On Nov 2, 2023, at 23:29, Orie Steele <[email protected]> wrote:
>
> typ in cose headers is a different draft, it's common in JOSE, and it's
> recommended in the JWT BCP... I suggest we assume it's not possible to
> specify the typ (media type) of the envelope in COSE, since that's true today.

Obviously we could register it with ccs/cwt.

> My point is that security assumptions are the same for both the protected
> header and the protected payload, as are the semantics for "claims", in the
> context of CWT... At least that's what the current draft says.

They are secured the same way.
That doesn’t mean what they say has the same semantics.
The cross-protocol issue I’m chasing after can exploit the undefinedness of the latter.

Grüße, Carsten

> I don't think this draft should say anything more.
>
> OS
>
>
> On Thu, Nov 2, 2023, 5:11 PM Carsten Bormann <[email protected]> wrote:
> On Nov 2, 2023, at 23:02, Orie Steele <[email protected]> wrote:
> >
> > I suggest we tackle these issues in a separate document.
>
> I’m fine with that, as long as that document can make retroactive BCP14
> statements :-) (*)
>
> The CCS in the payload is entirely different from one in the header:
> The CCS in the payload is the focus of the signed/encrypted/mac'ed statement.
> The CCS/CWT in the header can only be supplementary information to what is in
> the payload.
> How does that supplementing affect the entire construct?
> Mike proposed using typ to supply this information. But then it really needs
> to.
>
> Grüße, Carsten
>
> (*) OK, there is precedence in RFC 8725
>
> --
> last-call mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/last-call

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
