hi Orie,

Many thanks for the review!
On Thu, 15 Aug 2024 at 01:25, Orie Steele <[email protected]> wrote:

> Authors might consider providing some guidance regarding validation of CTT
> where the COSE claims appear (iat, nbf) to have happened after the timestamp
> ( time travel ).

+1. I think this needs to be discussed as part of the threat & trust models and can be bundled with your last comment "Security considerations seem light".

> IIRC cose counter signatures apply to the protected header, payload and
> signature, whereas CTT only applies to the signatures.
>
> This means that the TSA does not countersign any protected information in the
> header?

No, the signature subsumes the protected headers and payload (however carried), so the TSA counter-signature includes them. Maybe the reference to 9338 is confusing and we should just remove it [1].

> Some use cases for the 2 modes might improve the document.

Tracked at [2].

> Security considerations seem light.

Tracked at [3].

cheers, thanks!

[1] https://github.com/ietf-scitt/draft-birkholz-cose-tsa-tst-header-parameter/issues/18
[2] https://github.com/ietf-scitt/draft-birkholz-cose-tsa-tst-header-parameter/issues/17
[3] https://github.com/ietf-scitt/draft-birkholz-cose-tsa-tst-header-parameter/issues/16

_______________________________________________
COSE mailing list -- [email protected]
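Added example (not code from the thread, the draft, or the SCITT project): a verifier-side sketch of the two points discussed above. `check_timestamp_token()` flags the "time travel" case, where the CWT claims iat/nbf lie after the TSA's timestamp, and `verify_timestamped()` shows why a timestamp over the signature bytes transitively commits to the protected header and payload, since the signature is computed over both. Everything uses the Python standard library only; HMAC-SHA256 stands in for the COSE signature algorithm, a length-prefixed concatenation stands in for the CBOR Sig_structure, the timestamp token is reduced to an imprint plus genTime, the 300-second skew tolerance and all sample values are constructed assumptions.

```python
"""Verifier-side checks for a COSE signature carrying a TSA timestamp token.

Example code, not from the draft or the mailing-list thread. HMAC and a
length-prefixed byte layout stand in for the real COSE primitives.
"""
import hashlib
import hmac

# CWT claim keys from RFC 8392: 4 = exp, 5 = nbf, 6 = iat.
CWT_EXP, CWT_NBF, CWT_IAT = 4, 5, 6


def check_timestamp_token(claims: dict, tst_time: int, skew: int = 300) -> list[str]:
    """Return findings about claim/timestamp consistency (empty list = consistent).

    claims:   decoded CWT claims from the COSE payload, integer keys as in RFC 8392
    tst_time: generation time of the TSA's token, Unix seconds
    skew:     tolerated clock difference in seconds (assumed value, not from the draft)
    """
    findings = []
    iat = claims.get(CWT_IAT)
    nbf = claims.get(CWT_NBF)
    exp = claims.get(CWT_EXP)
    # The "time travel" case from the thread: the token claims to have been
    # issued, or to become valid, after the TSA already timestamped it.
    if iat is not None and iat > tst_time + skew:
        findings.append(f"iat={iat} is after TSA time {tst_time}: issued after being timestamped")
    if nbf is not None and nbf > tst_time + skew:
        findings.append(f"nbf={nbf} is after TSA time {tst_time}: timestamped before validity began")
    # Same family of check, not raised in the thread: already expired when timestamped.
    if exp is not None and exp < tst_time - skew:
        findings.append(f"exp={exp} is before TSA time {tst_time}: expired when timestamped")
    return findings


def sig_structure(protected: bytes, payload: bytes, external_aad: bytes = b"") -> bytes:
    """Stand-in for the COSE Sig_structure (RFC 9052 section 4.4), which is the CBOR
    array ["Signature1", protected, external_aad, payload]. Length-prefixing each
    element keeps the encoding unambiguous without a CBOR library."""
    parts = [b"Signature1", protected, external_aad, payload]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign(key: bytes, protected: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 stands in for the COSE signature algorithm (assumption); what
    matters is that the signature is a function of protected header and payload."""
    return hmac.new(key, sig_structure(protected, payload), hashlib.sha256).digest()


def verify_signature(key: bytes, protected: bytes, payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, protected, payload), signature)


def timestamp_token(signature: bytes, tst_time: int) -> dict:
    """Reduced stand-in for the TSA token: a hash of the signature bytes (the
    message imprint) bound to a generation time. The TSA's own signature over
    this pair is omitted here."""
    return {"imprint": hashlib.sha256(signature).digest(), "genTime": tst_time}


def verify_timestamped(key: bytes, protected: bytes, payload: bytes,
                       signature: bytes, token: dict) -> bool:
    """Accept only if the signature covers exactly (protected, payload) AND the
    token's imprint was computed over exactly these signature bytes. Together the
    two checks pin the protected header and payload to the TSA time."""
    sig_ok = verify_signature(key, protected, payload, signature)
    tst_ok = hmac.compare_digest(token["imprint"], hashlib.sha256(signature).digest())
    return sig_ok and tst_ok


# Constructed sample data.
KEY = b"constructed-demo-key"
PROTECTED = b"\xa1\x01\x26"      # constructed header bytes; as CBOR this is {1: -7}, alg ES256
PAYLOAD = b"constructed payload"
TSA_TIME = 1_723_680_000         # constructed genTime


def demo() -> tuple:
    """Returns (original accepted, altered header rejected, re-signed payload rejected)."""
    sig = sign(KEY, PROTECTED, PAYLOAD)
    tok = timestamp_token(sig, TSA_TIME)
    original_ok = verify_timestamped(KEY, PROTECTED, PAYLOAD, sig, tok)
    # Altered protected header presented with the original signature: signature check fails.
    altered_header = verify_timestamped(KEY, b"\xa1\x01\x27", PAYLOAD, sig, tok)
    # Payload altered and re-signed, original token reused: imprint no longer matches.
    sig2 = sign(KEY, PROTECTED, b"altered payload")
    resigned = verify_timestamped(KEY, PROTECTED, b"altered payload", sig2, tok)
    return original_ok, altered_header, resigned


if __name__ == "__main__":
    print(demo())
    print(check_timestamp_token({CWT_IAT: TSA_TIME + 3600, CWT_NBF: TSA_TIME - 60}, TSA_TIME))
```

The skew tolerance is the knob a deployment has to decide on: too small and ordinary clock drift between the signer and the TSA produces false positives, too large and the check stops saying anything useful about ordering.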
