Robert Moskowitz <[email protected]> wrote:
> On 2/12/26 8:55 AM, Michael Richardson wrote:
>> Robert Moskowitz <[email protected]> wrote:
> >> subjectAltName (SAN) IPv4 (aircraft's 24-bit number prefixed with
>> ZERO)
>>
>> What's that? It does not sound like a v4-address... are just abusing
>> this SAN?
> Yes, I am hacking the 24-bit aircraft number (24AN) into IPv4 space by
> setting the first octet at ZERO. There is no good OID for this thing.
> "Common practice" for many airlines is to put it in CN= in subject.
I think this won't pass IESG.
SAN+otherName+OID you get from FAA or that you assign from your PEN, or from
an IETF arc. Maybe there is one which is shorter (in bytes) than other things.
> My hack is at least recognizable over all the different uses of CN= by
> aviation. Plus 24AN is assigned in blocks, of varying sizes, to each
> member state. The size was determined on usage patterns some years
> ago. Thus at the issuer level, IPv4Network could be used and for US it
> would be 0.160.0.0/12 (though probably subdivided for civil and gov
> spaces). Kyrgyzstan has 0.96.16.0/22; and probably does not subdivide
> their space.
uhm, sure, but both IPv4Network and CN= seem like horrible things to do in 2026.
If you weren't so byte-constrained, I'd say just go ask for another /64 from
2001:3x::/32..
>> I don't remember if C509 lets us define extensions in pure CDDL/CBOR.
>> I think not...
> Nope. If it is not in 5280, you have to get creative.
That seems a poor thing for Natively-signed(COSE)-C509.
Maybe TBSCertificate CDDL could be extended with "cbor_extensions"
Or maybe there are further tricks we can do with extensionID to create a
C509-only extension registry.
I still don't like the name "Natively signed", because whether people from
DER world will think of DER as "native"... CBOR/COSE is the "new" thing.
(And also, that word is less welcome in RFCs now)
I still think the bifurcation that it causes is not sufficiently explained in
cbor-encoded-cert.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
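
The 24AN-in-IPv4 mapping and the issuer-level block check discussed in this message, as an added example that is not code from either participant or from any draft. The function names and the sample aircraft number A1B2C3 are constructed for illustration; the two blocks are the ones quoted in the thread.

```python
import ipaddress

# Issuer-level blocks quoted in the thread (24AN blocks written as IPv4 networks).
US_BLOCK = ipaddress.ip_network("0.160.0.0/12")
KG_BLOCK = ipaddress.ip_network("0.96.16.0/22")


def an24_to_ipv4(an24_hex):
    """Map a 24-bit aircraft number (hex string) to 0.x.y.z."""
    value = int(an24_hex, 16)
    if not 0 <= value < 1 << 24:
        raise ValueError("aircraft number must fit in 24 bits")
    return ipaddress.IPv4Address(value)  # top octet is zero by construction


def ipv4_to_an24(addr):
    """Recover the 24AN; reject anything that is not in 0.0.0.0/8."""
    packed = ipaddress.IPv4Address(addr).packed
    if packed[0] != 0:
        raise ValueError("first octet must be ZERO for a 24AN")
    return packed[1:].hex().upper()


def san_general_name(addr):
    """DER GeneralName iPAddress: context tag [7], length 4, 4 address octets."""
    return bytes([0x87, 0x04]) + ipaddress.IPv4Address(addr).packed


def name_constraint_value(block):
    """RFC 5280 iPAddress name constraint: address octets followed by mask octets."""
    return block.network_address.packed + block.netmask.packed


def permitted(addr, block):
    """Relying-party check: is the leaf's SAN inside the issuer's block?"""
    return ipaddress.IPv4Address(addr) in block


if __name__ == "__main__":
    leaf = an24_to_ipv4("A1B2C3")  # constructed sample 24AN
    print(leaf, san_general_name(leaf).hex(), permitted(leaf, US_BLOCK))
    print(name_constraint_value(KG_BLOCK).hex())
```

The leaf SAN costs 6 bytes in DER and the issuer constraint value 8 bytes, which is the size argument behind the hack; the check in `ipv4_to_an24` is what keeps a real IPv4 address from being read as an aircraft number.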
