Hi John, Is our intention that a chain is a CBOR sequence or is it a CBOR data item (an array)? It seems the current text says it is a single data item.
> On 2021-05-24, at 12:00, John Mattsson > <[email protected]> wrote: > > Hi, > > When we discussed this at the meeting is was agreed to change > application/cbor to something more specific. The PR now use > "application/cose-x509-chain". And has the text "When the > application/cose-x509-chain media type is used, the data is a COSE_X509 > structure containing a chain." > > I just noticed that an IANA section registering the media type is missing. I > will add that to the PR. But before I do that: > > - Is application/cose-x509-chain the right thing? > - Or should it be application/cose-x509 allowing for both bag and chain? > - Or should there be two media types application/cose-x509-chain and > application/cose-x509-bag? That depends on whether the media type is needed to make the semantic distinction or that is taken from the context (here: header parameter). The 8152 style was to have a single application/cose that would be further qualified by either an optional addition CBOR tag or an optional media-type parameter (cose-type=“…”). (And don’t forget to define CoRE Content-Formats…) Grüße, Carsten > x5bag and x5chain separates bag and chain, while x5u could be either. Knowing > that it is a chain simplifies processing, but removes the option to transfer > additional certificates. > > Cheers, > John > > From: John Mattsson <[email protected]> > Date: Thursday, 13 May 2021 at 13:07 > To: cose <[email protected]> > Subject: Re: [COSE] Pull-request addressing issues #29 #30 #31 #33 in > draft-ietf-cose-x509-08 > > Hi, > > https://github.com/cose-wg/X509/pull/35 > > There are three remaining discussions related to the PR that has to be > concluded before merging the PR. > > - Two of the discussion are more editorial comments from Ben. > > - The third discussion is in my understanding more high-level and depend on > what COSE can require/expect/get information about from the CA(s). It also > depends on how much COSE should protect people from shooting themselves in > the foot. > > The current text is > > "Unless it is known that the CA required proof-of-possession of the subject's > private key to issue an end-entity certificate, the end-entity certificate > MUST be integrity protected by COSE." > > Laurance commented that this is not enough and that the endpoints should > agree on which end-entity certificate is used. CAs may issue several > certificates with the same public key, and different CAs may issue several > certificates with the same public key. > > Michael commented that this is overkill. There is also a discussion whether > the requirement should be MUST or SHOULD. > > At a minimum I think the draft needs security consideration that discusses > that there might be many certificates with the same public key and unless > things are put in the protected header, the two endpoints might have > different views on which certificate was used. > > I think this needs to be discussed on the list. > > Cheers, > John > > > > _______________________________________________ > COSE mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/cose _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
