> On Jun 20, 2022, at 4:18 AM, Ilari Liusvaara <[email protected]> wrote: > > On Sun, Jun 19, 2022 at 12:46:28PM -0700, Laurence Lundblade wrote: >> To get more sharp on what an addition to standard COSE would look like: >> >> A new signature type, COSE_SignIndirect is defined. It looks the same as >> COSE_Sign. A new CBOR tag is created for it and all. >> >> COSE_SignIndirect = [ >> Headers, >> payload : bstr / nil, >> signatures : [+ COSE_Signature] >> ] > > If it is the same as COSE_Sign, is it needed as separate type? > > And I do not think new tag gives reliable separation.
It is an array with the same exact items as COSE_Sign, but the signatures are computed quite differently. I don’t see what we have other than a CBOR tag and/or media types to distinguish it from COSE_Sign. If you mix them up, it certainly will not validate so no security hole. > ... >> >> Does this seem right for a standard proposal? > > Yes, this seems to be in the right direction. Thank you kindly for looking this over! LL
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
