Re: [secdir] secdir review of cose-msg-18
Jim Schaad <ietf@augustcellars.com> Fri, 23 September 2016 19:20 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A12D12B47C for <secdir@ietfa.amsl.com>; Fri, 23 Sep 2016 12:20:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.217
X-Spam-Level:
X-Spam-Status: No, score=-4.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PSmkox-XqqF for <secdir@ietfa.amsl.com>; Fri, 23 Sep 2016 12:20:40 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5F9512B419 for <secdir@ietf.org>; Fri, 23 Sep 2016 12:20:39 -0700 (PDT)
Received: from hebrews (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 23 Sep 2016 12:33:58 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Stephen Kent' <kent@bbn.com>, 'secdir' <secdir@ietf.org>, 'Justin Richer' <jricher@mit.edu>, 'Kepeng Li' <kepeng.lkp@alibaba-inc.com>, 'Kathleen Moriarty' <Kathleen.Moriarty.ietf@gmail.com>
References: <33a10112-ee91-75df-a390-1c7c2a23a729@bbn.com> <081e01d21474$a3db8440$eb928cc0$@augustcellars.com> <c16beab8-d952-8d37-36db-d8455b5ac896@bbn.com>
In-Reply-To: <c16beab8-d952-8d37-36db-d8455b5ac896@bbn.com>
Date: Fri, 23 Sep 2016 12:20:30 -0700
Message-ID: <0aae01d215cf$8e4f2210$aaed6630$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLn+ErX890UkhHKZArMVoO8r82N0wHmsi+KAgV97+6ePEzSQA==
Content-Language: en-us
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jhxBIUaxKPYOMdDEkQpny_xlD-0>
Subject: Re: [secdir] secdir review of cose-msg-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2016 19:20:42 -0000
> -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Friday, September 23, 2016 10:54 AM > To: Jim Schaad <ietf@augustcellars.com>; 'secdir' <secdir@ietf.org>; 'Justin > Richer' <jricher@mit.edu>; 'Kepeng Li' <kepeng.lkp@alibaba-inc.com>; 'Kathleen > Moriarty' <Kathleen.Moriarty.ietf@gmail.com> > Subject: Re: secdir review of cose-msg-18 > > Jim, > > Thanks for making the changes you describe as done. Comments below on the > few remaining items. > > > Applications should have a statement if the label can be omitted. > > -> Applications SHOULD (?) have a statement if the label can be omitted. > > > > [JLS] I believe that lower case is correct here. This would not be a > > requirement on the COSE protocol, but on the application that is using > > COSE. It does not make sense to me to have 2119 language for this > > type of statement. (Partly from an initial brow beating from Russ.) > OK. > > Integers are from the "CoAP Content-Formats" IANA registry table. (no > > reference) > > > > [JLS] What do you think should be referenced here? Are you looking for a URL > to iana.org? Not sure that this makes sense. > When you refer to IANA registries defined in the doc you cite the relevant > section of the doc. Since this registry already exists I think it would be > appropriate to include a pointer to it: > http://www.iana.org/assignments/core-parameters/core-parameters.xhtml I am not overwhelmed, but I will do this > > As the IV is authenticated by the encryption process, it can be placed > > in the unprotected header bucket. (in general, an encryption process > > will not “authenticate” an IV, but use of a modified IV will yield > > mangled plaintext, which can be detected by an integrity check or a > > signature. the same comment applies to the similar statement in the > > “partial IV” description.) > > > > [JLS] Does this work? > > > > The IV can be placed in the unprotected header as modifying the IV will cause > the decryption of the plaintext to fail. > How about: > > The IV can be placed in the unprotected header as modifying the IV will cause > the decryption to yield plaintext that is readily detectable as garbled. That works for me. Will do > > > The decryption process will not, itself, detect any error, so it will not "fail" per > se. > > Steve
- [secdir] secdir review of cose-msg-18 Stephen Kent
- Re: [secdir] secdir review of cose-msg-18 Kathleen Moriarty
- Re: [secdir] secdir review of cose-msg-18 Justin Richer
- Re: [secdir] secdir review of cose-msg-18 Jim Schaad
- Re: [secdir] secdir review of cose-msg-18 Jim Schaad
- Re: [secdir] secdir review of cose-msg-18 Stephen Kent
- Re: [secdir] secdir review of cose-msg-18 Stephen Kent
- Re: [secdir] secdir review of cose-msg-18 Jim Schaad
- Re: [secdir] secdir review of cose-msg-18 Jim Schaad