An different take on the same problem, is using discovery services where each
service declares its capabilities, where crypto is just one of many items that
may be subject to upgrades.
This is intended for an EU Digital Identity Wallet proposal currently in the
workings.
A JSON-based predecessor using such a scheme:
https://test.webpki.org/saturn-payeebank/authority
Anders
https://cyberphone.github.io/doc/defensive-publications/authority-objects.pdf
On 2024-12-30 06:08, Kampanakis, Panos wrote:
Thank you Orie and LL.
That is unfortunate. The use-case is for a typical downgrade attack: When I am
migrating to a new algorithm because an old one is no longer secure but I can’t
upgrade all verifiers to understand the new algorithm at the same time, I would
use two signatures with both algorithms. The verifier would verify the one it
understands depending if it has been upgraded or not. Now, if I was a bad guy,
I could strip the new algorithm signature and force even upgraded verifiers to
verify only the insecure algorithm. If the COSE signature included some binding
between the two like the CMS MultipleSignatures structure, the bad guy would
not be able to strip the signature it did not like.
*From:* lgl island-resort.com <[email protected]>
*Sent:* Monday, December 23, 2024 1:31 PM
*To:* Orie Steele <[email protected]>; Kampanakis, Panos
<[email protected]>
*Cc:* [email protected]
*Subject:* RE: [EXTERNAL] [COSE] Strip signatures from COSE_Sign structures?
*CAUTION*: This email originated from outside of the organization. Do not click
links or open attachments unless you can confirm the sender and know the
content is safe.
Yes, I’m 90% sure you can strip COSE signatures. Just delete the CBOR for the
signature and reduce the count of the array that holds the signatures by 1.
I looked over my COSE implementation (“t_cose”) to try to confirm and I don’t
see anything that binds signatures to each other.
It might be easier to convince a verifier to ignore some signatures than to
rewrite the COSE_Sign message, but I don’t know your use case. For example,
t_cose has plug-ins for signature type handling. You could probably make a NULL
plug-in for a particular algorithm
LL
On Dec 23, 2024, at 9:46 AM, Orie Steele <[email protected]
<mailto:[email protected]>> wrote:
Hi Panos,
I've not used the "multiple signatures" feature of JOSE or COSE much, but I
believe that signatures can be added, or removed incrementally.
You could use crit in the top level header to try to force a verifier to be
aware of some specific construction, or some application specific digest
structure as noted here:
https://datatracker.ietf.org/doc/html/rfc9052#section-1-8
<https://datatracker.ietf.org/doc/html/rfc9052#section-1-8>
Here are some other references I found while trying to craft a reply to
your message:
https://github.com/cose-wg/Examples/blob/master/sign-tests/ecdsa-01.json
<https://github.com/cose-wg/Examples/blob/master/sign-tests/ecdsa-01.json>
https://datatracker.ietf.org/doc/html/rfc8152#appendix-C.1.2
<https://datatracker.ietf.org/doc/html/rfc8152#appendix-C.1.2>
https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2
<https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2>
Here is some code showing how the multiple signature structure is used:
https://github.com/erdtman/cose-js/blob/master/lib/sign.js#L108
<https://github.com/erdtman/cose-js/blob/master/lib/sign.js#L108>
Regards,
OS
On Fri, Dec 20, 2024 at 1:35 PM Kampanakis, Panos
<[email protected] <mailto:[email protected]>> wrote:
Hi COSE WG,
Pardon my COSE illiteracy, but I could not find the answer.
COSE can carry multiple signatures of the content which are validated
independently. But could I take COSE legitimate content signed with SigAlgo1
and SigAlgo2, and remove the Algo2 signature structure, so that the verifier
will only validate with Algo1?
CMS prevents this by a new MultipleSignatures signed attribute defined in
https://www.rfc-editor.org/rfc/rfc5752 <https://www.rfc-editor.org/rfc/rfc5752>
which signifies that there are more signatures for the content and thus the other
signatures cannot be stripped.
I could not find if such functionality is available in COSE.
Thank you,
Panos
_______________________________________________
COSE mailing list -- [email protected] <mailto:[email protected]>
To unsubscribe send an email to [email protected]
<mailto:[email protected]>
--
*ORIE STEELE
*Chief Technology Officer
www.transmute.industries <http://www.transmute.industries>
<https://transmute.industries/>
_______________________________________________
COSE mailing list -- [email protected] <mailto:[email protected]>
To unsubscribe send an email to [email protected]
<mailto:[email protected]>
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
