For what it's worth, we have a similar requirement in our implementation of SCITT, where the keys exposed by the service for the purpose of receipt verification are currently exposed as a COSE_KeySet.
We currently use application-specific, custom tstr values in the COSE_Key, as allowed by RFC 9052, to describe the sequence number range that a given key is applicable to. It would be useful to have an interoperable way to describe constraints on key usage though, such as time range, sequence number range etc., whether it is embedded in the key, or travels next to it in a COSE_KeySetForPurpose.

Amaury

________________________________
From: Carsten Bormann <[email protected]>
Sent: 23 February 2026 15:49
To: Sipos, Brian J. <[email protected]>
Cc: cose <[email protected]>
Subject: [EXTERNAL] [COSE] Re: Key restriction metadata

Hi Brian,

On 2026-02-23, at 16:13, Sipos, Brian J. <[email protected]> wrote:
>
> WG,
> I have a need to associate some key restriction metadata with a COSE Key
> value, specifically valid time restrictions equivalent to “not before” or
> “not after” times. One option is to keep this metadata outside of but
> alongside each COSE Key, another is to somehow embed these as key common
> parameters. Is this something that has come up in other contexts and there
> really is common use? Or are these kinds of restriction (the exact
> parameters) too use-case-specific?

One interesting question is whether the parameters apply to the key itself or are, e.g., authorization consequences that apply once the key has been used, say, in a proof-of-possession or signature operation.

Authorization consequences can change easily without the key or its parameters changing and are also typically highly application specific, so they probably should not be packaged within the key.

There are guard rails for the authorization consequences in Table 5 (key_ops); similar to RFCs 7517 these are not coupled to a registry (a mistake, I tend to think).

Grüße, Carsten

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
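Added example, not part of the original messages and not code from any SCITT implementation: a verifier-side sketch of the "restrictions embedded in the key" option discussed in this thread, applied to a COSE_KeySet that has already been CBOR-decoded into Python dicts. The four tstr label names, the sample keys, and the rule that exactly one key must qualify are assumptions made for illustration.

```python
# COSE_Key common parameter labels and key_ops value from RFC 9052.
KTY, KID, KEY_OPS = 1, 2, 4
OP_VERIFY = 2

# Hypothetical application-specific tstr labels (assumed names, not registered).
SEQ_MIN, SEQ_MAX = "example.seqno-min", "example.seqno-max"
NOT_BEFORE, NOT_AFTER = "example.not-before", "example.not-after"
INF = float("inf")


def key_allows(key, seqno, now):
    """Return (ok, reason) for verifying a receipt at `seqno` at time `now`."""
    if KEY_OPS in key and OP_VERIFY not in key[KEY_OPS]:
        return False, "key_ops excludes verify"
    if not key.get(SEQ_MIN, 0) <= seqno <= key.get(SEQ_MAX, INF):
        return False, "seqno out of range"
    if not key.get(NOT_BEFORE, 0) <= now <= key.get(NOT_AFTER, INF):
        return False, "outside validity time"
    return True, "ok"


def select_key(key_set, kid, seqno, now):
    """Return the one key with this kid whose restrictions admit the receipt.

    Zero or several candidates is treated as an error (assumed policy), so a
    verifier never silently falls back to a key outside its declared range.
    """
    usable = [k for k in key_set
              if k.get(KID) == kid and key_allows(k, seqno, now)[0]]
    if len(usable) != 1:
        raise LookupError(f"{len(usable)} usable keys for kid {kid!r}")
    return usable[0]


# Constructed sample key set; public key material omitted for brevity.
KEY_SET = [
    {KTY: 2, KID: b"k1", KEY_OPS: [OP_VERIFY], SEQ_MIN: 0, SEQ_MAX: 999},
    {KTY: 2, KID: b"k2", KEY_OPS: [OP_VERIFY], SEQ_MIN: 1000,
     NOT_BEFORE: 1767225600},
]
```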
