1. oid: It is fine for me to extend it by only the PEN option.
2. signatureAlgorithm: the only reason I see here is it breaks the already
deployed certificates.
2.1. Considering the PQC certificate, the public key may be several
kilo-bytes, without the one-pass signature property, the additional required
memory usage is not ignorable.
2.2. As mentioned in the
https://github.com/cose-wg/CBOR-certificates/issues/152, if the CRL have the
same structure as in the current certificate, the impact may be much larger. To
parse the CRL, the application has to parse the *revokedCertificates* field
before getting the signature algorithm. And since revokedCertificates may be
very large, e,g. In mega-bytes. IMHO, putting the *signatureAlgorithm* at the
begging is necessary.
2.3. To unify the structures of certificates and CRLs, I think
*signatureAlgorithm* shall also be at the begging. To keep the backwards
compatibility with the deployed certificates, we shall increase the syntax
version (the *version* field).
- Lijun (github/xipki)
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
