Hi! First a meta comment, sorry for spamming: I’m now answering to both the ACE and the <update> COSE mailing list. If the working group chairs have recommendations on where to keep the continued discussion I’m eager to hear.
Thank you for your review! Some answers to the questions are inline below. > When you sign CBOR, usually it is wrapped in a bstr. This is important > to be able to use typical CBOR encoders/decoders. This doesn’t seem > to be the case here, at least I don’t see it in the text near the end of > section 3. Since this bstr wrapping has become the expected norm we agree this is a good suggestion for an improvement with low overhead, which we will add for the next version. > Was any consideration given to using the COSE algorithm registry rather > than defining a new one? Yes, it is still work in progress to determine if the COSE algorithm registry can accommodate the algorithms deemed useful for inclusion. > But of most interest to me is whether the COSE was considered as the > signing format for native CBOR certs. If COSE is used, then this looks > almost identical to CWT and may be a native CBOR cert is a variant of > a CWT? … … Our starting point has been to stay close to the original X.509 format while minimizing size. A COSE encoding would re-add some format overhead (close to 10% for the provided example certificate). But if a COSE encoding would help making the format accepted and used, it can definitely be further discussed. Once again, thank you for your comments! and Best Regards Joel Höglund *Från:* Ace <[email protected]> för Laurence Lundblade < [email protected]> *Skickat:* den 22 april 2020 17:23 *Till:* Ace Wg <[email protected]> *Ämne:* [Ace] draft-raza-ace-cbor-certificates-04.txt I have a few comments / questions about draft-raza-ace-cbor-certificates-04.txt section 6 on native CBOR certs When you sign CBOR, usually it is wrapped in a bstr. This is important to be able to use typical CBOR encoders/decoders. This doesn’t seem to be the case here, at least I don’t see it in the text near the end of section 3.. Was any consideration given to using the COSE algorithm registry rather than defining a new one? But of most interest to me is whether the COSE was considered as the signing format for native CBOR certs. If COSE is used, then this looks almost identical to CWT and may be a native CBOR cert is a variant of a CWT? One advantage of this would be reuse of some of the CWT (and EAT) code. Some of the fields in the CBOR cert might overlap with CWT claims. That might be a good thing. LL _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
