> Would sticking in a CWT (COSE label 15) header parameter with a sole iat > claim (CWT label 6) in it work for you?
For the cBRSKI case, the COSE payload is a CBOR "voucher" as defined by draft-ietf-anima-rfc8366bis. This doesn't use the CWT format. Therefore the idea was to use the COSE parameters to carry extra information, which can't fit into the "voucher". Meanwhile we're also working to add either 1) a simple created-on timestamp, or 2) vendor-specific data, to the voucher definition. If 1) is done then there's no need anymore to add such information to the COSE object header. Although it could still be useful to have the option of a 'simple' timestamp for multiple applications of COSE (also the non-CWT ones). Esko ________________________________ From: Carsten Bormann <[email protected]> Sent: Wednesday, March 5, 2025 10:12 To: Esko Dijk <[email protected]> Cc: [email protected] <[email protected]>; [email protected] <[email protected]> Subject: Re: [COSE] Simple numeric timestamp in COSE header (RFC 8392 "iat" style) Hi Esko, > On 2025-03-05, at 09:40, Esko Dijk <[email protected]> wrote: > > Hi all, > > Based on cBRSKI work in the ANIMA WG (which uses COSE-Sign1 data objects) the > question came up if the COSE signature can be timestamped in a simple way. > "Simple" meaning here a single numeric uint value in seconds, something like > defined in RFC 8392 for the "iat" claim for CWTs in Section 3.1.6. > > This has the benefit that a constrained device can relatively easily parse it > - no codebase needed to parse strings, timezones, etc. Timezone is always UTC. Definitely useful. Would sticking in a CWT (COSE label 15) header parameter with a sole iat claim (CWT label 6) in it work for you? That’s what we’ve been recently recommending. It does cost two extra bytes (assuming a IAT header parameter would get a single-byte number), but seems to meet the requirements you stated otherwise. > So this would rule out the use of draft-ietf-cose-tsa-tst-header-parameter > defined protected header parameter. tsa-tst is for the case when you already have a traditional RFC 3161 TSA in your picture, which it seems you don’t. Grüße, Carsten
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
