Jim Schaad wrote: > In short, I don't believe that we need to fill in the space where one of > these fields is not present as I have not been able to see how it will be > usable as realistic attack vector.
I agree that this is a bit far-fetched. As I said, I don't know how to construct an attack either, but as a matter of principle I wouldn't build something that even provides a potential for, say, an attacker-provided nonce turning up as if it were a party identifier. And, the cost of "fixing" this is quite limited. (But I'm not insisting on anything here.) Grüße, Carsten _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
