[Suit] Draft-ietf-suit-manifest encryption use
Brendan Moran <Brendan.Moran@arm.com> Wed, 02 June 2021 09:59 UTC
To: suit <suit@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/FIV-TeC3M7EjKEWhDmuJthpMsE8>
During the virtual interim, we raised the point that the COSE_Recipients for a COSE_Encrypt should not be covered by a signature or digest. This prevents a management system from sending each recipient only the COSE_Recipient structure that pertains to it. This is not ideal for the structure of the manifest.
I can see several ways forward:
1. Key agreement is explicitly out-of-band. The manifest uses COSE_Encrypt0 exclusively. No changes are needed to the manifest. The kid header parameter is used to distinguish between keys for different payloads.
2. The manifest references encryption information by URI. The typical approach is to place the encryption info in the SUIT_Envelope, then reference it by a numeric reference. (e.g. 12 for key 12 in the current SUIT_Envelope). This approach permits the distributor to edit the COSE_Recipients, which allows a firmware author to include all recipients. The distributor can then remove all but the intended recipient. Federated distributors are also possible, where the COSE_Recipients is reduced at each level of distribution.
3. Break COSE’s existing conventions: set COSE_Recipients to nil in order to represent that COSE_Recipients is detached. This is problematic for two reasons: first, it means that we break compatibility with existing COSE libraries, since they will not expect a detached COSE_Recipients; second, it leaves no way to indicate where to find COSE_Recipients. Instead of ’nil’ we could use an int.
I think we should probably discard Option 3. I worry that Option 2 exposes a number of options for tampering with the COSE_Encrypt. It also means that the parser has to advance past the manifest in order to locate the COSE_Encrypt blocks. The envelope should not contain an enormous number of elements, so it may be acceptable to simply hold a table in memory of the key, start, end of each element of the envelope.
We could enable both 1 and 2 by changing the current SUIT Parameter:
ORIGINAL:
SUIT_Encryption_Info = COSE_Encrypt_Tagged/COSE_Encrypt0_Tagged
PROPOSED:
SUIT_Encryption_Info = int / COSE_Encrypt_Tagged/COSE_Encrypt0_Tagged
Alternatively, we could enable both 1 and 2 by adding a new parameter:
SUIT_Parameters //= (suit-parameter-encryption-ref => int)
Best Regards,
Brendan
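Added example (not part of the original message and not SUIT project code): a sketch of Option 2 with the in-memory table of key, start, end for each envelope element, showing that the digest over the manifest is unchanged when a distributor reduces the recipients element. The envelope layout (a CBOR map of uint keys to byte strings), manifest key 3 and the payload bytes are assumptions constructed for illustration; key 12 is the example number used in the message.

```python
import hashlib
MANIFEST_KEY, ENC_REF = 3, 12   # assumed keys; 12 is the message's own example

def read_head(buf, pos):
    """Decode one CBOR head: (major type, argument, offset after the head)."""
    if pos >= len(buf):
        raise ValueError("truncated item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    if info < 24:
        return major, info, pos + 1
    n = 1 << (info - 24)                      # 1, 2, 4 or 8 argument bytes
    if info > 27 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated head")
    return major, int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def index_envelope(buf):
    """Single pass over a map of uint -> bstr; returns {key: (start, end)}."""
    major, count, pos = read_head(buf, 0)
    if major != 5:
        raise ValueError("envelope is not a map")
    table = {}
    for _ in range(count):
        kmajor, key, pos = read_head(buf, pos)
        vmajor, length, pos = read_head(buf, pos)
        if kmajor != 0 or vmajor != 2 or key in table:
            raise ValueError("expected unique uint key with bstr value")
        if pos + length > len(buf):
            raise ValueError("element overruns envelope")
        table[key] = (pos, pos + length)
        pos += length
    if pos != len(buf):
        raise ValueError("trailing bytes after envelope")
    return table

def element(buf, key):
    start, end = index_envelope(buf)[key]
    return buf[start:end]

def manifest_digest(buf):
    return hashlib.sha256(element(buf, MANIFEST_KEY)).hexdigest()

def build(elements):  # constructed-sample encoder: keys < 24, values < 256 bytes
    head = lambda v: bytes([0x40 | len(v)] if len(v) < 24 else [0x58, len(v)])
    return bytes([0xA0 | len(elements)]) + b"".join(
        bytes([k]) + head(v) + v for k, v in elements.items())

# Constructed placeholders, not real COSE or SUIT encodings.
MANIFEST = b"manifest: encryption-info = 12"
AUTHOR = build({MANIFEST_KEY: MANIFEST, ENC_REF: b"recipients: dev-A, dev-B, dev-C"})
DISTRIBUTED = build({MANIFEST_KEY: MANIFEST, ENC_REF: b"recipients: dev-A"})
```

In this sketch manifest_digest(AUTHOR) equals manifest_digest(DISTRIBUTED) although element 12 differs, which is what lets a distributor trim recipients; it also means nothing covered by that digest tells a device which version of element 12 it received.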