https://www.ietf.org/archive/id/draft-ietf-cose-key-thumbprint-04.html
addresses my review comments on -03. Thanks for the quick turnaround!
A few comments on -04…
[IANA.Hash.Algorithms] should be a normative reference, since its use is
required for implementation.
Please add subsections to the IANA Considerations section. I suggest these
titles:
IANA CWT Confirmation Methods Registrations
IANA OAuth URI Registrations
I’ll update the shepherd review accordingly.
Best wishes,
-- Mike
From: Orie Steele <[email protected]>
Sent: Monday, October 23, 2023 7:10 AM
To: Hannes Tschofenig <[email protected]>
Cc: Michael Jones <[email protected]>; [email protected]; Isobe Kohei
<[email protected]>
Subject: Re: [COSE] Individual review of draft-ietf-cose-key-thumbprint-03
I think it may actually be helpful to give examples of thumbprints where the
order in the example will be changed by the canonical encoding.
For example, when implementing this, I purposefully constructed COSE Keys in an
order that would be changed by the canonization process,
https://github.com/transmute-industries/cose/blob/main/test/keys/cose-key.generate.test.ts#L52
... including extraneous fields that will be omitted, is probably also a good
idea...
https://github.com/transmute-industries/cose/blob/main/src/key/thumbprint.ts#L10
Bugged implementations of the draft will fail for these examples, which is
good, and it will force them to correct the ordering / required fields.
However, if we really wish to provide full examples, here is some complete
diagnostic:
A private key (with non canonical order)
~~~~ cbor-diag
{
1: 2,
-4: h'65A298251942FFCC9D20856A12B416F7365A079307C486A5410A9CA932CEE3CD',
3: -7,
-1: 1,
-2: h'0AFA25C74FEF267920BB635D518ED92CB23C35BC0CF80528DD120CFA47329BF8',
2: h'17C4C2359EE52C9817DC12B5A41BEDBA49538C8E13DA456FC241E1DA0FFCD620',
-3: h'5DAF04447CFC22FFC51361B92B91AED3E1274A41B5E44F1564BA6450D29A2CB8',
}
~~~~
The public key in canonical order
~~~~ cbor-diag
{
1: 2,
-1: 1,
-2: h'0AFA25C74FEF267920BB635D518ED92CB23C35BC0CF80528DD120CFA47329BF8',
-3: h'5DAF04447CFC22FFC51361B92B91AED3E1274A41B5E44F1564BA6450D29A2CB8',
}
~~~~
The thumbprint for the public key:
~~~~ cbor-diag
h'17C4C2359EE52C9817DC12B5A41BEDBA49538C8E13DA456FC241E1DA0FFCD620'
~~~~
^ these should be independently confirmed before being included in the draft.
OS
On Mon, Oct 23, 2023 at 2:05 AM Hannes Tschofenig
<[email protected]> wrote:
Thanks for the timely review, Mike.
I agree with all your comments and will incorporate them into the draft for
submission today.
Ciao
Hannes
Am 23.10.2023 um 05:21 schrieb Michael Jones:
There is one substantive issue identified below to address in the draft. The
rest are editorial.
Section 1 (Introduction): Change “the registry created by [RFC8747]” to “the
IANA "CWT Confirmation Methods" registry created by [RFC8747]”.
Section 6 (Example): In the text below, the two clauses both say that values
are correctly ordered, but the orders are different! Please correct this to
use the same correct order in both.
The required order based on Section 4.2.1 of [RFC8949] is:
• "y" (label: -3, data type: bstr)
• "x" (label: -2, data type: bstr)
• "crv" (label: -1, data type: int)
• "kty" (label: 1, data type: int)
The resulting COSE Key structure, in CBOR diagnostic format with line-breaks
added for better readability, with the minimum parameters in the correct order
are.
{
1:2,
-1:1,
-2:h'65eda5a12577c2bae829437fe338701a
10aaa375e1bb5b5de108de439c08551d',
-3:h'1e52ed75701163f7f9e40ddf9f341b3d
c9ba860af7e0ca7ca7e9eecd0084d19c'
}
Section 8 (IANA Considerations): Add “IANA” before “"CWT Confirmation Methods"
registry”.
Section 9 (Acknowledgements): Please change “Mike Jones” to “Michael B.
Jones”. (I use that professionally because there are a whole lot of Mike
Joneses out there!)
Thanks for writing this specification.
-- Mike
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>
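The thread above argues that thumbprint examples should start from a key whose member order is non-canonical and which carries members (kid, alg, the private d) that the thumbprint must drop, so that a buggy implementation visibly fails. The following is an added example, not code from the draft, from the transmute-industries repository or from any of the thread's authors. It implements the two steps the thread describes with a small deterministic CBOR encoder (int, bstr, tstr and map, the subset a COSE Key needs), ordering map keys by the bytewise lexicographic order of their encodings as RFC 8949 Section 4.2.1 requires, and then hashes the result with a hash chosen by its IANA name. The key values are the ones Orie posted; the table of required members per kty is my reading of the draft (which mirrors RFC 7638) and is an assumption of this example, as is the expected encoding, which I assembled by hand rather than taking from the draft.

```python
"""Added example: COSE Key Thumbprint over a deterministically encoded COSE Key."""
import hashlib

# Members that go into the thumbprint input, by kty. The EC2 row (kty 2: kty, crv, x, y)
# is what the thread's example uses; the OKP and Symmetric rows are my reading of the
# draft (which mirrors RFC 7638) and are an assumption of this example.
THUMBPRINT_MEMBERS = {
    2: (1, -1, -2, -3),  # EC2: kty, crv, x, y
    1: (1, -1, -2),      # OKP: kty, crv, x
    4: (1, -1),          # Symmetric: kty, k
}


def _head(major_type, argument):
    """Encode a CBOR head using the shortest argument form (RFC 8949 section 4.2.1)."""
    mt = major_type << 5
    if argument < 24:
        return bytes([mt | argument])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if argument < 1 << (8 * width):
            return bytes([mt | info]) + argument.to_bytes(width, "big")
    raise ValueError("argument too large for CBOR")


def encode(value):
    """Deterministically encode int, bytes, str and dict values (the subset a COSE Key needs)."""
    if isinstance(value, bool):
        raise TypeError("booleans are not used as COSE Key members in this example")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, dict):
        # Map keys are sorted by the bytewise lexicographic order of their encodings
        # (RFC 8949 section 4.2.1); this is what undoes any order the producer used.
        entries = sorted((encode(k), encode(v)) for k, v in value.items())
        return _head(5, len(entries)) + b"".join(k + v for k, v in entries)
    raise TypeError(f"unsupported type {type(value).__name__}")


def missing_members(key):
    """Labels the thumbprint input requires for this kty but the key does not carry."""
    return [label for label in THUMBPRINT_MEMBERS[key[1]] if label not in key]


def canonical_thumbprint_input(key):
    """Keep only the required members (dropping kid, alg, d and anything else), then encode."""
    missing = missing_members(key)
    if missing:
        raise ValueError(f"key is missing required members {missing}")
    reduced = {label: key[label] for label in THUMBPRINT_MEMBERS[key[1]]}
    return encode(reduced)


def cose_key_thumbprint(key, hash_name="sha256"):
    """Digest of the canonical thumbprint input; hash_name is the IANA hash algorithm name."""
    return hashlib.new(hash_name, canonical_thumbprint_input(key)).digest()


# Sample input: the P-256 key from the thread, in the non-canonical order it was posted
# in and with the d (-4), alg (3) and kid (2) members that the thumbprint must ignore.
X = bytes.fromhex("0AFA25C74FEF267920BB635D518ED92CB23C35BC0CF80528DD120CFA47329BF8")
Y = bytes.fromhex("5DAF04447CFC22FFC51361B92B91AED3E1274A41B5E44F1564BA6450D29A2CB8")
PRIVATE_KEY = {
    1: 2,
    -4: bytes.fromhex("65A298251942FFCC9D20856A12B416F7365A079307C486A5410A9CA932CEE3CD"),
    3: -7,
    -1: 1,
    -2: X,
    2: bytes.fromhex("17C4C2359EE52C9817DC12B5A41BEDBA49538C8E13DA456FC241E1DA0FFCD620"),
    -3: Y,
}
PUBLIC_KEY = {1: 2, -1: 1, -2: X, -3: Y}

# Hand-assembled (assumed, not taken from the draft) deterministic encoding of the public
# key: a4 (map of 4), 01 02 (kty: EC2), 20 01 (crv: P-256), 21 58 20 <x>, 22 58 20 <y>.
EXPECTED_CANONICAL = (
    bytes.fromhex("a4" "0102" "2001" "215820") + X + bytes.fromhex("225820") + Y
)

if __name__ == "__main__":
    print("canonical input:", canonical_thumbprint_input(PRIVATE_KEY).hex())
    print("thumbprint     :", cose_key_thumbprint(PRIVATE_KEY).hex())
```

Two points worth checking in any implementation this is compared against: the private key and the reduced public key must produce byte-identical canonical input, so the thumbprints must match regardless of insertion order or extra members; and RFC 8949 Section 4.2.1 sorts map keys bytewise, not length-first as RFC 7049 did, which only coincides for the one-byte labels 1, -1, -2 and -3 used here, so a test suite should also include a key with a multi-byte label to tell the two orderings apart.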