Deb Cooley has entered the following ballot position for draft-ietf-cose-tsa-tst-header-parameter-06: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-cose-tsa-tst-header-parameter/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks to Stefan Santesson for the repeated secdir reviews. These reviews have driven change to create a better specification. The authors are lucky to have drawn a reviewer that is well versed in the subject of timestamps. I'm not sure it is possible to completely eliminate the issue of a choosing the wrong method, but I hope recent changes have made it harder for the developer to make that mistake. I will make a few comments which I hope will make it a tiny bit harder. Names of modes: Stefan points out that the two mode names are similar, perhaps too similar. Instead of choosing the mode names by the order of operation, maybe mode names that describe the operation. Perhaps 'certificate timestamps' and 'unsigned statement timestamps', recognizing that these don't create nice acronyms, and that it is a pretty pervasive change to the draft. Section 1.1: Add a sentence to the first para that this specification outlines the original mode and a new mode, where the security characteristics are different so care needs to be taken to choose the appropriate mode. Section 1.1, para 2&3: Please consider stating that this use case is the primary, or original use case that most implementations will use. Something like 'The original use case....' and then 'This primary usage scenario motivates....' Section 1.1, para 4&5: Please consider stating that this is a new use case for very specific purposes. Something like 'The new use case...' and then 'This new usage scenario....' ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 1.1, para 4: A small clarification, if the TST is acquired before the statement is signed, then the relying party knows that the statement was signed by the issuer 'not before' the times specified by the TSA. This is an early bound (vice a no later bound in the first case). _______________________________________________ COSE mailing list -- cose@ietf.org To unsubscribe send an email to cose-le...@ietf.org
