I am implementing some Ruby code to validate the claims shown in Appendix A of draft-ietf-ace-cbor-web-token-01. It wasn't obvious at first, or maybe I just don't get it, but the examples there are not, I think, signed. We are looking at the content that would get signed.

What I see in A.2 is a claim about a public key, but no signature: "This is then packaged signed and encrypted using COSE."

Are there any plans to provide a signed test vector as part of CWT?

It also seems that perhaps CWT doesn't need all of the modes that ietf-cose-msg provides. Also, cose-msg has 10 further revisions since the -14 that cwt points to... I don't know if there are any things affecting it.

I am currently making sure that I can validate some of the vectors in Appendix C of ietf-cose-msg. I think that the examples are from: https://github.com/cose-wg/Examples

I wonder if the directories could say "c-1-1" or something in them? (or the other way around). I think that:
    C.1.1. Single Signature
is ecdsa-01.json, which has a nice "title":"ECDSA-01: ECDSA - P-256"; maybe that could be in the document?

(My thanks for the LotR inspired keys!)

I am aware that ietf-cose-msg-24 has passed the WGLC...

ietf-cose-msg-24 says on pg 11:

    protected: Contains parameters about the current layer that are to be cryptographically protected. This bucket MUST be empty if it

and after explaining that a zero length string should be used, it says: "This avoids the problem of all parties needing to be able to do a common canonical encoding."

Isn't saying it's a zero-length string, a canonical encoding?

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
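
An added example, not part of the original message and not code from the COSE or CWT drafts: in COSE_Sign1 the protected bucket is carried as a bstr and those bytes go unchanged into the Sig_structure, so two encodings of the same header map, or a zero-length string versus a serialized empty map, produce different to-be-signed bytes. The helper names, the payload and the header byte strings are constructed for illustration, and the minimal CBOR encoder handles only what this structure needs.

```ruby
# Added illustration; helper names and sample bytes are constructed.
# Minimal CBOR encoding, enough for a COSE_Sign1 Sig_structure (lengths < 65536).
def cbor_head(major, n)
  if n < 24 then [(major << 5) | n].pack("C")
  elsif n < 256 then [(major << 5) | 24, n].pack("CC")
  else [(major << 5) | 25, n].pack("Cn")
  end
end

def cbor_bstr(bytes)
  cbor_head(2, bytes.bytesize) + bytes.b
end

def cbor_tstr(str)
  cbor_head(3, str.bytesize) + str.b
end

# Sig_structure = ["Signature1", body_protected, external_aad, payload].
# protected_bytes is the content of the protected bstr exactly as received;
# it is never decoded and re-encoded before signing or verifying.
def sig_structure(protected_bytes, payload, external_aad = "")
  cbor_head(4, 4) + cbor_tstr("Signature1") + cbor_bstr(protected_bytes) +
    cbor_bstr(external_aad) + cbor_bstr(payload)
end

def hex(bytes)
  bytes.unpack1("H*")
end

# Constructed protected-bucket contents.
EMPTY          = ""                          # empty bucket: zero-length bstr
EMPTY_MAP      = ["a0"].pack("H*")           # serialized empty map {}
ALG_DEFINITE   = ["a10126"].pack("H*")       # {1: -7}, definite-length map
ALG_INDEFINITE = ["bf0126ff"].pack("H*")     # {1: -7}, indefinite-length map
PAYLOAD        = "hi"                        # constructed payload

# True when two protected encodings give the same to-be-signed bytes.
def same_tbs?(a, b)
  sig_structure(a, PAYLOAD) == sig_structure(b, PAYLOAD)
end

puts hex(sig_structure(EMPTY, PAYLOAD))
puts hex(sig_structure(EMPTY_MAP, PAYLOAD))
puts "definite vs indefinite map, same TBS? #{same_tbs?(ALG_DEFINITE, ALG_INDEFINITE)}"
```

A verifier that decodes the protected map and re-serializes it before building the Sig_structure can fail on a valid signature whenever its encoder makes different choices than the sender's.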