Thanks for the short clear document.

I only have two comments, which can be addressed as part of the IETF LC.

In the Security Considerations:

        To promote interoperability among implementations, the SHA-256
        hash algorithm is mandatory to implement.

This really belongs somewhere in the main specification document,
and not in the Security Consideration. Someone should be able to
implement the spec without reading the Security Considerations.

        Using thumbprints with passwords (i.e. low-entropy secrets)
        is dangerous and MUST be avoided.

"MUST be avoided" is an odd expression and leaves some wiggle room
("it was unavoidable, so I did it anyway"). Can it not more plainly say
"Thumbprints MUST NOT be used with passwords"?

Paul
_______________________________________________
COSE mailing list
https://www.ietf.org/mailman/listinfo/cose