> 1: I found "The resulting value is the COSE Key Thumbprint with H of the COSE
> Key." to be very difficult to parse -- perhaps you can drop "with H of the COSE
> Key."? Actually, I'm not entirely sure what the sentence is trying to convey,
> other than that the result is the thumbprint...
I suggest changing "The resulting value is the COSE Key Thumbprint with H of
the COSE Key." to "The resulting value is the COSE Key Thumbprint with
the hash function H of the key."
Per the second comment, about uniquely identifying keys - unless a canonical
representation is used as the input to the hash function, the value will vary.
Allowing the field order to vary in the (otherwise equivalent) key
representation would result in non-interoperability. That's what this security
consideration text is about.
-- Mike
-----Original Message-----
From: Warren Kumari via Datatracker <[email protected]>
Sent: Tuesday, August 6, 2024 9:11 AM
To: The IESG <[email protected]>
Cc: [email protected]; [email protected];
[email protected]; [email protected]; [email protected];
[email protected]; [email protected]
Subject: Warren Kumari's No Objection on draft-ietf-cose-key-thumbprint-05:
(with COMMENT)
Warren Kumari has entered the following ballot position for
draft-ietf-cose-key-thumbprint-05: No Objection
When responding, please keep the subject line intact and reply to all email
addresses included in the To and CC lines. (Feel free to cut this introductory
paragraph, however.)
Please refer to
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-cose-key-thumbprint/
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
I agree with Eric Vyncke's comments. Also, much thanks to Joel Jaeggli for his
OpsDir review:
https://datatracker.ietf.org/doc/review-ietf-cose-key-thumbprint-04-opsdir-lc-jaeggli-2024-04-14/
In addition, I have some nits:
1: I found "The resulting value is the COSE Key Thumbprint with H of the COSE
Key." to be very difficult to parse -- perhaps you can drop "with H of the COSE
Key."? Actually, I'm not entirely sure what the sentence is trying to convey,
other than that the result is the thumbprint...
I'm also not sure if the first sentence in the security considerations section
is strictly true:
7. Security Considerations
   A COSE Key Thumbprint will only uniquely identify a particular key if
   a single unambiguous COSE Key representation for that key is defined
   and used when computing the COSE Key Thumbprint.
The implication of "only *uniquely* identify a particular key" makes it sound
like if you used some other representation, then you might identify some other
key (which, I *guess* might be true if the other representation didn't include
the key :-)). Is "correctly" perhaps a better word than "uniquely"? Or have I
completely misunderstood?
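The point in the reply above about canonical input to the hash function can be seen in a short sketch. This is an added example, not code from the draft or from either participant: it hashes the same key serialized in two field orders, with and without deterministic CBOR map ordering. The minimal encoder, the function names and the dummy EC2 coordinates are constructed for illustration, and the parameter set (kty, crv, x, y) is assumed here to be the required set for an EC2 key.

```python
import hashlib

def cbor_head(major: int, value: int) -> bytes:
    """Encode a CBOR head using the shortest form (needed for determinism)."""
    if value < 24:
        return bytes([(major << 5) | value])
    for extra, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if value < (1 << (8 * size)):
            return bytes([(major << 5) | extra]) + value.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def cbor_item(obj) -> bytes:
    """Encode the two types this key needs: integers and byte strings."""
    if isinstance(obj, int):
        return cbor_head(0, obj) if obj >= 0 else cbor_head(1, -1 - obj)
    if isinstance(obj, bytes):
        return cbor_head(2, len(obj)) + obj
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def cbor_map(pairs, deterministic: bool) -> bytes:
    """Encode (key, value) pairs as a CBOR map, optionally in canonical order."""
    encoded = [(cbor_item(k), cbor_item(v)) for k, v in pairs]
    if deterministic:
        # Bytewise lexicographic order of the encoded keys.
        encoded.sort(key=lambda kv: kv[0])
    return cbor_head(5, len(encoded)) + b"".join(k + v for k, v in encoded)

def thumbprint(pairs, deterministic: bool = True) -> str:
    """SHA-256 over the encoded key; H is assumed to be SHA-256 here."""
    return hashlib.sha256(cbor_map(pairs, deterministic)).hexdigest()

# Constructed EC2 key: kty(1)=2, crv(-1)=1, x(-2), y(-3).
# The coordinates are dummy bytes, not a real curve point.
X, Y = bytes(range(32)), bytes(range(32, 64))
ORDER_A = [(1, 2), (-1, 1), (-2, X), (-3, Y)]
ORDER_B = [(-3, Y), (1, 2), (-2, X), (-1, 1)]  # same key, different field order

if __name__ == "__main__":
    print("as serialized:", thumbprint(ORDER_A, False), thumbprint(ORDER_B, False))
    print("canonical:    ", thumbprint(ORDER_A), thumbprint(ORDER_B))
```

Two implementations that hash the key as serialized produce different identifiers for the same key; with the ordering step both arrive at one value.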