Hi Russ,
coming back to your WGAC comment and Orie's reply, would you like to
provide a recommendation on the COSE_Encrypt topic?
Best regards,
Henk
On 30.07.24 19:18, Orie Steele wrote:
Thanks for pointing this out :)
The document defines several headers which are hints regarding the payload.
In the context of COSE_Encrypt, the payload would still be a hash, but
some of these headers (preimage content type and payload location) could
leak information about the payload.
All of the use cases I've seen are for signing hashes that are already
well known and distributed or used in existing systems.
I can't think of a reason to use this approach with encrypted payloads,
but from a practical standpoint, I am not sure exactly what the document
should say regarding these headers if they appear in COSE_Encrypt.
Perhaps something to the effect of:
The cose headers defined in this document SHOULD NOT be used in
unprotected or protected headers associated with COSE_Encrypt, unless
the sender is comfortable disclosing metadata regarding the encrypted
payload.
What do you think?
Regards,
OS
On Tue, Jul 30, 2024 at 12:07 PM Russ Housley <[email protected]> wrote:
Section 3 says: Should we define this?
Of course, things can change after adoption, but this seems like a
fairly big open hole.
I would like to see this document be adopted without Section 3. The
COSE approach would be to use COSE_Encrypt if the payload needs
confidentiality.
Russ
On Jul 30, 2024, at 12:42 PM, Ivaylo Petrov <[email protected]> wrote:
Dear all,
This message starts the call for adoption of the following draft
as working group item:
* draft-steele-cose-hash-envelope:
  - https://datatracker.ietf.org/doc/draft-steele-cose-hash-envelope/
As discussed during the last IETF, there seems to be interest in
the working group to work on that document. If you have read the
draft, please indicate whether you support its adoption as a
working group item or not.
We would also like to remind you that adoption does not mean a
document is finished, only that it is an acceptable starting point.
This call will run for two weeks, ending on Aug 13th. Please try
to respond before that date.
Best regards,
- Ivaylo on behalf of the COSE Working Group Chairs
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>