For more context, these keys are input as part of an online exchange between 
two entities. So the restriction represents the sending entity asserting that 
"this key will be usable for ECDH/KEM within this time range, don't bother 
trying to use it after it expires because I may not even retain it past that 
time." Looking at it from a different perspective, this could be represented as 
a limited CWT claims set (to only allow specific claims) alongside the COSE key 
which would separate the two concerns.

Brian S.

> -----Original Message-----
> From: Carsten Bormann <[email protected]>
> Sent: Monday, February 23, 2026 10:49 AM
> To: Sipos, Brian J. <[email protected]>
> Cc: cose <[email protected]>
> Subject: [EXT] Re: [COSE] Key restriction metadata
> 
> Hi Brian,
> 
> On 2026-02-23, at 16:13, Sipos, Brian J. <[email protected]> wrote:
> >
> > WG,
> > I have a need to associate some key restriction metadata with a COSE Key
> > value, specifically valid time restrictions equivalent to “not before” or “not
> > after” times. One option is to keep this metadata outside of but alongside
> > each COSE Key, another is to somehow embed these as key common
> > parameters. Is this something that has come up in other contexts and there
> > really is common use? Or are these kinds of restriction (the exact
> > parameters) too use-case-specific?
> 
> One interesting question is whether the parameters apply to the key itself or
> are, e.g., authorization consequences that apply once the key has been
> used, say, in a proof-of-possession or signature operation.  Authorization
> consequences can change easily without the key or its parameters changing
> and are also typically highly application specific, so they probably should
> not be packaged within the key.
> There are guard rails for the authorization consequences in Table 5
> (key_ops); similar to RFCs 7517 these are not coupled to a registry (a
> mistake, I tend to think).
> 
> Grüße, Carsten

Attachment: smime.p7s
Description: S/MIME cryptographic signature
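
The "limited CWT claims set alongside the COSE key" idea from the message above, sketched as a receiver-side check. This is an added example, not part of the thread or of any COSE specification; the `{"claims", "key"}` pairing and the function names are hypothetical, while the integer labels are the registered CWT claim keys (RFC 8392) and COSE_Key parameters (RFC 9052).

```python
# Decoded CBOR maps are modelled as Python dicts with integer labels.
CWT_EXP, CWT_NBF = 4, 5          # CWT claim keys from RFC 8392
COSE_KTY, COSE_KID = 1, 2        # COSE_Key common parameters from RFC 9052
ALLOWED_CLAIMS = {CWT_EXP, CWT_NBF}   # the "limited" set: anything else is refused

def check_bundle(bundle, now):
    """Return (usable, reason) for one hypothetical {"claims", "key"} pair."""
    claims = bundle.get("claims", {})
    extra = set(claims) - ALLOWED_CLAIMS
    if extra:
        return False, f"claims not allowed: {sorted(extra)}"
    for value in claims.values():
        # NumericDate must be a number; bool is an int subclass in Python.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, "non-numeric time claim"
    nbf, exp = claims.get(CWT_NBF), claims.get(CWT_EXP)
    if nbf is not None and exp is not None and nbf >= exp:
        return False, "empty validity window"
    if nbf is not None and now < nbf:
        return False, "not yet valid"
    if exp is not None and now >= exp:
        return False, "expired"
    return True, "ok"

def usable_kids(bundles, now):
    """Key ids of the bundles whose restriction admits use at time `now`."""
    return [b["key"].get(COSE_KID) for b in bundles if check_bundle(b, now)[0]]

# Constructed sample data (EC2 key coordinates omitted for brevity).
SAMPLE = [
    {"claims": {CWT_NBF: 1000, CWT_EXP: 2000}, "key": {COSE_KTY: 2, COSE_KID: b"a"}},
    {"claims": {CWT_EXP: 1500}, "key": {COSE_KTY: 2, COSE_KID: b"b"}},
    {"claims": {CWT_NBF: 1000, 1: "issuer"}, "key": {COSE_KTY: 2, COSE_KID: b"c"}},
    {"claims": {}, "key": {COSE_KTY: 2, COSE_KID: b"d"}},
]

if __name__ == "__main__":
    for t in (500, 1200, 1800, 2500):
        print(t, usable_kids(SAMPLE, t))
```

The key map itself is never modified, so the time restriction can be changed or dropped without touching the COSE_Key, which is the separation of concerns the message describes.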
