Re: [secdir] secdir review of draft-ietf-cose-typ-header-parameters

Michael Jones <michael_b_jones@hotmail.com> Mon, 04 March 2024 06:06 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Dan Harkins <dharkins@lounge.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-cose-typ-header-parameter.all@ietf.org" <draft-ietf-cose-typ-header-parameter.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-cose-typ-header-parameters
Thread-Index: AQHabO53HB//pfcY3UCYQ3Gf+BNvqrEmsDbQgAAScoCAAALsYIAAVCoA
Date: Mon, 04 Mar 2024 06:06:08 +0000
Message-ID: <SJ0PR02MB7439F6090B095A63FA388A51B7232@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <355edff2-75ed-c30e-858d-8bf7a027a164@lounge.org> <PH0PR02MB7430F66C51746AD01ADD9178B7232@PH0PR02MB7430.namprd02.prod.outlook.com> <fc28a997-c6f3-f3d3-ef77-f6c385d4efdd@lounge.org> <PH0PR02MB74306E59B052D57BF0FA24E7B7232@PH0PR02MB7430.namprd02.prod.outlook.com>
In-Reply-To: <PH0PR02MB74306E59B052D57BF0FA24E7B7232@PH0PR02MB7430.namprd02.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/X5BWJySYDKGx-NT6H1Bw6HKAQhw>

Dan, please review https://github.com/selfissued/draft-ietf-cose-typ-header-parameter/pull/9, which is intended to address your comments.  I'll plan to publish -04 with this, possibly with revisions that you suggest, before the submission cut-off tomorrow.

                                Thanks again,
                                -- Mike

-----Original Message-----
From: Michael Jones <michael_b_jones@hotmail.com>
Sent: Sunday, March 3, 2024 5:05 PM
To: Dan Harkins <dharkins@lounge.org>; iesg@ietf.org; secdir@ietf.org; draft-ietf-cose-typ-header-parameter.all@ietf.org
Subject: RE: secdir review of draft-ietf-cose-typ-header-parameters

I understand that this could be clearer.  Let me think about how to make it so.  After all, I've got about 23 hours left until the submission deadline to ponder. ;-)

                                -- Mike

-----Original Message-----
From: Dan Harkins <dharkins@lounge.org>
Sent: Sunday, March 3, 2024 4:53 PM
To: Michael Jones <michael_b_jones@hotmail.com>; iesg@ietf.org; secdir@ietf.org; draft-ietf-cose-typ-header-parameter.all@ietf.org
Subject: Re: secdir review of draft-ietf-cose-typ-header-parameters


   Hi Mike,

   So what you're saying is that the "implementation" is the entity that just parses the message and that the "application" is the entity that does something with parsed components of the messages, right? I guess I see what you're saying. I think the confusion was just in my differing definition of what it means for something to be an "implementation" versus an "application".

   On the one hand I want to just say, "forget about it, this is fine" but on the other hand, if I'm confused then there's a reasonable probability of other people being confused so you might want to make a new section 1.2 (suggest "Definitions") and explain the difference. Yes, I understand this is similar to the text in RFC 7515 but I wasn't assigned to review the draft that became RFC 7515 and just because it's there doesn't mean it's clear. But I'll leave it up to you.

   regards,

   Dan.

On 3/3/24 4:03 PM, Michael Jones wrote:
> Thanks for reviewing, Dan.
>
> The language you cite is intentionally parallel to this language in the JWS spec at https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.9 : "This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application."
>
> The point in both cases is that the COSE (or JOSE) specification intentionally defines no processing rules for this field.  Therefore, COSE (or JOSE) libraries simply pass the field through to the application software calling it.  It's up to the application software to apply any processing rules that it defines, such as verifying that the "typ" value is a particular application-chosen media type and rejecting the data structure if it's not.
>
> Does that help?
>
>                               Thanks,
>                               -- Mike
>
> -----Original Message-----
> From: Dan Harkins <dharkins@lounge.org>
> Sent: Saturday, March 2, 2024 2:11 PM
> To: iesg@ietf.org; secdir@ietf.org;
> draft-ietf-cose-typ-header-parameter.all@ietf.org
> Subject: secdir review of draft-ietf-cose-typ-header-parameters
>
>
>     Howdy,
>
> I have reviewed draft-ietf-cose-type-header-parameters as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>
> The summary of the review is ready (but I do have a question).
>
> The draft defines the typ (type) header to COSE to parallel the header parameters defined by JOSE; this will permit "explicit typing" of JSON Web Tokens.
>
> The draft is very simple and straightforward and there aren't really any issues but I was unable to parse this sentence from section 2:
>
>       "This parameter is ignored by COSE implementations; any
>       processing of this parameter is performed by the COSE
>       application."
>
> I'm not sure what the authors are trying to say here. Applications of COSE represent an implementation of COSE, right? So it can't be both ignored and processed. Or can it? What am I missing?
>
>     regards,
>
>     Dan.
>
> --
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>

--
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
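The implementation/application split described in the quoted explanation above, as an added example that is not code from the draft or its authors: the "library" side only decodes the protected header and passes "typ" through untouched, while the "application" side applies the one rule it has chosen (reject anything whose "typ" is not an expected media type or Content-Format). It assumes the integer label 16 for "typ" (the label the published RFC 9596 assigned; not stated in this thread), that the value is a media-type text string or a CoAP Content-Format unsigned integer, and a constructed accepted-values policy.

```python
TYP_LABEL = 16  # assumption: integer label for "typ" (the published RFC assigned 16)

def _decode(buf, pos=0):
    """Tiny CBOR decoder (uint, negint, bstr, tstr, map): enough for header maps."""
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        arg = ai
    elif ai in (24, 25, 26):  # 1-, 2- or 4-byte length/value follows
        width = 1 << (ai - 24)
        arg, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("unsupported CBOR additional info %d" % ai)
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 5:
        m = {}
        for _ in range(arg):
            k, pos = _decode(buf, pos)
            m[k], pos = _decode(buf, pos)
        return m, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def library_parse_protected(protected):
    """Implementation side: decode the header map and pass "typ" through untouched."""
    hdr, end = _decode(protected)
    if end != len(protected) or not isinstance(hdr, dict):
        raise ValueError("protected header is not exactly one CBOR map")
    return hdr

def application_check_typ(hdr, accepted):
    """Application side: the only place a rule about "typ" is applied. Accept only
    a media-type tstr or CoAP Content-Format uint that the application allows."""
    typ = hdr.get(TYP_LABEL)
    if isinstance(typ, str) or (isinstance(typ, int) and typ >= 0):
        return typ in accepted
    return False  # absent, negative or wrong CBOR type: explicit typing fails

# Constructed, hand-encoded CBOR: {1: -7, 16: "application/example+cose"} and {1: -7}
TYPED = bytes.fromhex("a2 01 26 10 78 18") + b"application/example+cose"
UNTYPED = bytes.fromhex("a1 01 26")
ACCEPTED = {"application/example+cose", 65000}  # constructed application policy

def demo():
    """(typed header accepted, untyped header accepted) -> (True, False)."""
    parse, check = library_parse_protected, application_check_typ
    return check(parse(TYPED), ACCEPTED), check(parse(UNTYPED), ACCEPTED)
```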