On Wed, Mar 8, 2023 at 12:19 PM Laurence Lundblade <[email protected]> wrote:
> Have you looked at detached payloads in COSE? It’s not very prominent in
> the RFC, but it’s definitely there and works. It allows for signing
> something that is not included in the COSE message. It can produce nice
> compact CBOR structures that just hold the signature bytes, the algorithm
> ID and maybe a key ID. The SUIT draft makes very heavy use of detached
> payloads. t_cose supports them.
>
> With detached payloads you pretty much get to make up your own rules for
> what the detached payload is. The only requirement is that the verifier
> somehow have the same payload bytes that the signer signed. You seem to
> understand that requirement :-)
>

I was aware that COSE RFC 9338 had an optional detached form, but I wasn't able to find a specific section about it. Is it defined further by another RFC or internet-draft?

I think you are correct that a good approach is for a Gordian Envelope sub-tree (itself an envelope) to be signed using the detached CBOR option, and then the resulting COSE signature in CBOR added to another Gordian Envelope with both of them as nodes. This does require that the detached signature COSE objects are using deterministic CBOR (which I presume is true?). You may lose some of the elegance of the Gordian Envelope this way, but it would offer COSE compatibility.

A similar approach is under napkin-sketch discussion in the W3C to have JSON-LD Verifiable Credentials objects (expressed as CBOR-LD) that would work with Gordian Envelope (see W3C https://w3c-ccg.github.io/meetings/2023-01-31/). It is harder with CBOR-LD because of needing to round-trip the @context schema, but it should be possible.

We have too many libraries, docs, videos, demos, etc. about Gordian Envelope for this level of discussion. Our master documentation page at https://github.com/BlockchainCommons/Gordian/tree/master/Envelope is useful if someone wants to dive deeper.

I have also heard that some people watching our Envelope-CLI video: https://www.youtube.com/watch?v=K2gFTyjbiYk (or its transcript with screenshots at: https://github.com/BlockchainCommons/envelope-cli-swift/blob/master/Transcripts/1-OVERVIEW-TRANSCRIPT.md) have found them useful to get a fast start at understanding the power of this architecture.

--
Christopher Allen
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
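
The detached-payload mechanism discussed in this thread, as an added example that is not code from either poster, t_cose or Gordian Envelope: the payload slot of the COSE message is nil and the payload bytes enter only the structure that gets authenticated, as RFC 9052 defines. To run on the Python standard library alone it uses COSE_Mac0 with HMAC 256/256 in place of a signature; the helper names, key, key ID and payload are constructed for illustration.

```python
import hashlib
import hmac

def head(major, n):
    """CBOR head with the shortest-form argument, as deterministic encoding requires."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")

def enc(v):
    """Encode the small CBOR subset used here (single-entry maps, so key order is moot)."""
    if v is None:
        return b"\xf6"  # nil
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes):
        return head(2, len(v)) + v
    if isinstance(v, str):
        return head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return head(4, len(v)) + b"".join(enc(x) for x in v)
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(enc(k) + enc(x) for k, x in v.items())
    raise TypeError(type(v))

PROTECTED = enc({1: 5})  # alg (label 1) = HMAC 256/256 (value 5)

def tag_for(key, payload, external_aad=b""):
    # MAC_structure always carries the payload bytes, attached or detached.
    to_mac = enc(["MAC0", PROTECTED, external_aad, payload])
    return hmac.new(key, to_mac, hashlib.sha256).digest()

def mac0_detached(key, kid, payload):
    """COSE_Mac0 array whose payload slot is nil; the payload travels separately."""
    return [PROTECTED, {4: kid}, None, tag_for(key, payload)]

def verify_detached(key, msg, payload):
    protected, _unprotected, slot, tag = msg
    if protected != PROTECTED or slot is not None:
        return False  # unexpected algorithm header, or not a detached message
    return hmac.compare_digest(tag, tag_for(key, payload))

KEY = bytes(range(32))         # constructed demo key
PAYLOAD = enc(["subject", 1])  # constructed stand-in for an encoded sub-tree
MSG = mac0_detached(KEY, b"kid-1", PAYLOAD)
```

`enc(MSG)` is 48 bytes regardless of payload size. `verify_detached(KEY, MSG, PAYLOAD[:-1] + b"\x18\x01")` returns False because the integer 1 re-encoded in non-shortest form yields different payload bytes, which is the reason both sides need a deterministic encoding of the detached content.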
