Thank you Orie and LL. That is unfortunate. The use-case is for a typical downgrade attack: When I am migrating to a new algorithm because an old one is no longer secure but I can’t upgrade all verifiers to understand the new algorithm at the same time, I would use two signatures with both algorithms. The verifier would verify the one it understands depending if it has been upgraded or not. Now, if I was a bad guy, I could strip the new algorithm signature and force even upgraded verifiers to verify only the insecure algorithm. If the COSE signature included some binding between the two like the CMS MultipleSignatures structure, the bad guy would not be able to strip the signature it did not like.
From: lgl island-resort.com <[email protected]> Sent: Monday, December 23, 2024 1:31 PM To: Orie Steele <[email protected]>; Kampanakis, Panos <[email protected]> Cc: [email protected] Subject: RE: [EXTERNAL] [COSE] Strip signatures from COSE_Sign structures? CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Yes, I’m 90% sure you can strip COSE signatures. Just delete the CBOR for the signature and reduce the count of the array that holds the signatures by 1. I looked over my COSE implementation (“t_cose”) to try to confirm and I don’t see anything that binds signatures to each other. It might be easier to convince a verifier to ignore some signatures than to rewrite the COSE_Sign message, but I don’t know your use case. For example, t_cose has plug-ins for signature type handling. You could probably make a NULL plug-in for a particular algorithm LL On Dec 23, 2024, at 9:46 AM, Orie Steele <[email protected]<mailto:[email protected]>> wrote: Hi Panos, I've not used the "multiple signatures" feature of JOSE or COSE much, but I believe that signatures can be added, or removed incrementally. You could use crit in the top level header to try to force a verifier to be aware of some specific construction, or some application specific digest structure as noted here: https://datatracker.ietf.org/doc/html/rfc9052#section-1-8 Here are some other references I found while trying to craft a reply to your message: https://github.com/cose-wg/Examples/blob/master/sign-tests/ecdsa-01.json https://datatracker.ietf.org/doc/html/rfc8152#appendix-C.1.2 https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2 Here is some code showing how the multiple signature structure is used: https://github.com/erdtman/cose-js/blob/master/lib/sign.js#L108 Regards, OS On Fri, Dec 20, 2024 at 1:35 PM Kampanakis, Panos <[email protected]<mailto:[email protected]>> wrote: Hi COSE WG, Pardon my COSE illiteracy, but I could not find the answer. COSE can carry multiple signatures of the content which are validated independently. But could I take COSE legitimate content signed with SigAlgo1 and SigAlgo2, and remove the Algo2 signature structure, so that the verifier will only validate with Algo1? CMS prevents this by a new MultipleSignatures signed attribute defined in https://www.rfc-editor.org/rfc/rfc5752 which signifies that there are more signatures for the content and thus the other signatures cannot be stripped. I could not find if such functionality is available in COSE. Thank you, Panos _______________________________________________ COSE mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> -- ORIE STEELE Chief Technology Officer www.transmute.industries<http://www.transmute.industries> [https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/> _______________________________________________ COSE mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]>
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
