Hi,

https://github.com/cose-wg/X509/pull/35

There are three remaining discussions related to the PR that have to be concluded before merging the PR.

- Two of the discussions are more editorial comments from Ben.

- The third discussion is, in my understanding, more high-level and depends on what COSE can require/expect/get information about from the CA(s). It also depends on how much COSE should protect people from shooting themselves in the foot.

The current text is

"Unless it is known that the CA required proof-of-possession of the subject's private key to issue an end-entity certificate, the end-entity certificate MUST be integrity protected by COSE."

Laurance commented that this is not enough and that the endpoints should agree on which end-entity certificate is used. CAs may issue several certificates with the same public key, and different CAs may issue several certificates with the same public key. Michael commented that this is overkill. There is also a discussion whether the requirement should be MUST or SHOULD.

At a minimum I think the draft needs a security consideration that discusses that there might be many certificates with the same public key and unless things are put in the protected header, the two endpoints might have different views on which certificate was used.

I think this needs to be discussed on the list.

Cheers,
John
