On Sat, Aug 03, 2024 at 05:03:27PM +0000, Michael Jones wrote:
>
> The simplest mitigation isn't a data structure change but prohibiting
> the use of unauthenticated encryption in contexts where it's not
> needed. Normal COSE implementations not wanting to use
> unauthenticated encryption can simply verify that the content
> encryption algorithm is authenticated, and we're done.

"Simply" only works if the COSE implementation leaves all unauthenticated
encryption algorithms unimplemented. Ensuring that an implemented algorithm
is not used unless appropriate takes extreme care.

-Ilari
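
The check discussed in this exchange, as an added example that is not part of the original message or of any COSE implementation: a default-deny gate on the content encryption algorithm, where an implemented unauthenticated algorithm is usable only when the call site opts in. The function name and the `allow_unauthenticated` parameter are hypothetical, headers are assumed to be already CBOR-decoded into dicts, and the algorithm identifiers are those of the IANA COSE Algorithms registry (RFC 9053, RFC 9459).

```python
ALG = 1  # COSE header parameter label for "alg"

# Identifiers from the IANA COSE Algorithms registry.
AEAD = {1: "A128GCM", 2: "A192GCM", 3: "A256GCM", 24: "ChaCha20/Poly1305"}
# Unauthenticated content encryption registered by RFC 9459.
NON_AEAD = {-65534: "A128CTR", -65533: "A192CTR", -65532: "A256CTR",
            -65531: "A128CBC", -65530: "A192CBC", -65529: "A256CBC"}


class AlgorithmRejected(Exception):
    """The content encryption algorithm may not be used in this context."""


def check_content_alg(protected, unprotected, allow_unauthenticated=False):
    """Return the algorithm name if decryption may proceed, else raise.

    Hypothetical helper: both arguments are header maps already decoded
    from CBOR into dicts keyed by integer label.
    """
    # The decryptor may honour either bucket, so both are inspected; the
    # same label in both is ambiguous and is refused.
    if ALG in protected and ALG in unprotected:
        raise AlgorithmRejected("alg present in both header buckets")
    alg = protected.get(ALG, unprotected.get(ALG))
    # bool is an int subclass in Python (True == 1 would match A128GCM).
    if isinstance(alg, bool) or not isinstance(alg, int):
        raise AlgorithmRejected(f"missing or non-integer alg: {alg!r}")
    if alg in AEAD:
        return AEAD[alg]
    # Implemented but unauthenticated: usable only when this call site
    # opted in explicitly. The default is to refuse.
    if alg in NON_AEAD and allow_unauthenticated:
        return NON_AEAD[alg]
    # Allowlist, not denylist: anything unrecognised is refused too.
    raise AlgorithmRejected(f"alg {alg} not permitted here")


if __name__ == "__main__":
    # Constructed sample headers, not taken from the thread.
    print(check_content_alg({ALG: 3}, {}))
    try:
        check_content_alg({}, {ALG: -65534})
    except AlgorithmRejected as exc:
        print("rejected:", exc)
```

Making the opt-in a per-call argument rather than a global setting keeps the decision at the call site that knows its context.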
