Thomas – thanks for reaching out! I agree that we want to make sure everything is aligned, and really appreciate your reading over our work.
I need to review both of your comments with the committee, but I am pretty sure that we can adjust both to better align with your recommendation as I don’t see any reason we need these exceptions from the norm.

Leonard

From: Thomas Fossati <[email protected]>
Date: Friday, August 23, 2024 at 7:33 AM
To: Leonard Rosenthol <[email protected]>
Cc: Henk Birkholz <[email protected]>, Michael Jones <[email protected]>, [email protected] <[email protected]>
Subject: Re: [COSE] Re: WGLC for draft-ietf-cose-tsa-tst-header-parameter

Hi Leonard,

On Wed, 14 Aug 2024 at 23:55, Leonard Rosenthol <[email protected]> wrote:
> > The 3161-ctt COSE unprotected header parameter MUST be used for the mode
> > described in Section 2.2.
>
> We are using a CTT-compatible timestamp in C2PA 2.1 – see
> https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_storing_the_time_stamp.
> However, we are using our own unprotected header for
> alignment/compatibility with our work.
>
> Does that mean we are violating your standard by doing so??

You are not violating the standard because:

1. There is no standard yet :-), and
2. You are using your custom header(s).

Converging on a standard has clear benefits, but we need to make sure your requirements are covered and that's why your feedback is very important at this stage.

Specifically, while the semantics of C2PA's `tstSig2` are remarkably similar to `3161-ctt`, there are two small differences:

1. C2PA allows multiple timestamps to be collected, whereas the CTT header is a single bstr. To cover C2PA usages, `3161-ctt` must allow an array of bstr's, one per TSA;
2. C2PA stores the whole `TimestampResponse` while `3161-ctt` only stores the inner `TimestampToken`. Since a `TimestampToken` exists only if the `TimestampResponse` has one of the two "granted" statuses (which are those allowed by C2PA), the latter seems redundant.

What do you think?

cheers, thanks!
t
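The two differences listed in the message above can be illustrated with an added example, which is not part of the thread, the draft, or the C2PA specification: it reduces RFC 3161 `TimeStampResp` structures (the message's `TimestampResponse`) to their inner `TimeStampToken`, one per TSA, accepting only the two "granted" statuses. The function names and the sample bytes are constructed for illustration, and no signature or CMS validation is performed.

```python
GRANTED = {0, 1}  # RFC 3161 PKIStatus: granted(0), grantedWithMods(1)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def token_from_response(resp):
    """Extract the DER TimeStampToken from a DER TimeStampResp, or raise ValueError."""
    tag, body, end = read_tlv(resp)
    if tag != 0x30 or end != len(resp):
        raise ValueError("not a single DER SEQUENCE")
    tag, info, tok_start = read_tlv(body)            # PKIStatusInfo
    tag2, status, _ = read_tlv(info)                 # PKIStatus INTEGER
    if tag != 0x30 or tag2 != 0x02 or not status:
        raise ValueError("malformed PKIStatusInfo")
    code = int.from_bytes(status, "big", signed=True)
    if code not in GRANTED:
        raise ValueError(f"PKIStatus {code} is not a granted status")
    tag, _, tok_end = read_tlv(body, tok_start)      # fails if the token is absent
    if tag != 0x30 or tok_end != len(body):
        raise ValueError("malformed timeStampToken")
    return body[tok_start:tok_end]                   # the full token TLV

def to_ctt_array(responses):
    """One token bstr per TSA response (the array shape proposed in the message)."""
    return [token_from_response(r) for r in responses]

def der(tag, value):
    """Encode one short-form DER element; used only for the constructed samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample data: a stand-in ContentInfo shell, not a real signed token.
FAKE_TOKEN = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, b""))
GRANTED_RESP = der(0x30, der(0x30, der(0x02, b"\x00")) + FAKE_TOKEN)
REJECTED_RESP = der(0x30, der(0x30, der(0x02, b"\x02")))
```
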
