I agree with both comments. Authors, can you please publish an updated draft when the submission window reopens?
Thanks, -- Mike 6 ________________________________ From: COSE <[email protected]> on behalf of Paul Wouters <[email protected]> Sent: Tuesday, March 12, 2024 6:59:43 PM To: Hannes Tschofenig <[email protected]>; [email protected] <[email protected]>; Orie Steele <[email protected]> Cc: cose <[email protected]> Subject: [COSE] AD review draft-ietf-cose-key-thumbprint-04 Thanks for the short clear document. I only have two comments, which can be addressed as part of the IETF LC. In the Security Considerations: To promote interoperability among implementations, the SHA-256 hash algorithm is mandatory to implement. This really belongs somewhere in the main specification document, and not in the Security Consideration. Someone should be able to implement the spec without reading the Security Considerations. Using thumbprints with passwords (i.e. low-entropy secrets) is dangerous and MUST be avoided. "MUST be avoided" is an odd expression and leaves some wiggle room. ("it was unavoidable, so I did it anyway"). Can it not more plainly say "Thumbprints MUST NOT be used with passwords" ? Paul
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
