Hi,

On the proposal 1.: I can confirm that having a shorthand encoding for OIDs in the IANA PEN namespace is useful for the future - I'm involved in some IoT device work where several PEN-based OIDs are included in certificates -- in the X509v3 extensions.

However, using a new registry where people can register integers to represent parts of the OID namespace would give rise to the problem that a typical C509 decoder would become obsolete as soon as someone registers a new entry in that registry. Because it can't decode C509 certs anymore that would carry that new entry, unless it got software-updated. And getting this sw update isn't always possible. For example, if a device would use C509 certificates for an onboarding protocol like cBRSKI then it may first get factory-reset to 'old firmware', and then the onboarding happens where the IoT device cannot decode any "new" registry entries. Perhaps the device could ignore unknown entries but still, this brings up a whole new area of complexity and new failure cases to handle.

So it seems better to only encode PEN plus maybe a few often-used OID namespaces and fix these now in the standard. A future "V2" C509 certificate format may incorporate more of these optimized OID namespaces then. But it would maybe need to indicate the version explicitly in the CBOR encoding somewhere, just like X509 has a version integer 0, 1 or 2.

Also a question on the proposed format [int, ~roid]: would instead of an array, a tag before the "roid" item also be possible, and could that get us a smaller encoded size (or not)?

Thanks
Esko

From: COSE <[email protected]> On Behalf Of Göran Selander
Sent: Tuesday, January 30, 2024 16:04
To: [email protected]
Subject: [COSE] C509: Optimisations for PEN and location of signatureAlgorithm

All,

We got some suggestions for updates to C509 and would like to learn if there are any preferences from the WG. Two issues are highlighted in this mail, for more info see GitHub issue tracker<https://github.com/cose-wg/CBOR-certificates/issues>.

1. One suggestion is to have a more optimised encoding for PEN using relative OIDs, see #143<https://github.com/cose-wg/CBOR-certificates/issues/143>.

Here is the proposed change for extensions and attributes:

OLD (-07)

    Extension = ( extensionID: int, extensionValue: any ) //
                ( extensionID: ~oid, ? critical: true,
                  extensionValue: bytes )

NEW

    Extension = ( extensionID: int, extensionValue: any ) //
                ( extensionID: ~oid, ? critical: true,
                  extensionValue: bytes ) //
                ( extensionID: [int, ~roid], extensionValue: bytes )

OLD

    Attribute = ( attributeType: int, attributeValue: text ) //
                ( attributeType: ~oid, attributeValue: bytes )

NEW

    Attribute = ( attributeType: int, attributeValue: text ) //
                ( attributeType: ~oid, attributeValue: bytes ) //
                ( attributeType: [int, ~roid], attributeValue: bytes )

where there will be a new register with integers representing OIDs from which the relative OID is based. Critical extensions are handled using negative numbers in the same way as with the other int-based encoding.

The same construction is proposed to be applied to other settings relevant to PEN, such as KeyPurposeID and PolicyIdentifier, see #143<https://github.com/cose-wg/CBOR-certificates/issues/143>.

Any objections to this or other comments?

2. Another proposed simple but breaking change is about the location of the signature algorithm in the CDDL for C509Certificate. In common X.509 certificates this information is given twice, in the signatureAlgorithm and Signature fields of TBSCertificate, containing identical values. In -07 we only have the field corresponding to the second occurrence at the end of TBSCertificate. The proposal is to change this to first occurrence, to enable essentially one-pass signature verification.

    C509Certificate = [
       TBSCertificate,
       issuerSignatureValue : any,
    ]

OLD

    TBSCertificate = (
       c509CertificateType: int,
       certificateSerialNumber: CertificateSerialNumber,
       issuer: Name,
       validityNotBefore: Time,
       validityNotAfter: Time,
       subject: Name,
       subjectPublicKeyAlgorithm: AlgorithmIdentifier,
       subjectPublicKey: any,
       extensions: Extensions,
       issuerSignatureAlgorithm: AlgorithmIdentifier,
    )

NEW

    TBSCertificate = (
       c509CertificateType: int,
       certificateSerialNumber: CertificateSerialNumber,
       issuerSignatureAlgorithm: AlgorithmIdentifier,
       issuer: Name,
       validityNotBefore: Time,
       validityNotAfter: Time,
       subject: Name,
       subjectPublicKeyAlgorithm: AlgorithmIdentifier,
       subjectPublicKey: any,
       extensions: Extensions,
    )

Any objections to this or other comments?

Göran

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
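
The decoder concern raised in the reply above, shown as an added example (not code from this thread or from the C509 draft): a device with a registry snapshot fixed at build time resolves the `~oid` and `[int, ~roid]` forms of extensionID and has to decide what to do with a prefix integer it has never seen. PREFIX_REGISTRY and its entry 1 are hypothetical, the input is assumed to be already CBOR-decoded, and the reject-if-critical, skip-otherwise split is the usual X.509 handling of unrecognized extensions applied to an unknown prefix.

```python
PEN_ARCS = (1, 3, 6, 1, 4, 1)      # IANA Private Enterprise Number arc
PREFIX_REGISTRY = {1: PEN_ARCS}    # hypothetical registry snapshot baked into firmware


class RejectCertificate(Exception):
    """The decoder must fail closed."""


def subids(data: bytes) -> list[int]:
    """Decode base-128 sub-identifiers, rejecting truncated or padded encodings."""
    if not data or data[-1] & 0x80:
        raise RejectCertificate("truncated OID bytes")
    arcs, value = [], 0
    for byte in data:
        if byte == 0x80 and value == 0:
            raise RejectCertificate("non-minimal sub-identifier")
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return arcs


def resolve_extension_id(ext_id, critical=False):
    """Map an already CBOR-decoded extensionID to (dotted OID or None, critical).

    bytes         -> ~oid form; criticality comes from the separate field
    [int, bytes]  -> [int, ~roid] form; a negative int marks the extension critical
    """
    if isinstance(ext_id, bytes):
        first, *rest = subids(ext_id)
        top = min(first // 40, 2)             # first sub-identifier packs two arcs
        arcs = [top, first - 40 * top, *rest]
    elif isinstance(ext_id, list) and len(ext_id) == 2:
        index, roid = ext_id
        if type(index) is not int or index == 0 or not isinstance(roid, bytes):
            raise RejectCertificate("malformed [int, ~roid]")
        critical = index < 0
        prefix = PREFIX_REGISTRY.get(abs(index))
        if prefix is None:
            # Entry registered after this firmware was built: the OID is unknowable.
            if critical:
                raise RejectCertificate(f"critical extension, unknown prefix {abs(index)}")
            return None, False                # non-critical: skip, keep parsing
        arcs = [*prefix, *subids(roid)]
    else:
        raise RejectCertificate("unsupported extensionID form")
    return ".".join(map(str, arcs)), critical
```

A `None` OID tells the caller the extension was skipped, which is worth logging because the device cannot tell what it ignored.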
