Deb Cooley has entered the following ballot position for draft-ietf-cose-hash-envelope-08: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-cose-hash-envelope/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks to Yaron Sheffer for his secdir review. I think many of his comments should be incorporated, I can't see that it has happened yet. Section 5.1: Currently you recommend that the strength of all the algorithm components is what I call 'matchy matchy', but that isn't always necessary. I would change this to something like: 'The hash/signature algorithm combination is *RECOMMENDED to be equal or stronger than the payload hash algorithm.' For example, if the payload is hashed with SHA 512, but the hash/signature algorithm is P256 w/ SHA 256, then the strength of the whole thing is basically equivalent to P256 w/ SHA 256, not ideal. _______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
