I wouldn’t say MUST, just highly recommended. If there is consensus for MUST I won’t object considering that the cost of protection is low for all the uses I can imagine.
LL

> On Mar 11, 2021, at 11:35 PM, John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
>
> New comment from Laurance on GitHub pointing out that proof-of-possession is not enough. I think this points to that COSE integrity protection of the end-entity certificate needs to be MUST.
>
> Cheers,
> John
>
> https://github.com/cose-wg/X509/pull/35
>
> This doesn't address the case where a CA correctly and intentionally issued two certs for the same key with different characteristics (e.g., key use, expiration, other extensions) and the attacker swapped them.
>
> Maybe this: "When any field in a certificate beyond the key (e.g., key use, expiration, other extensions) is used in security decisions by the receiver, the COSE header containing or referencing the certificate should be in the protected bucket".
>
> -----Original Message-----
> From: John Mattsson <john.matts...@ericsson.com>
> Date: Thursday, 11 March 2021 at 08:33
> To: Carsten Bormann <c...@tzi.org>
> Cc: cose <cose@ietf.org>
> Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08
>
> Yes, it is probably better to register a new media type. E.g.:
>
> application/cose-x509-chain
>
> Let's discuss tomorrow.
>
> Cheers,
> John
>
> -----Original Message-----
> From: Carsten Bormann <c...@tzi.org>
> Date: Wednesday, 10 March 2021 at 21:03
> To: John Mattsson <john.matts...@ericsson.com>
> Cc: cose <cose@ietf.org>
> Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in draft-ietf-cose-x509-08
>
> On 24. Feb 2021, at 10:35, John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
>>
>> - Added media type application/cbor for a COSE_X509 chain.
>
> Why is that the right media type?
> (We have specific ones for everything else, no?)
>
> Regards, Carsten
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
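
The swap case described in the quoted GitHub comment, as an added example that is not part of the original thread or of the draft: it builds the COSE_Sign1 Sig_structure (RFC 8152) with a minimal CBOR encoder and shows that a certificate swap changes the signed bytes only when x5chain (header label 33) is in the protected bucket. The two certificate byte strings and all function names are constructed for illustration.

```python
import struct

def cbor(obj):
    """Minimal CBOR encoder: ints, bytes, text, list and dict only."""
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        if n < 256:
            return bytes([major << 5 | 24, n])
        return bytes([major << 5 | 25]) + struct.pack(">H", n)
    if isinstance(obj, int):
        return head(0, obj) if obj >= 0 else head(1, -1 - obj)
    if isinstance(obj, bytes):
        return head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode()
        return head(3, len(data)) + data
    if isinstance(obj, list):
        return head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    if isinstance(obj, dict):
        return head(5, len(obj)) + b"".join(cbor(k) + cbor(v) for k, v in obj.items())
    raise TypeError(type(obj))

ALG, ES256 = 1, -7   # COSE "alg" header label and the ES256 algorithm id
X5CHAIN = 33         # COSE header label for x5chain

def to_be_signed(protected, payload, external_aad=b""):
    """Sig_structure for COSE_Sign1; the unprotected bucket is not an input."""
    prot = cbor(protected) if protected else b""
    return cbor(["Signature1", prot, external_aad, payload])

# Constructed stand-ins for two DER certificates a CA issued for the same key.
CERT_A = b"same key, keyUsage=digitalSignature, notAfter=2022"
CERT_B = b"same key, keyUsage=keyEncipherment, notAfter=2031"

def swap_changes_signed_bytes(bucket):
    """True if replacing CERT_A with CERT_B would invalidate the signature."""
    def signed_bytes(cert):
        protected, unprotected = {ALG: ES256}, {}
        target = protected if bucket == "protected" else unprotected
        target[X5CHAIN] = cert
        return to_be_signed(protected, b"payload")
    return signed_bytes(CERT_A) != signed_bytes(CERT_B)

if __name__ == "__main__":
    for bucket in ("protected", "unprotected"):
        print(bucket, "-> swap detected:", swap_changes_signed_bytes(bucket))
```
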