For EAT, putting the profile claim in a header could be really useful, especially if the EAT is encrypted.
The profile claim tells you the something about the format and type of the EAT, maybe even which processor to hand it off too. It’s nice to be able to do the hand off without having to decrypt and verify. The intended use claim is another good candidate for this header. I like the addition a lot. LL > On Mar 13, 2022, at 1:47 PM, Tobias Looker <[email protected]> wrote: > > Hi Hannes, > > I can elaborate. > > Encrypted CWTs - In some circumstances CWT claims can be useful to have > available for processing prior to decryption. For example the iss claim can > be used to indicate to a recipient of an encrypted CWT how it should be > decrypted, by informing the recipient who encrypted (and potentially signed) > it. > > Detached Signature - In cases where a detached signature COSE structure is > being used the payload can be un-available (or of invalid form) to express > CWT claims. A concrete example is being able to express who signed the > detached signature structure (using the iss claim) and when it expires (using > the exp claim). > > Thanks, > > <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0> > > > Tobias Looker > MATTR > CTO > +64 (0) 27 378 0461 > [email protected] <mailto:[email protected]> > > <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0> > > > <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1SbN9fvNg%26u%3Dhttps%253a%252f%252fwww.linkedin.com%252fcompany%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076719975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=t%2BidOI32oaKuTJf1AkcG%2B%2FirIJwbrgzXVZnjOAC52Hs%3D&reserved=0> > > > <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WdMte6ZA%26u%3Dhttps%253a%252f%252ftwitter.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BD9WWyXEjVGlbpbCja93yW%2FzLJZpe%2Ff8lGooe8V6i7w%3D&reserved=0> > > > <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiWwGdMoDtMw%26u%3Dhttps%253a%252f%252fgithub.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=4AhRuXZCnU5i3hcngo4H3UiNayYUtXpRcImV4slS1mw%3D&reserved=0> > > This communication, including any attachments, is confidential. If you are > not the intended recipient, you should not read it - please contact me > immediately, destroy it, and do not copy or use any part of this > communication or disclose anything about it. Thank you. Please note that this > communication does not designate an information system for the purposes of > the Electronic Transactions Act 2002. > > From: Hannes Tschofenig <[email protected] > <mailto:[email protected]>> > Sent: 12 March 2022 01:45 > To: Mike Jones <[email protected] > <mailto:[email protected]>>; Anders Rundgren > <[email protected] <mailto:[email protected]>>; > Laurence Lundblade <[email protected] <mailto:[email protected]>> > Cc: Tobias Looker <[email protected] > <mailto:[email protected]>>; [email protected] <mailto:[email protected]> > <[email protected] <mailto:[email protected]>> > Subject: RE: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in > COSE Headers > > EXTERNAL EMAIL: This email originated outside of our organisation. Do not > click links or open attachments unless you recognise the sender and know the > content is safe. > > Hi Mike, > > maybe you can give examples of where this feature is used in JWTs, which > would explain why you want to have it in CWTs as well. > > Ciao > Hannes > > From: Mike Jones <[email protected]> > Sent: Thursday, March 3, 2022 6:02 PM > To: Hannes Tschofenig <[email protected]>; Anders Rundgren > <[email protected]>; Laurence Lundblade <[email protected]> > Cc: Tobias Looker <[email protected]>; [email protected] > Subject: RE: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in > COSE Headers > > We are *definitely* not attempting to change anything about COSE message > processing, including how encryption is done. We are defining an additional > header parameter that can be used – that’s it. > > -- Mike > > From: Hannes Tschofenig <[email protected] > <mailto:[email protected]>> > Sent: Thursday, March 3, 2022 1:45 AM > To: Anders Rundgren <[email protected] > <mailto:[email protected]>>; Laurence Lundblade > <[email protected] <mailto:[email protected]>>; Mike Jones > <[email protected] <mailto:[email protected]>> > Cc: Tobias Looker <[email protected] > <mailto:[email protected]>>; [email protected] <mailto:[email protected]> > Subject: RE: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in > COSE Headers > > Hi Anders, > > Thanks for jumping in. > > The example you provide below is actually quite interesting and related to a > question I posted to the list a few days ago > (seehttps://mailarchive.ietf.org/arch/msg/cose/9nowDz5kbfUvrGR-o6U1Tm31XAA/ > <https://mailarchive.ietf.org/arch/msg/cose/9nowDz5kbfUvrGR-o6U1Tm31XAA/>). > > I am not sure whether the intention of Tobias & Mike are actually to > re-define the way how encryption is accomplished. They should confirm. > > Ciao > Hannes > > From: Anders Rundgren <[email protected] > <mailto:[email protected]>> > Sent: Thursday, March 3, 2022 8:39 AM > To: Laurence Lundblade <[email protected] > <mailto:[email protected]>>; Mike Jones > <[email protected] > <mailto:[email protected]>> > Cc: Hannes Tschofenig <[email protected] > <mailto:[email protected]>>; Tobias Looker > <[email protected] > <mailto:[email protected]>>; [email protected] > <mailto:[email protected]> > Subject: Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in > COSE Headers > > On 2022-03-02 19:33, Laurence Lundblade wrote: > Makes sense to me. Helps out for the EAT claim named “profile” which gives > information about the type of the token you might want before fully verifying > it. Addresses an issue Anders brought up about the profile claim. > > Not so fast :) I brought up a bunch of things which can be illustrated by > this (just implemented...) example of an encryption object: > > 211(["https://example.com/myobject"; <https://example.com/myobject>, { > / COSE content encryption algorithm = A256GCM / > 1: 3, > / Key encryption container / > 2: { > / COSE Key encryption algorithm = ECDH-ES+A256KW / > 1: -31, > / Key identifier / > 3: "mykey", > / Ephemeral key / > 5: { > / COSE Key type = OKP / > 1: 1, > / COSE Curve = X25519 / > -1: 4, > / COSE X coordinate / > -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929' > }, > / Encrypted key / > 10: > h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba' > }, > / Tag / > 8: h'59a84826983e3247fbec4295f75cc138', > / IV / > 9: h'fd8556c122cff2bc128d5119', > / Encrypted data / > 10: > h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60' > }]) > > The core of this builds on Deterministic CBOR which unleashes the true power > of CBOR in a way legacy solutions do not. The enhancements include: > Eliminating wrapping of header and (unencrypted) application data. > Using the entire container (modulo the algorithm output variables which are > added lastly) as input to a signature process and to the authentication part > of an encryption process. In the example that includes the top-level CBOR > tag as well. cryptoOperation(cborObject.encode()) is all that it takes on > the encoder's side. > This is pretty much what the X.509 folks have been doing from the very start > so there is close to zero innovation here 😁 > > In the example I have also used a URL as profile/object type indicator since > IANA CBOR custom tag 1537244 or whatever you end-up with, simply isn't pretty > enough :) To be more serious: URLs are decentralized and would in this > context probably be browseable as well. > > Cheers, > Anders > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you.
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
