All, I would like to be able to securely and confidentially transport key material in a way similar to the CMS Encrypted Key Package [1] for symmetric and asymmetric key material and attributes, but without needing the ASN.1 infrastructure. There are many possible ways to do this, and I'm interested in getting feedback for what may already exist or have already been experimented with.
The first thing that came to mind is simply enveloping a COSE_Key within a COSE_Encrypt and using the layer-0 header "content type" (3) with value "application/cose-key" (101). This would serve the minimal purpose but would rely on the COSE_Key to have all needed attributes, and right now there are no key common parameters to reflect things like starting and ending validity time. The next I looked at was using an encrypted CWT, which can contain a COSE_Key as a cnf (8) claim along with other attributes like validity time, which is structurally similar to what I'm interested in but the semantics are backwards. Rather than conveying private key material, the cnf claim is meant to prove pre-existing possession of private key material. So it seems like maybe the thing I'm looking for does not yet exist in an interoperable way. Any suggestions for what may already exist for this kind of thing? Brian S. [1] https://www.rfc-editor.org/rfc/rfc6032.html
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
