[
/ protected h'A201260300' / << {
/ alg / 1:-7, / ECDSA 256 /
/ ctyp / 3:0 *<--* ... for example "application/spdx-sbom" (not
currently a real ctyp)
} >>,
/ unprotected / {
/ kid / 4: "11",
/ countersign / 11: [
/ protected h'A1013823' / << {
/ alg / 1:-36 / ECDSA 512 / <--- counter signature alg...
already reserved.
... we could inject the merkle proof here as well.
*"merkle_alg" : SCITT-CCF,*
*"merkle_root": "merkle_root".*
} >>,
/ unprotected / {
/ kid / 4: "[email protected]"
*"merkle_receipt": "path from the original leaf (original COSE
Sign1) to the merkle root... encoded in CBOR".*
},
/ signature / h'01B1291B...'
]
},
/ payload / 'This is the content.', <-- For example SPDX SBOM.
/ signature / h'BB...'
]
I've tested this and it works with JOSE, for example:
https://github.com/w3c-ccg/Merkle-Disclosure-2021/tree/main/packages/json-web-proof/ref-impl
^ This package uses a "signed merkel root" + "merkle receipts" to create a
selective disclosure scheme, where a prover can prove a message is in a
merkle root that was signed by an issuer.
In your construction, I don't think we care to support selective
disclosure, and the counter sign issuer is the one who signs over the root,
the original issuer is part of the COSE Sign1 that becomes the leaf.
Maybe I am not understanding the objective.
I don't understand what a "ledger transaction" looks like... is that a
"merkle receipt" (a proof of leaf inclusion in a merkle root) ?
Regards,
OS
On Tue, Oct 4, 2022 at 9:54 AM Maik Riechert <[email protected]>
wrote:
> No, this wouldn’t work, as this would assume that each ledger transaction
> is signed individually. The signature is over the Merkle tree root. And
> only the extra information binds it to the actual leaf we care about (the
> original COSE envelope plus the countersigner protected header).
>
>
>
> *From:* Orie Steele <[email protected]>
> *Sent:* Dienstag, 4. Oktober 2022 15:21
> *To:* Maik Riechert <[email protected]>
> *Cc:* Mike Prorock <[email protected]>; Russ Housley <[email protected]>;
> [email protected]; cose <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: [COSE] SCITT receipts as COSE V2
> countersignatures
>
>
>
> Looking at the examples:
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-cose-countersign#appendix-A.2.1
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-cose-countersign%23appendix-A.2.1&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=4ojhM4Hg5ry21ueUB5Gk04c2%2FBL5AZfTyQEu25HYSSo%3D&reserved=0>
>
> [
> / protected h'A201260300' / << {
> / alg / 1:-7, / ECDSA 256 /
> / ctyp / 3:0 *<-- ... for example "application/spdx-sbom" *(not
> currently a real ctyp)
> } >>,
> / unprotected / {
> / kid / 4: "11",
> / countersign / 11: [
> / protected h'A1013823' / << {
> / alg / 1:-36 / ECDSA 512 /* <--- counter signature alg...
> already reserved.*
>
> ...
> *we could inject the merkle proof here as well. *
> *"receipt_alg" : SCITT-CCF, * *"receipt": {}*
> } >>,
> / unprotected / {
> / kid / 4: "[email protected]"
> },
> / signature / h'01B1291B...'
> ]
> },
> / payload / 'This is the content.',* <-- For example SPDX SBOM.*
> / signature / h'BB...'
> ]
>
> Does this match what you were saying above?
>
> Regards,
>
> OS
>
>
>
> On Tue, Oct 4, 2022 at 8:56 AM Maik Riechert <[email protected]>
> wrote:
>
> Orie, sure, that can be done by moving the base alg in the signature
> structure, similar to the referenced RFC. Then alg would be “SCITT-CCF”,
> and for non-CCF implementations it may be another custom alg or an existing
> alg (e.g., “ES256” if every COSE envelope is countersigned individually,
> rather than signing a Merkle tree root periodically).
>
>
>
> Note that “cty” doesn’t exist for COSE countersignatures, since there is
> no payload of the countersigner. Instead, any metadata from the
> countersigner would be part of the protected header. See also
> https://datatracker.ietf.org/doc/html/draft-ietf-cose-countersign
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-cose-countersign&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=O7yxvXhraLqPflib%2FdPtYVoIplHm5UdbAEGgp2kuK%2BA%3D&reserved=0>
> .
>
>
>
> *From:* Mike Prorock <[email protected]>
> *Sent:* Dienstag, 4. Oktober 2022 14:48
> *To:* Orie Steele <[email protected]>
> *Cc:* Russ Housley <[email protected]>; Maik Riechert <
> [email protected]>; [email protected]; cose <[email protected]>
> *Subject:* [EXTERNAL] Re: [COSE] SCITT receipts as COSE V2
> countersignatures
>
>
>
> Likewise I am with Orie on this one
>
>
>
> cty or similar would make things a whole lot cleaner for Interop reasons
> and prevents a lot of potential confusion and complexity
>
> Mike Prorock
> mesur.io
> <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmesur.io%2F&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=GKuIsngtrhvb0Uvv1HE9j7E12ZzRi9yG7%2BKdYJfghtk%3D&reserved=0>
>
>
>
> On Tue, Oct 4, 2022, 07:01 Orie Steele <[email protected]> wrote:
>
> I'm a -1 to needing to register a new alg for every existing registered
> alg when used with counter signatures... specifically:
>
> - SCITT-CCF-ES256
> - SCITT-CCF-EdDSA
> - SCITT-CCF-ES384
> - SCITT-CCF-FANCY_NEW_PQC_1
> - SCITT-CCF-FANCY_NEW_PQC_2
> - SCITT-CCF-FANCY_NEW_PQC_3
>
> Can we move the "application specific" component of the "alg" value to a
> separate field?
>
> Example:
>
> alg: ES256 // support existing alg values with no
> changes
> cty: 'application/scitt-ccf' // signal the content type
>
> ?
>
> Regards,
>
> OS
>
>
>
> On Tue, Oct 4, 2022 at 7:44 AM Russ Housley <[email protected]> wrote:
>
> If I understand this proposal correctly, a value for SCITT-CCF-ES256 would
> be added to the IANA-maintained COSE Algorithms registry. Right now, all
> of the entries are for cryptographic algorithms. I'd like to hear what the
> Designated Experts think about using the registry to identify an
> application-specific structure in addition to the cryptographic algorithm.
>
>
>
> Russ
>
>
>
>
>
> On Oct 4, 2022, at 8:00 AM, Maik Riechert <
> [email protected]> wrote:
>
>
>
> Hi all,
>
>
>
> In the SCITT community call yesterday we had a discussion on receipts (
> https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-receipts-01
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-birkholz-scitt-receipts-01&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=qBB8Xb%2Bs5IEYwig6IK%2FoIFYx8JdRa1CRfMNcXnQFYUk%3D&reserved=0>)
> and whether they should be represented as standard COSE V2
> countersignatures (
> https://datatracker.ietf.org/doc/html/draft-ietf-cose-countersign
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-cose-countersign&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=O7yxvXhraLqPflib%2FdPtYVoIplHm5UdbAEGgp2kuK%2BA%3D&reserved=0>
> ).
>
>
>
> The current receipt format’s CDDL is as follows:
>
>
>
> [
>
> service_id: tstr
>
> contents: any
>
> ]
>
>
>
> where `contents` depends on the “tree” algorithm (with the requirement
> that it has to contain a protected header somewhere in it) identified via
> parameters associated to the service_id. Currently there is only a single
> tree algorithm (based on a CCF ledger implementation) where the CDDL is as
> follows:
>
>
>
> [
>
> signature: bstr
>
> node_certificate: bstr
>
> inclusion_proof: [+ ProofElement]
>
> leaf_info: [
>
> internal_hash: bstr
>
> internal_data: bstr
>
> protected: bstr .cbor {
>
> issuedAt: uint
>
> }
>
> ]
>
> ]
>
>
>
> In order to support more schemes around key discovery (e.g., DID), it
> makes sense to move the protected header to the front and make it part of
> the common top-level structure:
>
>
>
> [
>
> protected: bstr .cbor {
> service_id: tstr
>
> issuedAt: uint
>
> },
>
> contents: any
>
> ]
>
>
>
> The new `contents` would then look like this:
>
>
>
> [
>
> signature: bstr
>
> node_certificate: bstr
>
> inclusion_proof: [+ ProofElement]
>
> leaf_info: [
>
> internal_hash: bstr
>
> internal_data: bstr
>
> ]
>
> ]
>
>
>
> If you then squint a bit more, you can re-imagine this as a COSE V2
> countersignature:
>
>
>
> [
>
> protected: bstr .cbor {
> alg: tstr
> service_id: tstr
>
> issuedAt: uint
>
> },
>
> unprotected: { * label => values }
>
> signature: bstr
>
> ]
>
>
>
> For the CCF tree algorithm, this would equate to `alg` being a new
> identifier (e.g., “SCITT-CCF-ES256”) and the signature being the `contents`
> structure wrapped as bstr.
>
>
>
> Russ raised concerns that carrying all of the additional bits in the
> signature bytes may be hard to justify when it comes to registration of the
> new signature algorithm in COSE’s IANA registry. There seems to be
> precedent though, for example
> https://datatracker.ietf.org/doc/html/rfc8778
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8778&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=7gtc3UlcFIDbNPog%2BWJtsZ9rD2wGbKzaMvT9m%2BcGcpI%3D&reserved=0>
> where
> for Leighton-Micali the signature value (see 2.2) is a structure containing
> a leaf number, an LM-OTS signature, a type code indicating a subalgorithm,
> and a tree path from leaf to root.
>
>
>
> We discussed two alternatives: 1. Keeping it a separate format specific to
> SCITT. 2. Establishing receipts as new COSE message type, though this may
> be more challenging.
>
>
>
> Any discussions and opinions on this topic are highly appreciated.
>
>
>
> Maik
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcose&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=l8VsEPAden6ZIBLRdTv3cMq3W702IZyO7BxzXzTMH14%3D&reserved=0>
>
>
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcose&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=l8VsEPAden6ZIBLRdTv3cMq3W702IZyO7BxzXzTMH14%3D&reserved=0>
>
>
>
>
> --
>
> *ORIE STEELE*
>
> Chief Technical Officer
>
> www.transmute.industries
> <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.transmute.industries%2F&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663211422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=fhDS7ny8PFTTsD%2BptBGq7OjpelCWfYXjtmXmv8I2pMs%3D&reserved=0>
>
>
>
>
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.transmute.industries%2F&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663367637%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=sxbuN2WUyg2ZbeznSJjX9pcrXfQ5BQVl0UlafoqWdW8%3D&reserved=0>
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcose&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663367637%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=g8UZGbsBkg74iKAw0vTjSbvm9cOsJSByAVt1VyxVlyY%3D&reserved=0>
>
>
>
>
> --
>
> *ORIE STEELE*
>
> Chief Technical Officer
>
> www.transmute.industries
>
>
>
>
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.transmute.industries%2F&data=05%7C01%7CMaik.Riechert%40microsoft.com%7Cfbbec4287b234b7ea58c08daa613afb8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638004901663367637%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=sxbuN2WUyg2ZbeznSJjX9pcrXfQ5BQVl0UlafoqWdW8%3D&reserved=0>
>
--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries
<https://www.transmute.industries>
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
