Thanks, Russ,
Orie added this issue to track the discussion: 
https://github.com/OR13/draft-steele-cose-hash-envelope/issues/16 with a PR 
(https://github.com/OR13/draft-steele-cose-hash-envelope/pull/17) as a quick 
fix for further clarity in subsequent PRs.


From: Russ Housley <[email protected]>
Sent: Tuesday, July 30, 2024 10:38 AM
To: Orie Steele <[email protected]>
Cc: Cose Chairs Wg <[email protected]>; cose <[email protected]>
Subject: [COSE] Re: Call for Adoption: draft-steele-cose-hash-envelope

Sure.  That seems like a good place to start in the adopted document.  If 
someone raises a use case, we can discuss it.

Russ



On Jul 30, 2024, at 1:18 PM, Orie Steele <[email protected]> wrote:

Thanks for pointing this out :)

The document defines several headers which are hints regarding the payload.

In the context of COSE_Encrypt, the payload would still be a hash, but some of 
these headers (preimage content type and payload location) could leak 
information about the payload.

All of the use cases I've seen are for signing hashes that are already well 
known and distributed or used in existing systems.

I can't think of a reason to use this approach with encrypted payloads, but 
from a practical standpoint, I am not sure exactly what the document should say 
regarding these headers if they appear in COSE_Encrypt.

Perhaps something to the effect of:

The cose headers defined in this document SHOULD NOT be used in unprotected or 
protected headers associated with COSE_Encrypt, unless the sender is 
comfortable disclosing metadata regarding the encrypted payload.

What do you think?

Regards,

OS

On Tue, Jul 30, 2024 at 12:07 PM Russ Housley <[email protected]> wrote:
Section 3 says:  Should we define this?

Of course, things can change after adoption, but this seems like a fairly being 
open hole.

I would like to see this document be adopted without Section 3.  The COSE 
approach would be to use COSE_Encrypt if the payload needs confidentiality.

Russ



On Jul 30, 2024, at 12:42 PM, Ivaylo Petrov <[email protected]> wrote:

Dear all,

This message starts the call for adoption of the following draft as working 
group item:

* draft-steele-cose-hash-envelope:
  - https://datatracker.ietf.org/doc/draft-steele-cose-hash-envelope/

As discussed during the last IETF, there seems to be interest in the working 
group to work on that document. If you have read the draft, please indicate 
whether you support its adoption as a working group item or not.

We would also like to remind you that adoption does not mean a document is 
finished, only that it is an acceptable starting point.

This call will run for two weeks, ending on Aug 13th. Please try to respond
before that date.

Best regards,
- Ivaylo on behalf of the COSE Working Group Chairs
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]



--

ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>
