Jim,

Your suggestion of expressing the filter by way of text in the CoSWID draft 
would provide a path forward. This approach is less clear cut as it leaves the 
implementer to decide which algorithms are "hash algorithms". This will likely 
lead to different implementations choosing a different set of algorithms. To 
address this, I guess we will need to include some text that makes sure that a 
parser will not fail the parse when encountering an unsupported hash algorithm 
identifier.

Any other ideas that might provide a clearer solution?

Thanks,
Dave

________________________________
From: Jim Schaad <[email protected]>
Sent: Monday, November 18, 2019 9:24 PM
To: Waltermire, David A. (Fed) <[email protected]>; [email protected] 
<[email protected]>
Cc: 'sacm' <[email protected]>
Subject: RE: [COSE] [sacm] CoSWID review


Do you believe that there is an issue where you cannot say: use the values 
from registry X and this must be a hash algorithm, without trying to do some 
type of filter? If we do a filter then we start playing the game of naming all 
of the different types of algorithms and potentially need to deal with 
algorithms which would have two algorithm type labels.



Jim

From: COSE <[email protected]> On Behalf Of Waltermire, David A. (Fed)
Sent: Tuesday, November 19, 2019 9:52 AM
To: [email protected]
Cc: sacm <[email protected]>
Subject: Re: [COSE] [sacm] CoSWID review



COSE WG,



I accidentally sent the last email early. Please ignore it.



Kathleen provided comments below on draft-ietf-sacm-coswid suggesting that we 
use the COSE proposed algorithm identifiers for hashes in CoSWID. We are 
currently using the entries in the IANA Named Information Hash Algorithm 
Registry. It would be great to align with the COSE hash algorithms, but I can't 
figure out a way to point to only the hash algorithms in the COSE Algorithms 
registry. We can point to the draft-ietf-cose-hash-algs once it's published as 
an RFC, but this would be less agile in the face of future updates to COSE hash 
algorithms. It would be very useful if the COSE Algorithms registry has a column 
for algorithm type. That way we could select only the hash algorithms.



Do you have any suggestions on how we might move forward?



Regards,

Dave Waltermire



________________________________

From: Waltermire, David A. (Fed) <[email protected]>
Sent: Monday, November 18, 2019 8:39 PM
To: [email protected] <[email protected]>
Cc: sacm <[email protected]>
Subject: Fw: [sacm] CoSWID review

On Sun, Nov 17, 2019 at 6:45 AM Kathleen Moriarty <[email protected]> wrote:

Hi Dave,



On Sun, Nov 17, 2019 at 3:02 AM Dave Waltermire <[email protected]> wrote:

Kathleen,



Thank you for the review. I have addressed your comments in the latest draft. 
Some comments on your comments are inline below.



From: sacm <[email protected]> on behalf of Kathleen Moriarty <[email protected]>
Date: Fri, October 25, 2019 11:57 PM +0800
To: "<[email protected]>" <[email protected]>
Subject: [sacm] CoSWID review





Section 2.6:

A Thumbprint is specified in this section, should this be referenced for 
clarity on hashes with COSE for object identification: 
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/

Would it be better to tie to the COSE set of supported algorithms (they likely 
match, but I didn't verify)?



The IANA COSE Algorithms registry contains other types of algorithms beyond 
hash algorithms. To use this registry, we would need to list the hash-specific 
algorithms, which is less ideal. It's a shame this registry isn't broken out by 
algorithm type, which would make this decision easy. With the IANA "Named 
Information Hash Algorithm Registry", we get only hash algorithms, which is 
what we are looking for. Can you live with use of the IANA "Named Information 
Hash Algorithm Registry"?



COSE is open as is their main draft.  This is a problem that can likely be 
solved this week...  Talk to Jim. Let me and the list know what's possible.