Hi,

When we discussed this at the meeting it was agreed to change application/cbor 
to something more specific. The PR now uses "application/cose-x509-chain" and 
has the text "When the application/cose-x509-chain media type is used, the data 
is a COSE_X509 structure containing a chain."

I just noticed that an IANA section registering the media type is missing. I 
will add that to the PR. But before I do that:

- Is application/cose-x509-chain the right thing?
- Or should it be application/cose-x509 allowing for both bag and chain?
- Or should there be two media types application/cose-x509-chain and 
application/cose-x509-bag?

x5bag and x5chain separate bag and chain, while x5u could be either. Knowing 
that it is a chain simplifies processing, but removes the option to transfer 
additional certificates.

Cheers,
John

From: John Mattsson <[email protected]>
Date: Thursday, 13 May 2021 at 13:07
To: cose <[email protected]>
Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in 
draft-ietf-cose-x509-08
Hi,

https://github.com/cose-wg/X509/pull/35

There are three remaining discussions related to the PR that have to be 
concluded before merging the PR.

- Two of the discussions are more editorial comments from Ben.

- The third discussion is in my understanding more high-level and depends on 
what COSE can require/expect/get information about from the CA(s). It also 
depends on how much COSE should protect people from shooting themselves in the 
foot.

The current text is

"Unless it is known that the CA required proof-of-possession of the subject's 
private key to issue an end-entity certificate, the end-entity certificate MUST 
be integrity protected by COSE."

Laurence commented that this is not enough and that the endpoints should agree 
on which end-entity certificate is used. CAs may issue several certificates 
with the same public key, and different CAs may issue several certificates with 
the same public key.

Michael commented that this is overkill. There is also a discussion whether the 
requirement should be MUST or SHOULD.

At a minimum I think the draft needs a security consideration that discusses that 
there might be many certificates with the same public key and unless things are 
put in the protected header, the two endpoints might have different views on 
which certificate was used.

I think this needs to be discussed on the list.

Cheers,
John


_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
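
The concern raised in the thread above (several certificates can carry the same public key, so a valid signature alone does not tell the two endpoints which certificate was used) can be reproduced in a few lines. This is an added example, not part of the original e-mails or the draft; the toy RSA key, the byte-string "certificates", the `cert-sha256` field name and the simplified to-be-signed encoding are constructed stand-ins for real X.509, CBOR and COSE header parameters.

```python
import hashlib

# Toy textbook RSA (constructed key, no padding, NOT secure): the signer's key pair.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537      # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(data, modulus):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def fingerprint(cert):
    return hashlib.sha256(cert).hexdigest().encode()

# Constructed "certificates": two different certificates for the SAME public key,
# issued by different CAs. Real ones would be DER-encoded X.509.
CERT_A = b"subject=device-1;issuer=CA-1;key=%d" % N
CERT_B = b"subject=guest-7;issuer=CA-2;key=%d" % N

def to_be_signed(protected, payload):
    # Simplified stand-in for the COSE Sig_structure: the signature covers the
    # protected header and the payload, nothing else.
    return len(protected).to_bytes(4, "big") + protected + payload

def make_message(payload, bind_cert=None):
    protected = b"alg=toy-rsa"
    if bind_cert is not None:                       # hypothetical field name
        protected += b";cert-sha256=" + fingerprint(bind_cert)
    sig = pow(_digest(to_be_signed(protected, payload), N), D, N)
    return {"protected": protected, "payload": payload, "sig": sig}

def accepts(msg, cert):
    """True if a verifier that resolved `cert` accepts the message."""
    key = int(cert.rsplit(b"key=", 1)[1])
    tbs = to_be_signed(msg["protected"], msg["payload"])
    if pow(msg["sig"], E, key) != _digest(tbs, key):
        return False
    fields = dict(f.split(b"=", 1) for f in msg["protected"].split(b";"))
    bound = fields.get(b"cert-sha256")
    return bound is None or bound == fingerprint(cert)

if __name__ == "__main__":
    unbound = make_message(b"unlock")
    bound = make_message(b"unlock", bind_cert=CERT_A)
    print("unbound:", accepts(unbound, CERT_A), accepts(unbound, CERT_B))
    print("bound:  ", accepts(bound, CERT_A), accepts(bound, CERT_B))
```

Without the binding, the message verifies under either certificate, so sender and receiver can disagree on the identity; with the certificate hash inside the signed header, only the intended certificate is accepted.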
