Here's a quick follow-up to my round trip through [email protected] [1].

In short, see Harald's reply [2] for the details: in order to extend
the acceptable "usage" values, we'd need "[...] to get IESG approval
on the change.  Whether you need to publish an update to RFC 9360 or
an additional RFC is probably going to be decided by the WG, your AD,
and the IESG."

So, given the ambiguity surrounding the encoding of COSE_X509 raised
by John and MCR, we may wish to bundle these two together in a brief
update to RFC 9360.  WDYT?

cheers!

[1] https://mailarchive.ietf.org/arch/msg/media-types/4476Van-thNySvPj1pMAvkZvxlw/
[2] https://mailarchive.ietf.org/arch/msg/media-types/ypYevlqM9zc9vLK3m17eH48j8Xc/

On Fri, 3 Oct 2025 at 21:14, Thomas Fossati <[email protected]> wrote:
>
> Hi, Michael.
>
> On Fri, 3 Oct 2025 at 18:28, Michael Richardson <[email protected]> wrote:
> > Thomas Fossati <[email protected]> wrote:
> >     > We want to transport DICE [0] certificate chains in CMWs [1], and for
> >     > that, we need a media type.
> >
> >     > Note that DICE certificate chains differ semantically from standard
> >     > X.509 certificate chains in that they also represent attestation
> >     > Evidence [2].  Therefore, using
> >     > * application/pkcs7-mime; smime-type="certs-only"
> >     > * application/cose-x509; usage=chain, and
> >     > * application/pkix-pkipath
> >     > would provide too coarse typing information, so we'd like to improve this.
> >
> >     > One way would be to extend the application/cose-x509 "usage" parameter
> >     > to include the value "dice-chain", i.e., application/cose-x509;
> >     > usage=dice-chain.
> >
> > cose-x509.  I was thinking this is from cbor-encoded-cert, but it defines cose-c509-cert.
> > And that definition has usage=chain, so was this a typo?  NOPE.
> > cose-x509 is RFC9360... and COSE_X509 is a CBOR sequence of bstr wrapped
> > DER-encoded PKIX certificates.
> > I think that this means that there is CBOR definite(?) array of bytes.
> >
> > So this becomes a dice-chain.
> > And after you do CoAP/Content-Format registration, you get an integer for the
> > CBOR CMW, so any verbosity of the media type is a moot point.
> >
> >     > Would that be acceptable?  If so, what steps need to be taken to
> >     > register the new parameter value?
> >     > Do we need a specification, and if so, what kind? Or is a request to
> >     > the media-types list sufficient?
> >
> > I understand that an email to [email protected] with the template is
> > enough.  However, I find that one has to poke the reviewers.
> > I'm hoping IANA's new DE RT system will get help.
>
> OK, thanks for the tip; I'll forward the request to [email protected] then.
>
> cheers, t

_______________________________________________
COSE mailing list -- [email protected]