On Sat, Jul 9, 2022 at 12:47 PM Carsten Bormann <[email protected]> wrote:
> On 2022-07-09, at 19:39, Anders Rundgren <[email protected]> wrote:
> >
> > To me the I-D text is utter nonsense; nobody (in their right mind...) would use the same identifier for multiple keys.
>
> Of course. The attacker would.
>
> But, more generally, creating globally unique (including over time) identifiers is not that easy.

It's not that hard... especially if you bound time... to something reasonable.

If it were hard, safe public key generation would also be hard...

Yet we are pretty comfortable generating new public / private key pairs and trusting them to be "unique" for sufficiently trusted sources of randomness.

Hashes of public keys are a common (and excellent) form of key identifier:

https://datatracker.ietf.org/doc/html/rfc7638

Also UUID is nice..

https://datatracker.ietf.org/doc/html/rfc4122

> > Since this (obviously) is not apparent, I immediately updated my "COSE challenger" docs to indeed require uniqueness:
> >
> > https://cyberphone.github.io/javaapi/org/webpki/cbor/doc-files/signatures.html#parameters
>
> When people say “uniqueness”, they usually have a set of separate cases in mind to each of which the uniqueness applies; I have no idea what yours is.
>
> In LAKE, we may want to use the kids h’’, h’00’ etc. a lot, because they have favorable transport representations.

I agree, uniqueness needs to be broken down further.

Maybe consider:

- https://en.wikipedia.org/wiki/T-closeness
- https://en.wikipedia.org/wiki/K-anonymity

It's possible setting `kid` to something with extremely high collisions is somehow valuable to your use case... which is the opposite of what you would want if you wanted deterministic identifiers for a large key space, which is what you get by applying RFC7638.

> Grüße, Carsten
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose

--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries <https://www.transmute.industries>
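Added example, not part of the thread or any participant's code: a Python sketch of the RFC 7638 thumbprint mentioned above, used as a deterministic `kid`, together with a hypothetical verifier-side `KeyStore` that refuses one `kid` being presented for two different keys. The key values are constructed placeholders, not real curve points.

```python
import base64
import hashlib
import json

# Required members per key type, from RFC 7638 section 3.2.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint, base64url-encoded without padding."""
    members = REQUIRED[jwk["kty"]]  # KeyError for key types not listed above
    # Hash only the required members, sorted lexicographically, no whitespace,
    # so optional members (kid, alg, use) and member order cannot change the id.
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class KeyStore:
    """Hypothetical store: within this store a kid may name only one key."""

    def __init__(self):
        self._by_kid = {}  # claimed kid -> thumbprint of the key first seen with it

    def register(self, kid: str, jwk: dict) -> str:
        tp = jwk_thumbprint(jwk)
        known = self._by_kid.setdefault(kid, tp)
        if known != tp:
            # Same identifier, different key material: reject, do not overwrite.
            raise ValueError(f"kid {kid!r} already names a different key")
        return tp


# Constructed sample keys (placeholder coordinates, for illustration only).
KEY_A = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLWEteA", "y": "c2FtcGxlLWEteQ"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLWIteA", "y": "c2FtcGxlLWIteQ"}

if __name__ == "__main__":
    store = KeyStore()
    print("kid for KEY_A:", store.register(jwk_thumbprint(KEY_A), KEY_A))
    store.register("00", KEY_A)          # short, reusable kid
    try:
        store.register("00", KEY_B)      # second key under the same kid
    except ValueError as err:
        print("rejected:", err)
```

A short `kid` such as `"00"` only stays unambiguous inside one store's scope; the thumbprint form is derived from the key itself and needs no such scoping.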
