draft-ietf-cose-typ-header-parameters


   Hi Mike,

   So what you're saying is that the "implementation" is the entity that just parses the message and that the "application" is the entity that does something with parsed components of the messages, right? I guess I see what you're saying. I think the confusion was just in my differing definition of what it means for something to be an "implementation" versus an "application".

   On the one hand I want to just say, "forget about it, this is fine" but on the other hand, if I'm confused then there's a reasonable probability of other people being confused so you might want to make a new section 1.2 (suggest "Definitions") and explain the difference. Yes, I understand this is similar to the text in RFC 7515 but I wasn't assigned to review the draft that became RFC 7515 and just because it's there doesn't mean it's clear. But I'll leave it up to you.

   regards,

   Dan.

On 3/3/24 4:03 PM, Michael Jones wrote:
> Thanks for reviewing, Dan.
>
> The language you cite is intentionally parallel to this language in the JWS spec at https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.9 : "This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application."
>
> The point in both cases is that the COSE (or JOSE) specification intentionally defines no processing rules for this field.  Therefore, COSE (or JOSE) libraries simply pass the field through to the application software calling it.  It's up to the application software to apply any processing rules that it defines, such as verifying that the "typ" value is a particular application-chosen media type and rejecting the data structure if it's not.
>
> Does that help?
>
>                               Thanks,
>                               -- Mike
>
> -----Original Message-----
> From: Dan Harkins <dharkins@lounge.org>
> Sent: Saturday, March 2, 2024 2:11 PM
> To: iesg@ietf.org; secdir@ietf.org;
> draft-ietf-cose-typ-header-parameter.all@ietf.org
> Subject: secdir review of draft-ietf-cose-typ-header-parameters
>
>
>     Howdy,
>
> I have reviewed draft-ietf-cose-typ-header-parameters as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>
> The summary of the review is ready (but I do have a question).
>
> The draft defines the typ (type) header to COSE to parallel the header parameters defined by JOSE; this will permit "explicit typing" of JSON Web Tokens.
>
> The draft is very simple and straightforward and there aren't really any issues but I was unable to parse this sentence from section 2:
>
>       "This parameter is ignored by COSE implementations; any
>       processing of this parameter is performed by the COSE
>       application."
>
> I'm not sure what the authors are trying to say here. Applications of COSE represent an implementation of COSE, right? So it can't be both ignored and processed. Or can it? What am I missing?
>
>     regards,
>
>     Dan.
>
> --
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>

--
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
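The exchange above turns on the split between a "COSE implementation" (the library that parses the structure and hands "typ" through without processing it) and a "COSE application" (the code that decides what "typ" must be and rejects anything else). The following is an added example, not code from the draft, from this thread, or from any COSE library, that models that split in Python with a minimal CBOR codec so it runs offline. Assumptions made here and not taken from the thread: the integer label 16 for "typ" (check the draft's IANA section), the media type "application/example+cwt", the sample COSE_Sign1 bytes with a constructed, unverified signature, and the example's own choice to read "typ" only from the integrity-protected header.

```python
# Added example (not from the draft, the thread, or any COSE library).
# Models the implementation/application split: the library layer parses
# COSE_Sign1 and passes "typ" through untouched; the application layer is
# the only place "typ" is interpreted.  Samples are constructed inline.

ALG_LABEL = 1    # "alg", registered by RFC 9052
TYP_LABEL = 16   # "typ": integer label ASSUMED for this example

def _hdr(major: int, n: int) -> bytes:
    """CBOR initial byte plus argument, for arguments up to 65535."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")

def cbor_encode(obj) -> bytes:
    """Encode int, bytes, str, list, dict (no floats, tags, or bool)."""
    if isinstance(obj, bool):
        raise TypeError("bool not supported")
    if isinstance(obj, int):
        return _hdr(0, obj) if obj >= 0 else _hdr(1, -1 - obj)
    if isinstance(obj, bytes):
        return _hdr(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _hdr(3, len(raw)) + raw
    if isinstance(obj, list):
        return _hdr(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _hdr(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

def cbor_decode(data: bytes, pos: int = 0):
    """Decode one CBOR item at pos; return (value, next_pos)."""
    ib = data[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26, 27):
        size = 1 << (info - 24)
        arg = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length items not supported")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        chunk = bytes(data[pos:pos + arg])
        if len(chunk) != arg:
            raise ValueError("truncated string")
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            val, pos = cbor_decode(data, pos)
            result[key] = val
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def cose_implementation_parse(cose_sign1: bytes) -> dict:
    """'COSE implementation' layer: parse COSE_Sign1 and return its parts.
    It needs "alg" to know how to verify; "typ" is carried through unprocessed."""
    parts, end = cbor_decode(cose_sign1)
    if end != len(cose_sign1) or not isinstance(parts, list) or len(parts) != 4:
        raise ValueError("not a COSE_Sign1 structure")
    protected_bstr, unprotected, payload, signature = parts
    protected = cbor_decode(protected_bstr)[0] if protected_bstr else {}
    if ALG_LABEL not in protected:
        raise ValueError("alg must be present in the protected header")
    # (signature verification over the Sig_structure would happen here; omitted)
    return {"protected": protected, "unprotected": unprotected, "payload": payload}

def cose_application_check_typ(parsed: dict, expected_typ) -> bool:
    """'COSE application' layer: the only place "typ" means anything.  Accept the
    object only if its integrity-protected "typ" equals the expected media type
    (tstr) or Content-Format (uint).  Reading "typ" solely from the protected
    header is this example's choice, so a value an intermediary could rewrite
    is never trusted."""
    typ = parsed["protected"].get(TYP_LABEL)
    if typ is None:
        raise ValueError("typ missing from protected header; explicit typing required")
    if isinstance(typ, bool) or not isinstance(typ, (str, int)) or (isinstance(typ, int) and typ < 0):
        raise ValueError("typ must be a text string or an unsigned integer")
    if typ != expected_typ:
        raise ValueError(f"rejected: typ {typ!r}, expected {expected_typ!r}")
    return True

def make_sign1(typ_value) -> bytes:
    """Constructed COSE_Sign1 for the demo; the signature bytes are not real."""
    protected = {ALG_LABEL: -7}            # -7 = ES256 (RFC 9053)
    if typ_value is not None:
        protected[TYP_LABEL] = typ_value
    return cbor_encode([cbor_encode(protected), {}, b"payload", b"not-a-real-signature"])

EXPECTED = "application/example+cwt"       # hypothetical application media type

def demo() -> dict:
    """Right typ, wrong typ, no typ: the library parses all three; only the
    application accepts or rejects."""
    results = {}
    for name, typ in (("right-typ", EXPECTED), ("wrong-typ", "application/other+cwt"), ("no-typ", None)):
        parsed = cose_implementation_parse(make_sign1(typ))
        try:
            results[name] = cose_application_check_typ(parsed, EXPECTED)
        except ValueError:
            results[name] = False
    return results

if __name__ == "__main__":
    print(demo())
```

Note that `cose_implementation_parse` never raises on an unexpected or missing "typ": that is precisely the "ignored by COSE implementations" behaviour, and the rejection of a mistyped object happens only in `cose_application_check_typ`, which is the application-defined rule the thread describes.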