Hi all, Based on cBRSKI work in the ANIMA WG (which uses COSE-Sign1 data objects) the question came up if the COSE signature can be timestamped in a simple way. "Simple" meaning here a single numeric uint value in seconds, something like defined in RFC 8392 for the "iat" claim for CWTs in Section 3.1.6.
This has the benefit that a constrained device can relatively easily parse it - no codebase needed to parse strings, timezones, etc. Timezone is always UTC. So this would rule out the use of draft-ietf-cose-tsa-tst-header-parameter defined protected header parameter. (Not sure if that draft aims to be equivalent to the CMS "Signing Time" in Section 11.3 of RFC 5652?) The constrained device then can check the signature and inspect the time of signing i.e. time of issuing the content in the COSE payload. Has something like this been considered? Best regards, Esko Dijk IoTconsultancy.nl | Email/Teams: [email protected]<mailto:[email protected]>
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
