Hi authors,
I read the draft for the first time today. I think it's basically fine, but
there are some points I'm concerned about, so I'd like to make some
comments from an implementor's perspective.
1) I think it would be better to limit the COSE structures that can have
the CWT claims parameter.
Specifically, I think the use of the CWT claims parameter should be limited
only for COSE_{Encrypt0, Encrypt} and the COSE structures without payloads
(COSE structures with detached contents). I'm not sure whether it should be
MUST, SHOULD or RECOMMENDED though. In JOSE as well, I believe the JWT
claims were only partially usable (only "iss", "sub", "aud") in JWE.
2) Similarly, I believe that there is no need to enable the use of the CWT
claims parameter in COSE_Recipient or COSE_Signature, as it doesn't seem
meaningful.
If my understanding is correct, it might be helpful to mention this
somewhere in the document.
3) I think it would be better to limit the use of the CWT claims parameter
only to the protected header.
I believe there is no need to leave room for using it in the unprotected
header, as it would increase security concerns.
4) I think the following sentence in Security Considerations might be
better written in the main body of this specification. Is there any reason
not to write it in Chapter 2?
"In cases where CWT claims are both present in the payload and the header,
an application receiving such a structure MUST verify that their values are
identical, unless the application defines other specific processing rules
for these claims."
If there are any off-the-mark comments due to my lack of understanding of
the context, I apologize in advance.
Best regards,
AJITOMI Daisuke
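The checks raised in points 3 and 4 above, as an added example that is not code from the draft or from anyone on the thread: a small Python validator for a COSE_Sign1 message that rejects the CWT claims parameter when it appears in the unprotected header and, when a payload is present, requires each header claim to equal the same-named payload claim (a detached payload leaves the header claims as the only copy). The header label 15, the minimal CBOR decoder and the hand-built sample message are assumptions of this example.

```python
CWT_CLAIMS_LABEL = 15  # COSE header label for "CWT Claims" (assumed here; the thread does not quote it)

def _decode(b, i=0):
    mt, ai, i = b[i] >> 5, b[i] & 0x1F, i + 1  # major type, additional info
    if ai < 24:
        n = ai
    elif ai in (24, 25, 26, 27):  # the argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (ai - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length CBOR items are not supported")
    if mt in (0, 1):  # unsigned / negative integer
        return (n if mt == 0 else -1 - n), i
    if mt in (2, 3):  # byte string / UTF-8 text string
        return (bytes(b[i:i + n]) if mt == 2 else b[i:i + n].decode()), i + n
    if mt in (4, 5):  # array / map
        out = [] if mt == 4 else {}
        for _ in range(n):
            k, i = _decode(b, i)
            if mt == 4:
                out.append(k)
            else:
                out[k], i = _decode(b, i)
        return out, i
    if mt == 7 and ai == 22:  # null, i.e. a detached payload
        return None, i
    raise ValueError("unsupported CBOR major type %d" % mt)

def check_cwt_claims(cose_sign1):
    # Rules from the thread: accept the parameter only in the protected header; header claims must equal same-named payload claims.
    protected_bstr, unprotected, payload, _sig = _decode(cose_sign1)[0]
    if CWT_CLAIMS_LABEL in unprotected:
        raise ValueError("CWT claims in the unprotected header are not integrity-protected")
    header_claims = (_decode(protected_bstr)[0] if protected_bstr else {}).get(CWT_CLAIMS_LABEL, {})
    if payload is None:  # detached content: the header is the only place claims can live
        return header_claims
    payload_claims = _decode(payload)[0]
    for label, value in header_claims.items():
        if label in payload_claims and payload_claims[label] != value:
            raise ValueError("claim %r differs between header and payload" % label)
    return header_claims

# Constructed COSE_Sign1 with a placeholder signature (only the claims handling is exercised):
# [protected {1:-7, 15:{1:"as", 6:1000}}, unprotected {4:b"k1"}, payload {1:"as", 6:1000, 3:"rs"}, b"sig"]
SAMPLE = bytes.fromhex(
    "84 4d a2 01 26 0f a2 01 62 61 73 06 19 03 e8"  # array(4), protected header as bstr-wrapped map
    "a1 04 42 6b 31"                                 # unprotected header: kid = b"k1"
    "4d a3 01 62 61 73 06 19 03 e8 03 62 72 73"     # payload: CWT claims iss, iat, aud
    "43 73 69 67"                                     # signature placeholder b"sig"
)
```

Signature verification is deliberately out of scope here; in a real receiver it runs before any claim is trusted.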
On Fri, Apr 28, 2023 at 7:53 Orie Steele <[email protected]> wrote:
> I support publication.
>
> On Thu, Apr 27, 2023, 5:20 PM Mike Prorock <[email protected]> wrote:
>
>> I believe that this is ready to go as well.
>>
>> Mike Prorock
>> mesur.io
>>
>> On Thu, Apr 27, 2023, 15:31 Michael Jones <[email protected]>
>> wrote:
>>
>>> I believe that this specification is ready for publication.
>>>
>>> -- Mike
>>>
>>> *From:* Ivaylo Petrov <[email protected]>
>>> *Sent:* Thursday, April 27, 2023 1:23 PM
>>> *To:* [email protected]; Tobias Looker
>>> <[email protected]>; cose <[email protected]>
>>> *Cc:* Cose Chairs Wg <[email protected]>
>>> *Subject:* WGLC of draft-ietf-cose-cwt-claims-in-headers
>>>
>>> Dear all,
>>>
>>> This message starts the formal Working Group Last Call of the
>>> draft-ietf-cose-cwt-claims-in-headers [1].
>>>
>>> The working group last call will run for **two weeks**, ending
>>> on May 12, 2022.
>>>
>>> Please review and send any comments or feedback to the working
>>> group. Even if your feedback is "this is ready", please let us know.
>>>
>>> Thank you,
>>>
>>> - Mike and Ivaylo
>>>
>>> COSE Chairs
>>>
>>> [1]:
>>> https://www.ietf.org/archive/id/draft-ietf-cose-cwt-claims-in-headers-04.html
>>> _______________________________________________
>>> COSE mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/cose