Hi, In the COSE WG today we discussed the allocations of COSE code points for encryption without MAC, which is not supported by https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-struct-15.
As I understood from the meeting there is support for allocating such code points, but a concern about the associated security issues. For a previous allocation of COSE algorithms with special security considerations, it was requested to specify their use and include relevant security considerations, resulting in RFC 8812. I didn't hear any objection from the meeting for doing the same thing in this case; specifically requesting a specification for how to use COSE_Encrypt0 wrapped in COSE_Mac0 in a secure way. Any comments on that? There was also a proposal to add a new adjective to the Recommended column to the COSE Algorithms registry for such algorithms. I didn't hear any objection to that. JOSE uses "prohibited". Other proposals in the meeting Jabber included: "dangerous", "obsolete", "condemned", "TNT". IMHO reusing JOSE terminology sounds reasonable. Any comments on that? Göran _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
