New comment from Laurance on GitHub pointing out that proof-of-possesion is not enough. I think this point to that COSE integrity protection of the end-entity certificate needs to be MUST.
Cheers, John https://github.com/cose-wg/X509/pull/35 This doesn't address the case where a CA correctly and intentionally issued two certs for the same key with different characteristics (e.g., key use, expiration, other extensions) and the attacker swapped them. Maybe this: "When any field in a certificate beyond the key (e.g., key use, expiration, other extensions) is used in security decisions by the receiver, the COSE header containing or referencing the certificate should be in the protected bucket"." -----Original Message----- From: John Mattsson <[email protected]> Date: Thursday, 11 March 2021 at 08:33 To: Carsten Bormann <[email protected]> Cc: cose <[email protected]> Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08 Yes it probably better to register a new media type. E.g.: application/cose-x509-chain Let's discuss tomorrow. Cheers, John -----Original Message----- From: Carsten Bormann <[email protected]> Date: Wednesday, 10 March 2021 at 21:03 To: John Mattsson <[email protected]> Cc: cose <[email protected]> Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08 On 24. Feb 2021, at 10:35, John Mattsson <[email protected]> wrote: > > - Added media type application/cbor for a COSE_X509 chain. Why is that the right media type? (We have specific ones for everything else, no?) Grüße, Carsten _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
