> On Oct 21, 2020, at 1:27 PM, Benjamin Kaduk <[email protected]> wrote:
> 
> On Wed, Oct 21, 2020 at 12:54:44PM -0700, Laurence Lundblade wrote:
>> 
>>> On Oct 21, 2020, at 10:58 AM, Benjamin Kaduk via Datatracker 
>>> <[email protected]> wrote:
>>> 
>>>  x5t:  This header parameter provides the ability to identify an X.509
>>>     certificate by a hash value.  The attribute is an array of two
>>> 
>>> I suggest using the word "thumbprint" somewhere to motivate the 't' in
>>> "x5t".
>> 
>> Using “thumbprint” makes sense to me, though it was changed from thumbprint 
>> to fingerprint in March 
>> <https://github.com/cose-wg/X509/commit/32c2bf2b2411250f6d9232b43ae0813ac9d88a44>.
>>  
> 
> My point was more that we're effectively tied to the "x5t" symbol for JOSE
> parity, and even if we want to call the thing it carries a "fingerprint",
> we should still use the word "thumbprint" once to explain the mnemonic
> value of the 't'.

Makes sense.

> 
>> Is it the common understanding that this “x5t” identifies the end-entity 
>> cert like subjectKeyIdentifier does for CMS 
>> <https://tools.ietf.org/html/rfc5652#section-5.3>? I can’t imagine what else 
>> it would identify, but it seems saying this explicitly would be helpful. CMS 
>> certainly is explicit and detailed on this.
> 
> That's what I assumed, but probably worth a mention (one could, of course,
> identify a CA by fingerprint as well).

The identification of the CA(s) would be in the X.509 certs in the Subject Key 
Identifier or such. Don’t think x5t would ever identify a CA (unless the cert 
is both an end-entity and CA cert).

I worry a little about ambiguity if you receive a COSE with an x5chain, an 
x5bag and an x5t.  In particular x5t and x5chain both identify the end-entity 
cert. Which has precedence? Since the point of x5chain is to avoid the work of 
cert path construction, I’d say that if it is present, use that. If x5chain 
processing fails, the whole processing fails. If every (constrained node) 
implementation must fall back to cert path construction using x5bag, then there 
would be no savings in using x5chain.

LL
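As an added example (not part of the thread, the draft, or any COSE implementation), the following Python sketches the precedence rule proposed above: an x5t value is the array [hashAlg, hash(DER cert)]; if x5chain is present its end-entity cert is used and must agree with x5t or processing fails; only when x5chain is absent is x5bag searched by thumbprint. Assumptions beyond what the thread states: the COSE hash algorithm identifiers for SHA-256 (-16) and SHA-512 (-44) as later registered by RFC 9054, the x5chain convention that the first element is the end-entity cert and a lone cert may be carried as a bare bstr, and constructed byte strings standing in for DER certificates so it runs offline.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Sequence, Union

# COSE hash algorithm identifiers (RFC 9054 registry; assumed here, not from the thread).
COSE_ALG_SHA256 = -16
COSE_ALG_SHA512 = -44

_HASHES: Dict[int, Callable[[bytes], "hashlib._Hash"]] = {
    COSE_ALG_SHA256: hashlib.sha256,
    COSE_ALG_SHA512: hashlib.sha512,
}

X5t = List[Union[int, bytes]]
X5chain = Union[bytes, Sequence[bytes]]  # single cert as bstr, or array with end-entity first


def x5t(cert_der: bytes, alg: int = COSE_ALG_SHA256) -> X5t:
    """Build an x5t header value: [hashAlg, hash over the certificate's DER bytes]."""
    if alg not in _HASHES:
        raise ValueError(f"unsupported COSE hash algorithm {alg}")
    return [alg, _HASHES[alg](cert_der).digest()]


def x5t_matches(thumbprint: X5t, cert_der: bytes) -> bool:
    """True if the thumbprint identifies this certificate (constant-time digest compare)."""
    if len(thumbprint) != 2:
        raise ValueError("x5t must be a two-element array")
    alg, digest = thumbprint
    if alg not in _HASHES:
        raise ValueError(f"unsupported COSE hash algorithm {alg}")
    return hmac.compare_digest(_HASHES[alg](cert_der).digest(), digest)


def end_entity_of_chain(chain: X5chain) -> bytes:
    """x5chain carries the end-entity cert first; a lone cert may be a bare bstr (assumed convention)."""
    if isinstance(chain, (bytes, bytearray)):
        return bytes(chain)
    if len(chain) == 0:
        raise ValueError("empty x5chain")
    return chain[0]


def select_end_entity(
    x5t_hdr: Optional[X5t],
    x5chain: Optional[X5chain],
    x5bag: Optional[Sequence[bytes]],
) -> bytes:
    """Precedence proposed in the thread: x5chain wins; if it is present and
    inconsistent with x5t, fail the whole message rather than fall back to x5bag."""
    if x5chain is not None:
        leaf = end_entity_of_chain(x5chain)
        if x5t_hdr is not None and not x5t_matches(x5t_hdr, leaf):
            raise ValueError("x5t does not match the x5chain end-entity certificate")
        return leaf
    if x5t_hdr is None:
        raise ValueError("no x5chain and no x5t: cannot identify the end-entity certificate")
    for cert in x5bag or ():
        if x5t_matches(x5t_hdr, cert):
            return cert
    raise ValueError("no certificate in x5bag matches x5t")


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded certificates (not real certificates).
    LEAF = b"constructed-end-entity-cert-DER"
    CA = b"constructed-ca-cert-DER"
    thumb = x5t(LEAF)
    print("x5t:", thumb[0], thumb[1].hex())
    print("via x5chain:", select_end_entity(thumb, [LEAF, CA], None) == LEAF)
    print("via x5bag:  ", select_end_entity(thumb, None, [CA, LEAF]) == LEAF)
```

Note that a mismatch between x5t and the x5chain leaf is treated as a hard error even when a matching cert sits in x5bag; that is the point of the argument above that a mandatory fallback to path construction would erase the savings of x5chain.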



_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
