From Goran (now added to CC:)

Hi Paul,

Copying in the same thread a couple of mails later (included below) it
seems Mike and Francesca are converging on a proposal.

From an EDHOC point of view I think this is about:



   - Removing the requirement that it must contain a COSE_Key in a ‘cnf’
   claim from the IANA registration, but keeping that requirement in 3.5.3.1.
   - Changing the name from “kccs” to “ccs” or “CWT Claims” or similar.
      - Note that we had the discussion about “ccs” vs “kccs” previously in
      LAKE and the reason for the “k” was exactly because of the requirement to
      contain a key, so it makes sense to remove the k if the requirement is
      removed.
   - Harmonize related text, in particular add text that the other
   applications may have other requirements
      - Note that EDHOC is including COSE headers in message fields like
      ID_CRED, so the recommendations in draft-ietf-cose-cwt-claims-in-headers
      about use of COSE protected headers are not applicable, or
      ambiguous – they give the impression that what is done in EDHOC is
      not allowed since COSE protected headers are not used.
   - Analogous changes for “kcwt”



I don’t think this is a major change. We need to bring it to the list, of
course, once we have a proposal.



(FWIW I think “ccs” / “cwt” is fine and matching the previous discussion.)



Göran

On Fri, Oct 27, 2023 at 11:57 AM Carsten Bormann <[email protected]> wrote:

> On 2023-10-27, at 16:59, Michael Jones <[email protected]>
> wrote:
> >
> > Just like JWTs and CWTs, the CWT Claims Set in the header parameter is a
> data structure.  It's the applications using them that profile them to use
> particular claims and assign them specific semantics in their context.  An
> OpenID Connect ID Token defines semantics for a particular kind of JWT,
> just like STIR defines semantics for other kinds of JWTs.  SCITT is
> assigning semantics to a particular use of the CWT Claims header parameter.
>
> Hmm, that sounds like a recipe for cross-protocol attacks.
>
> Grüße, Carsten
>
>
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
