> On Mar 23, 2022, at 11:24 AM, Ilari Liusvaara <[email protected]> wrote:
>
> On Mon, Mar 21, 2022 at 02:13:50PM +0100, Laurence Lundblade wrote:
>> Thinking about Mike’s comment today in COSE/Vienna about backwards
>> compatibility. Looked at my code around this. That definitely seems
>> like an issue.
>
> What does your code do if it encounters a recipient with int kid?
>
> 1. Treats the entire message as malformed?
> 2. Ignores the recipient?
> 3. Something else? What?
>
>
> And it is the implementations that do 1. (or 3. with some oddball
> semantics) that worry me the most here. Not so much 2., as such
> recipient is probably not correct anyway.

For option A, t_cose would reject the whole message. For option B or C, t_cose would accept the message unless intkid was marked as critical, in which case it would correctly reject the message. There would be no way to get the intkid or even know it exists, though a future version of t_cose will be more extensible in that regard.

You can classify end-end systems using COSE kid into 3:

1) mandatory — receiving app can’t function without a kid
2) kid not used
   2a) not used and reject the message if it is present
   2b) not used, don’t care if it is present
3) optional, some messages can have a kid and it will be used, but there is some means other than a kid parameter for finding the key

Note that this list is about kid, not about integer kid. Mandatory means it must have a kid the system can understand.

Assuming t_cose behavior, Option A works fine for systems 1) and 2a), but not 2b) or 3). Options B and C work for all systems.

Since integer kid is only for a small optimization you might be tempted to use the two-byte encoding for compatibility with all COSE libraries if the optimization isn’t absolutely critical.

In the coming vast spread of COSE use cases, the integer kid will only be used very rarely, so maybe better not to confuse the existing kid parameter.

Now I am leaning towards B or C.

LL
