Chairs and AD,

As was raised in the latest COSE virtual interim, there is at least one GitHub issue related to x5u that is not resolved according to some people in the WG:

https://github.com/cose-wg/X509/issues/31

I also agree with the issue that it is not clear what the trust relationship is and why integrity protection is needed when fetching the certificate in this case, which is not the case for the other COSE header parameters x5t, x5bag, x5chain defined in this draft. For these header parameters it is assumed that the certificate is verified, and that suffices to determine if it is trusted. If trust relations are relevant here, the description also seems to be missing the trust relationship between the party hosting the referred-to resource and the party requesting the certificate.

I'm sorry that this comment comes very late. Further comments below should also have been raised much earlier, but I, at least, did not pay attention to this before Laurence highlighted this issue.

Other comments on the x5u text:

"The URI provided MUST provide integrity protection and server authentication. For example, an HTTP or CoAP GET request to retrieve a certificate MUST use TLS [RFC8446] or DTLS [I-D.ietf-tls-dtls13]."

Why can't CoAP be protected by OSCORE?

"The referenced resource can be any of the following media types:

* application/pkix-cert [RFC2585]
* application/pkcs7-mime; smime-type="certs-only" [RFC8551]"

To enable more efficient coding and avoid implementation of pkcs7, could we also allow media type application/cbor containing a COSE_X509, as defined in the same section?

Göran

On 2021-01-29, 15:57, "COSE on behalf of Barry Leiba" <[email protected] on behalf of [email protected]> wrote:

    Chairs,

    There are some non-blocking comments from Ben Kaduk on this version. Will there be document changes to address them, or do you want to go forward with version -08?

    Barry

    _______________________________________________
    COSE mailing list
    [email protected]
    https://www.ietf.org/mailman/listinfo/cose
