[secdir] secdir review of draft-ietf-cose-typ-header-parameters

Dan Harkins <dharkins@lounge.org> Sat, 02 March 2024 22:10 UTC

   Howdy,

I have reviewed draft-ietf-cose-type-header-parameters as part of
the security directorate's ongoing effort to review all IETF
documents being processed by the IESG. These comments were written
primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any
other last call comments.

The summary of the review is ready (but I do have a question).

The draft defines the typ (type) header for COSE to parallel the
header parameter defined by JOSE; this will permit "explicit
typing" of JSON Web Tokens.

The draft is very simple and straightforward, and there aren't
really any issues, but I was unable to parse this sentence from
section 2:

     "This parameter is ignored by COSE implementations; any
     processing of this parameter is performed by the COSE
     application."

I'm not sure what the authors are trying to say here. Applications
of COSE represent an implementation of COSE, right? So it can't
be both ignored and processed. Or can it? What am I missing?

   regards,

   Dan.

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius
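The layering the review asks about, shown as an added example that is not code from the draft or from the reviewer: a generic COSE layer that authenticates a COSE_Mac0 and passes typ through untouched, and a COSE application layer that is the only place typ is compared against the content type the application expects. Assumptions: HMAC-SHA256 (COSE alg 5) stands in for a signature, the CBOR codec covers only the subset the MAC_structure needs, and typ uses header label 16 (the value IANA registered for it; the review itself quotes no label).

```python
import hmac, hashlib

ALG, TYP, HMAC_256_256 = 1, 16, 5   # header labels (16 = typ, IANA value, assumed) and HMAC-SHA256 alg id

def cbor(v):   # minimal CBOR encoder: int, bstr, tstr, array, map (all MAC_structure needs)
    def head(major, n):
        if n < 24: return bytes([major << 5 | n])
        size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))
        return bytes([major << 5 | 23 + size.bit_length()]) + n.to_bytes(size, "big")
    if isinstance(v, int): return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes): return head(2, len(v)) + v
    if isinstance(v, str): return head(3, len(v.encode())) + v.encode()
    if isinstance(v, list): return head(4, len(v)) + b"".join(map(cbor, v))
    if isinstance(v, dict): return head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v).__name__)

def cbor_decode(b, i=0):   # minimal decoder for the same subset; returns (value, next_offset)
    major, ai = b[i] >> 5, b[i] & 31
    if ai < 24: n, i = ai, i + 1
    else: size = 1 << (ai - 24); n, i = int.from_bytes(b[i + 1:i + 1 + size], "big"), i + 1 + size
    if major == 0: return n, i
    if major == 1: return -1 - n, i
    if major == 2: return bytes(b[i:i + n]), i + n
    if major == 3: return b[i:i + n].decode(), i + n
    if major not in (4, 5): raise ValueError("unsupported CBOR major type")
    items = []
    for _ in range(n * (major - 3)):          # array: n items; map: n key/value pairs
        x, i = cbor_decode(b, i); items.append(x)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i

def mac0_create(key, protected, payload):
    """COSE layer: whatever the application put in `protected` (typ included) is carried untouched."""
    prot = cbor(protected)                     # RFC 9052 MAC_structure for MAC0, empty external AAD
    tag = hmac.new(key, cbor(["MAC0", prot, b"", payload]), hashlib.sha256).digest()
    return [prot, {}, payload, tag]            # COSE_Mac0 as a decoded CBOR array

def mac0_verify(key, msg):
    """COSE layer: checks alg and the tag only; it never interprets typ."""
    prot, _unprotected, payload, tag = msg
    hdr, _ = cbor_decode(prot)
    expect = hmac.new(key, cbor(["MAC0", prot, b"", payload]), hashlib.sha256).digest()
    if hdr.get(ALG) != HMAC_256_256 or not hmac.compare_digest(tag, expect):
        raise ValueError("alg unsupported or tag invalid")
    return hdr, payload

def app_accept(key, msg, expected_typ):
    """COSE application: this is where typ is processed (the explicit-typing check)."""
    hdr, payload = mac0_verify(key, msg)
    if hdr.get(TYP) != expected_typ:
        raise ValueError(f"typ mismatch: {hdr.get(TYP)!r} != {expected_typ!r}")
    return payload
```

A message whose typ is absent or names a different content type still authenticates at the COSE layer and is rejected only by app_accept, which is the split the quoted sentence describes.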