Hi Panos,

I've not used the "multiple signatures" feature of JOSE or COSE much, but I believe that signatures can be added, or removed incrementally.

You could use crit in the top level header to try to force a verifier to be aware of some specific construction, or some application specific digest structure as noted here:

https://datatracker.ietf.org/doc/html/rfc9052#section-1-8

Here are some other references I found while trying to craft a reply to your message:

https://github.com/cose-wg/Examples/blob/master/sign-tests/ecdsa-01.json
https://datatracker.ietf.org/doc/html/rfc8152#appendix-C.1.2
https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2

Here is some code showing how the multiple signature structure is used:

https://github.com/erdtman/cose-js/blob/master/lib/sign.js#L108

Regards,

OS

On Fri, Dec 20, 2024 at 1:35 PM Kampanakis, Panos <kpanos= [email protected]> wrote:

> Hi COSE WG,
>
> Pardon my COSE illiteracy, but I could not find the answer.
>
> COSE can carry multiple signatures of the content which are validated
> independently. But could I take COSE legitimate content signed with
> SigAlgo1 and SigAlgo2, and remove the Algo2 signature structure, so that
> the verifier will only validate with Algo1?
>
> CMS prevents this by a new MultipleSignatures signed attribute defined in
> https://www.rfc-editor.org/rfc/rfc5752 which signifies that there are
> more signatures for the content and thus the other signatures cannot be
> stripped.
>
> I could not find if such functionality is available in COSE.
>
> Thank you,
> Panos
>
> _______________________________________________
> COSE mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
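Added example, not part of the thread and not code from cose-js: one application-specific way the crit suggestion above could be applied to the signature-removal question. It assumes a hypothetical private-use header label (`EXPECTED_ALGS`, -65537) that lists the algorithms which must all be present, and that each COSE_Signature was already verified over its Sig_structure, which covers the body protected header.

```javascript
// Added example: signer-set policy for a decoded COSE_Sign message.
// Labels 1 (alg) and 2 (crit) are from RFC 9052; EXPECTED_ALGS is a
// hypothetical private-use label chosen for this sketch.
const ALG = 1, CRIT = 2, EXPECTED_ALGS = -65537;

// bodyProtected: Map decoded from the body protected header bucket.
// verifiedSigners: protected-header Maps of the COSE_Signature entries whose
// signatures already verified over a Sig_structure (which includes the body
// protected bytes, so the declaration below is covered by every signature).
// understood: Set of extension labels this verifier implements.
function checkSignerSet(bodyProtected, verifiedSigners, understood) {
  const crit = bodyProtected.get(CRIT) || [];
  const unknown = crit.filter((label) => !understood.has(label));
  if (unknown.length > 0) {
    return { ok: false, reason: `unsupported critical label ${unknown[0]}` };
  }
  const declared = bodyProtected.get(EXPECTED_ALGS);
  if (!Array.isArray(declared) || declared.length === 0) {
    return { ok: false, reason: "no signer set declared" };
  }
  if (!crit.includes(EXPECTED_ALGS)) {
    return { ok: false, reason: "signer set not marked critical" };
  }
  const present = new Set(verifiedSigners.map((h) => h.get(ALG)));
  const missing = declared.filter((alg) => !present.has(alg));
  if (missing.length > 0) {
    return { ok: false, reason: `missing signature for alg ${missing.join(",")}` };
  }
  return { ok: true, reason: "all declared signatures present" };
}

// Constructed sample: body header declares ES256 (-7) and EdDSA (-8).
const body = new Map([[CRIT, [EXPECTED_ALGS]], [EXPECTED_ALGS, [-7, -8]]]);
const es256 = new Map([[ALG, -7]]);
const eddsa = new Map([[ALG, -8]]);
const aware = new Set([EXPECTED_ALGS]);

console.log(checkSignerSet(body, [es256, eddsa], aware)); // intact message
console.log(checkSignerSet(body, [es256], aware));        // one signature removed
console.log(checkSignerSet(body, [es256], new Set()));    // verifier unaware of label
```

A verifier that does not implement the label fails on crit instead of silently accepting the reduced signature set.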
