From Goran (now added to CC:)
Hi Paul,
Copying in the same thread a couple of mails later (included below) it
seems Mike and Francesca are converging on a proposal.
From an EDHOC point of view I think this is about:
- Removing the requirement that it must contain a COSE_Key in a ‘cnf’
claim from the IANA registration, but keeping that requirement in 3.5.3.1.
- Changing the name from “kccs” to “ccs” or “CWT Claims” or similar.
- Note that we had the discussion about “ccs” vs “kccs” previously in
LAKE and the reason for the “k” was exactly because of the requirement to
contain a key, so it makes sense to remove the k if the requirement is
removed.
- Harmonize related text, in particular add text that the other
applications may have other requirements
- Note that EDHOC is including COSE headers in message fields like
ID_CRED, so the recommendations in draft-ietf-cose-cwt-claims-in-headers
about use of COSE protected headers are not applicable, or ambiguous – they
give the impression that what is done in EDHOC is not allowed since COSE
protected headers are not used.
- Analogous changes for “kcwt”
I don’t think this is a major change. We need to bring it to the list, of
course, once we have a proposal.
(FWIW I think “ccs” / “cwt” is fine and matching the previous discussion.)
Göran
On Fri, Oct 27, 2023 at 11:57 AM Carsten Bormann <[email protected]> wrote:
> On 2023-10-27, at 16:59, Michael Jones <[email protected]> wrote:
> >
> > Just like JWTs and CWTs, the CWT Claims Set in the header parameter is a
> > data structure. It's the applications using them that profile them to use
> > particular claims and assign them specific semantics in their context. An
> > OpenID Connect ID Token defines semantics for a particular kind of JWT,
> > just like STIR defines semantics for other kinds of JWTs. SCITT is
> > assigning semantics to a particular use of the CWT Claims header parameter.
>
> Hmm, that sounds like a recipe for cross-protocol attacks.
>
> Grüße, Carsten