https://www.ietf.org/archive/id/draft-ietf-cose-cwt-claims-in-headers-05.html
moves the statement about verifying that claim values present in both the
header and payload are identical from the Security Considerations to the body
of the specification. Iβll note that -04 already said that βIt is RECOMMENDED
that the CWT claims header parameter is used only in a protected headerβ and
that remains in -05.
Thanks again for your review, Daisuke.
-- Mike
From: Michael Jones
Sent: Monday, June 19, 2023 11:56 AM
To: AJITOMI Daisuke <[email protected]>; Cose Chairs Wg <[email protected]>;
cose <[email protected]>
Cc: Mike Prorock <[email protected]>; Ivaylo Petrov <[email protected]>; Tobias
Looker <[email protected]>; Orie Steele <[email protected]>
Subject: RE: [COSE] π WGLC of draft-ietf-cose-cwt-claims-in-headers
Thanks for the review, Daisuke! Responses are inline below in green.
From: AJITOMI Daisuke <[email protected]<mailto:[email protected]>>
Sent: Tuesday, May 2, 2023 3:57 PM
To: Cose Chairs Wg <[email protected]<mailto:[email protected]>>; cose
<[email protected]<mailto:[email protected]>>
Cc: Mike Prorock <[email protected]<mailto:[email protected]>>; Michael Jones
<[email protected]<mailto:[email protected]>>; Ivaylo
Petrov <[email protected]<mailto:[email protected]>>; Tobias Looker
<[email protected]<mailto:[email protected]>>; Orie Steele
<[email protected]<mailto:[email protected]>>
Subject: Re: [COSE] π WGLC of draft-ietf-cose-cwt-claims-in-headers
Hi authors,
I read the draft for the first time today. I think it's basically fine, but
there are some points I'm concerned about, so I'd like to make some comments
from an imprementor's perspective.
1) I think it would be better to limit the COSE structures that can have the
CWT claims parameter.
Specifically, I think the use of the CWT claims parameter should be limited
only for COSE_{Encrypt0, Encrypt} and the COSE structures without payloads
(COSE structures with detached contents). I'm not sure whether it should be
MUST, SHOULD or RECOMMENDED though. In JOSE as well, I believe the JWT claims
were only partially usable (only "iss", "sub", "aud") in JWE.
In JWT, any claim can be duplicated to a header parameter. This is described
in https://www.rfc-editor.org/rfc/rfc7519.html#section-5.3. There was no
restriction on use in structures without payloads, etc. Itβs a design goal of
CWT to be as parallel to JWT as possible. Therefore, I donβt think it makes
sense to impose restrictions on CWTs that were not made in JWTs.
2) Similarly, I believe that there is no need to enable the use of the CWT
claims parameter in COSE_Recipient or COSE_Signature, as it doesn't seem
meaningful.
If my understanding is correct, it might be helpful to mention this somewhere
in the document.
Successful specifications are used in ways that the authors never envisioned,
provided they are written to enable general applicability. For instance, I
never imagined JWTs would be used to secure Caller-ID, but that very thing has
happened in the STIR working group, in specs such as RFC 8224. The same is
already true of CWTs. Therefore, Iβm very reluctant to limit the applicability
of the CWT claims-in-headers feature because, as a general-purpose feature, we
are unlikely to be able to guess the productive ways that it will be used.
3) I think it would be better to limit the use of the CWT claims parameter only
to the protected header.
I believe there is no need to leave room for using it in the unprotected
header, as it would increase security concerns.
Iβm fine suggesting that use in the protected headers is preferred in the
Security Considerations. But as above, it seems unwise to impose arbitrary
restrictions on the applicability of the feature.
4) I think the following sentence in Security Considerations might be better
written in the main body of this specification. Is there any reason not to
write it in Chapter 2?
"In cases where CWT claims are both present in the payload and the header, an
application receiving such a structure MUST verify that their values are
identical, unless the application defines other specific processing rules for
these claims."
Iβm fine with promoting this sentence to the main body of the specification.
If there are any off-the-mark comments due to my lack of understanding of the
context, I apologize in advance.
Not at all. I appreciate you taking the time to review the specification and
make concrete suggestions. The βunderstanding the contextβ point is right on.
Some of my responses above essentially say that we donβt have a crystal ball to
gaze into to know the contexts in which the CWT feature will be used in advance.
Best regards,
AJITOMI Daisuke
Best wishes,
-- Mike
2023εΉ΄4ζ28ζ₯(ι) 7:53 Orie Steele
<[email protected]<mailto:[email protected]>>:
I support publication.
On Thu, Apr 27, 2023, 5:20 PM Mike Prorock
<[email protected]<mailto:[email protected]>> wrote:
I believe that this is ready to go as well.
Mike Prorock
mesur.io<http://mesur.io/>
On Thu, Apr 27, 2023, 15:31 Michael Jones
<[email protected]<mailto:[email protected]>> wrote:
I believe that this specification is ready for publication.
-- Mike
From: Ivaylo Petrov <[email protected]<mailto:[email protected]>>
Sent: Thursday, April 27, 2023 1:23 PM
To: [email protected]<mailto:[email protected]>; Tobias
Looker <[email protected]<mailto:[email protected]>>; cose
<[email protected]<mailto:[email protected]>>
Cc: Cose Chairs Wg <[email protected]<mailto:[email protected]>>
Subject: π WGLC of draft-ietf-cose-cwt-claims-in-headers
Dear all,
This message starts the formal Working Group Last Call of the
draft-ietf-cose-cwt-claims-in-headers [1].
The working group last call will run for **two weeks**, ending on May 12, 2022.
Please review and send any comments or feedback to the working group. Even if
your feedback is "this is ready", please let us know.
Thank you,
- Mike and Ivaylo
COSE Chairs
[1]:
https://www.ietf.org/archive/id/draft-ietf-cose-cwt-claims-in-headers-04.html
_______________________________________________
COSE mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
