Thanks for pointing this out :)

The document defines several headers which are hints regarding the payload.

In the context of COSE_Encrypt, the payload would still be a hash, but some
of these headers (preimage content type and payload location) could leak
information about the payload.

All of the use cases I've seen are for signing hashes that are already well
known and distributed or used in existing systems.

I can't think of a reason to use this approach with encrypted payloads, but
from a practical standpoint, I am not sure exactly what the document should
say regarding these headers if they appear in COSE_Encrypt.

Perhaps something to the effect of:

The COSE headers defined in this document SHOULD NOT be used in unprotected
or protected headers associated with COSE_Encrypt, unless the sender is
comfortable disclosing metadata regarding the encrypted payload.

What do you think?

Regards,

OS


On Tue, Jul 30, 2024 at 12:07 PM Russ Housley <[email protected]> wrote:

> Section 3 says:  Should we define this?
>
> Of course, things can change after adoption, but this seems like a fairly
> being open hole.
>
> I would like to see this document be adopted without Section 3.  The COSE
> approach would be to use COSE_Encrypt if the payload needs confidentiality.
>
> Russ
>
>
> On Jul 30, 2024, at 12:42 PM, Ivaylo Petrov <ivaylopetrov=
> [email protected]> wrote:
>
> Dear all,
>
> This message starts the call for adoption of the following draft as
> working group item:
>
> * draft-steele-cose-hash-envelope:
>   - https://datatracker.ietf.org/doc/draft-steele-cose-hash-envelope/
>
> As discussed during the last IETF, there seems to be interest in the
> working group to work on that document. If you have read the draft, please
> indicate whether you support its adoption as a working group item or not.
>
> We would also like to remind you that adoption does not mean a document is
> finished, only that it is an acceptable starting point.
>
> This call will run for two weeks, ending on Aug 13th. Please try to respond
> before that date.
>
> Best regards,
> - Ivaylo on behalf of the COSE Working Group Chairs
> _______________________________________________
> COSE mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>