Hi, Thanks for all the reviews and comment during summer and autumn! The comments have indicated that the CBOR certificates should support a much larger subset of RFC 5280, that the draft should not be so much of a profile, but also that any updates should not expand the certificate sizes for the most constrained use cases. We think this is possible to achieve.
We have submitted draft-mattsson-cose-cbor-cert-compress-02. Changes are: - Changed terminology to "natively signed" - Completely changes the encoding of issuer and subject. The new encoding supports encoding of sequences of sets of attribute types and values. The encoding should be able to handle any attribute type encoded as utf8string and printableString. Is that enough or do we need to support also legacy teletexString, universalString, bmpString, Ia5string? Is any attributeType missing or are the MUST and SHOULD support in RFC 5280 enough? - Moved signatureAlgorithm so it comes before signatureValue. Made the algorithms explicit and split them into two items. - Extension text moved to separate paragraph. We made some small changes to the extension coding, but based on the discussion and suggestions to support much more, we believe the encoding might have to change quite much. We plan to make further updates after the group has agreed on what to support. - Split CDDL into certificate and tbsCertificate similar to RFC 5280 to not have to duplicate CDDL. - New section of compliance requirements. We did not have to address all the comments in -02 and have already starting to work on -03, which we plan to submit during IETF week. If you want to review, please review the GitHub version https://ericssonresearch.github.io/CBOR-certificates/draft-mattsson-cose-cbor-cert-compress.html Changes in -03 so far: - Added GeneralizedTime as suggested by Jim. We also addresses an issue in that the old encoding could not encode leap seconds (which X.509 can). To enable this we swiched from uint to bytes, where a byte string of length 4 represent a UTCTime and a byte string of length 5 represent a GeneralizedTime. - Changed from TLS compression algorithms to TLS certificate Type as suggested by Ilari. This also enables CBOR certificates to be used with a general compression algorithm in TLS, which is not helping for very contrained certificates but probably reduce the size quite much for non-IoT cbor certificates with a lot of character strings. - We looked into which algorithms can be supported without parameters. Proposal is to not support algorithms with parameters except namedcurves. Looking at RSA-PSS with SHAKE, X25519, Ed25519, and hash-bases algorithms it seems like all new algorithms will be specified without parameters. Do people feel that any algorithms with paramaters should be supported? Algorithms that use parameters are e.g. RSA-PSS keys and signatures with SHA2, ECC keys without named curves. - More strict text on several parts regarding encoding. Cheers, John -----Original Message----- From: "[email protected]" <[email protected]> Date: Monday, 2 November 2020 at 12:34 To: Göran Selander <[email protected]>, Joel Hoglund <[email protected]>, Martin Furuhed <[email protected]>, John Mattsson <[email protected]>, Shahid Raza <[email protected]>, Göran Selander <[email protected]>, John Mattsson <[email protected]>, Joel Höglund <[email protected]> Subject: New Version Notification for draft-mattsson-cose-cbor-cert-compress-02.txt A new version of I-D, draft-mattsson-cose-cbor-cert-compress-02.txt has been successfully submitted by =?utf-8?q?G=C3=B6ran_Selander?= and posted to the IETF repository. Name: draft-mattsson-cose-cbor-cert-compress Revision: 02 Title: CBOR Profile of X.509 Certificates Document date: 2020-11-02 Group: Individual Submission Pages: 19 URL: https://www.ietf.org/archive/id/draft-mattsson-cose-cbor-cert-compress-02.txt Status: https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/ Htmlized: https://datatracker.ietf.org/doc/html/draft-mattsson-cose-cbor-cert-compress Htmlized: https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress-02 Diff: https://www.ietf.org/rfcdiff?url2=draft-mattsson-cose-cbor-cert-compress-02 Abstract: This document specifies a CBOR encoding/compression of RFC 7925 profiled certificates. By using the fact that the certificates are profiled, the CBOR certificate compression algorithms can in many cases compress RFC 7925 profiled certificates with over 50%. This document also specifies COSE headers for CBOR encoded certificates as well as the use of the CBOR certificate compression algorithm with TLS Certificate Compression in TLS 1.3 and DTLS 1.3. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
