Yes, I’m 90% sure you can strip COSE signatures. Just delete the CBOR for the 
signature and reduce the count of the array that holds the signatures by 1.

I looked over my COSE implementation (“t_cose”) to try to confirm and I don’t 
see anything that binds signatures to each other.

It might be easier to convince a verifier to ignore some signatures than to 
rewrite the COSE_Sign message, but I don’t know your use case. For example, 
t_cose has plug-ins for signature type handling. You could probably make a NULL 
plug-in for a particular algorithm.

LL


On Dec 23, 2024, at 9:46 AM, Orie Steele <[email protected]> wrote:

Hi Panos,

I've not used the "multiple signatures" feature of JOSE or COSE much, but I 
believe that signatures can be added or removed incrementally.
You could use crit in the top-level header to try to force a verifier to be 
aware of some specific construction, or some application-specific digest 
structure as noted here:
https://datatracker.ietf.org/doc/html/rfc9052#section-1-8

Here are some other references I found while trying to craft a reply to your 
message:

https://github.com/cose-wg/Examples/blob/master/sign-tests/ecdsa-01.json
https://datatracker.ietf.org/doc/html/rfc8152#appendix-C.1.2
https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2

Here is some code showing how the multiple signature structure is used:
https://github.com/erdtman/cose-js/blob/master/lib/sign.js#L108

Regards,

OS


On Fri, Dec 20, 2024 at 1:35 PM Kampanakis, Panos <[email protected]> wrote:
Hi COSE WG,

Pardon my COSE illiteracy, but I could not find the answer.

COSE can carry multiple signatures of the content which are validated 
independently. But could I take legitimate COSE content signed with SigAlgo1 
and SigAlgo2, and remove the Algo2 signature structure, so that the verifier 
will only validate with Algo1?

CMS prevents this by a new MultipleSignatures signed attribute defined in 
https://www.rfc-editor.org/rfc/rfc5752 which signifies that there are more 
signatures for the content and thus the other signatures cannot be stripped.

I could not find if such functionality is available in COSE.

Thank you,
Panos



_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]


--

ORIE STEELE
Chief Technology Officer
www.transmute.industries
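Added example, not part of the thread and not code from t_cose or cose-js: a standard-library Python model of the per-signer Sig_structure from RFC 9052 section 4.4, showing that nothing in one signer's to-be-signed bytes depends on the other signers, plus a verifier-side policy that accepts a message only when every required algorithm has a valid signature. The function names, the dict layout of the message and the HMAC stand-in for a real signature algorithm are assumptions made for illustration.

```python
import hashlib
import hmac

def cbor(obj):
    """Minimal CBOR encoder for ints, bstr, tstr, arrays and maps (sizes < 256)."""
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        return bytes([major << 5 | 24, n])
    if isinstance(obj, int):
        return head(0, obj) if obj >= 0 else head(1, -1 - obj)
    if isinstance(obj, bytes):
        return head(2, len(obj)) + obj
    if isinstance(obj, str):
        return head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, list):
        return head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    if isinstance(obj, dict):
        return head(5, len(obj)) + b"".join(cbor(k) + cbor(v) for k, v in obj.items())
    raise TypeError(type(obj))

def to_be_signed(msg, signer, external_aad=b""):
    # Sig_structure for a COSE_Signature (RFC 9052, section 4.4). Its inputs are
    # the body header, this signer's header, the AAD and the payload only.
    return cbor(["Signature", msg["protected"], signer["protected"],
                 external_aad, msg["payload"]])

def stand_in_sign(key, tbs):
    # Assumption: HMAC-SHA256 stands in for a real ES256/EdDSA signature.
    return hmac.new(key, tbs, hashlib.sha256).digest()

def add_signer(msg, alg, key):
    signer = {"alg": alg, "protected": cbor({1: alg})}  # header label 1 = alg
    signer["signature"] = stand_in_sign(key, to_be_signed(msg, signer))
    msg["signatures"].append(signer)

def verify(msg, keys, required_algs):
    """Accept only if every algorithm in required_algs has a valid signature."""
    valid = {s["alg"] for s in msg["signatures"] if s["alg"] in keys
             and hmac.compare_digest(
                 s["signature"], stand_in_sign(keys[s["alg"]], to_be_signed(msg, s)))}
    return set(required_algs) <= valid

def sample():
    # Constructed keys and payload; -7 is ES256 and -8 is EdDSA in the COSE registry.
    keys = {-7: b"constructed-key-1", -8: b"constructed-key-2"}
    msg = {"protected": b"", "payload": b"constructed payload", "signatures": []}
    for alg, key in keys.items():
        add_signer(msg, alg, key)
    return msg, keys
```

With a message that has lost its second signer, `verify(msg, keys, {-7})` still succeeds while `verify(msg, keys, {-7, -8})` fails, so the required set has to come from verifier policy rather than from the message itself.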