Re: [secdir] secdir review of draft-ietf-cose-typ-header-parameters

Michael Jones <michael_b_jones@hotmail.com> Mon, 04 March 2024 00:03 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Dan Harkins <dharkins@lounge.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-cose-typ-header-parameter.all@ietf.org" <draft-ietf-cose-typ-header-parameter.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-cose-typ-header-parameters
Date: Mon, 04 Mar 2024 00:03:15 +0000
Message-ID: <PH0PR02MB7430F66C51746AD01ADD9178B7232@PH0PR02MB7430.namprd02.prod.outlook.com>
References: <355edff2-75ed-c30e-858d-8bf7a027a164@lounge.org>
In-Reply-To: <355edff2-75ed-c30e-858d-8bf7a027a164@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yDiyWhc9Frxsj5kdOkO_Deg0InI>

Thanks for reviewing, Dan.

The language you cite is intentionally parallel to this language in the JWS spec at https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.9 : "This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application."

The point in both cases is that the COSE (or JOSE) specification intentionally defines no processing rules for this field.  Therefore, COSE (or JOSE) libraries simply pass the field through to the application software calling it.  It's up to the application software to apply any processing rules that it defines, such as verifying that the "typ" value is a particular application-chosen media type and rejecting the data structure if it's not.

Does that help?

				Thanks,
				-- Mike

-----Original Message-----
From: Dan Harkins <dharkins@lounge.org> 
Sent: Saturday, March 2, 2024 2:11 PM
To: iesg@ietf.org; secdir@ietf.org; draft-ietf-cose-typ-header-parameter.all@ietf.org
Subject: secdir review of draft-ietf-cose-typ-header-parameters


   Howdy,

I have reviewed draft-ietf-cose-type-header-parameters as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready (but I do have a question).

The draft defines the typ (type) header to COSE to parallel the header parameters defined by JOSE; this will permit "explicit typing" of JSON Web Tokens.

The draft is very simple and straightforward, and there aren't really any issues, but I was unable to parse this sentence from section 2:

     "This parameter is ignored by COSE implementations; any
     processing of this parameter is performed by the COSE
     application."

I'm not sure what the authors are trying to say here. Applications of COSE represent an implementation of COSE, right? So it can't be both ignored and processed. Or can it? What am I missing?

   regards,

   Dan.

--
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
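The split of responsibility Mike describes above (the library passes "typ" through untouched; the application decides whether the value is acceptable), as an added example that is not part of this thread or of the draft. It assumes the protected header has already been decoded from CBOR into a dict, that "typ" uses label 16 as the draft registers, that values are either a media-type text string or a CoAP Content-Format integer, and it stands in for real signature checking with a flag.

```python
# Added example, not code from the thread or the draft. A minimal model of a
# COSE library that knows "alg" but has no processing rule for "typ", beside
# the application-side check that enforces an expected type.

TYP_LABEL = 16   # assumed: the "typ" label registered by the draft under review
ALG_LABEL = 1    # COSE "alg" header label (RFC 9052)


class CoseLibrary:
    """Library behaviour: headers it understands (alg) are checked; "typ" is
    returned to the caller unchanged and never interpreted here."""

    def __init__(self, accepted_algs):
        self.accepted_algs = set(accepted_algs)

    def verify(self, message):
        # message: constructed stand-in for a decoded COSE_Sign1,
        # {"protected": {label: value}, "payload": bytes, "sig_ok": bool}
        protected = message["protected"]
        if protected.get(ALG_LABEL) not in self.accepted_algs:
            raise ValueError("alg not accepted")
        if not message["sig_ok"]:   # flag stands in for real signature verification
            raise ValueError("signature invalid")
        return dict(protected), message["payload"]   # "typ" passed through as-is


def application_accepts(library, message, expected_typ):
    """Application-defined rule: "typ" must be present and equal the media type
    (str) or Content-Format (int) the application chose; otherwise reject."""
    protected, _payload = library.verify(message)
    typ = protected.get(TYP_LABEL)
    if typ is None:
        return False   # explicit typing: an untyped message is rejected
    if isinstance(typ, str) and isinstance(expected_typ, str):
        return typ.lower() == expected_typ.lower()   # media types are case-insensitive (RFC 2045)
    if isinstance(typ, int) and isinstance(expected_typ, int):
        return typ == expected_typ
    return False   # string vs. integer form: this application does not cross-map them


# Constructed sample messages (alg -7 is ES256; Content-Format 60 is application/cbor).
TYPED_MSG = {"protected": {ALG_LABEL: -7, TYP_LABEL: "application/example+cbor"},
             "payload": b"claims", "sig_ok": True}
CONTENT_FORMAT_MSG = {"protected": {ALG_LABEL: -7, TYP_LABEL: 60},
                      "payload": b"claims", "sig_ok": True}
UNTYPED_MSG = {"protected": {ALG_LABEL: -7}, "payload": b"claims", "sig_ok": True}

if __name__ == "__main__":
    lib = CoseLibrary([-7])
    print(application_accepts(lib, TYPED_MSG, "application/example+cbor"))  # True
    print(application_accepts(lib, UNTYPED_MSG, "application/example+cbor"))  # False
```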