Thanks for the review, J.C. and Kevin. Replies are inline below, prefixed by
"Mike>".
Best wishes,
-- Mike
-----Original Message-----
From: COSE <[email protected]> On Behalf Of J.C. Jones
Sent: Thursday, August 15, 2019 2:15 PM
To: [email protected]
Cc: Kevin Jacobs <[email protected]>
Subject: [COSE] Feedback on draft-ietf-cose-webauthn-algorithms-01
All,
We reviewed draft-ietf-cose-webauthn-algorithms-01 and only have a pair of
comments about the security considerations.
Regarding section 5.3:
While section 5.2 refers to RFC7518's guidance, currently 5.3 does not. Perhaps
note in 5.3 something akin to "if you have an existing implementation, the
exponent restrictions from RFC7518 also apply."
Mike> Good suggestion. I'd be glad to do that.
Regarding section 5.4:
The first sentence uses the FIPS186-3 form P-256 when everything else in this
document would imply we'd refer to it as secp256r1, though rfc8152bis uses the
P-256 form. Perhaps all readers of this document would be able to avoid
confusion, but since it's a section _about_ confusion, it seems worth pointing
out. Perhaps a parenthetical could be added?
Mike> I propose to add a reference to "[RFC 7518]" after "P-256" to make it
clear where the definition that we are using originates.
Kevin Jacobs and J.C. Jones
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose