I have also reviewed the draft and I also think the document is ready for COSE WG adoption.
Some comments:

- "for use in CBOR Object Signing and Encryption (COSE) messages"
  I assume it can also be used in COSE_MAC(0)

- The draft should make it clear that it registers CMAC as a MAC algorithm. CMAC is sometimes also used as a PRF/KDF.

- "The CMAC mode of operation is an alternative to AES-CBC-MAC which is approved by US NIST FIPS 140."
  I don't think we need CBC-MAC mentioned in the abstract

- "US NIST [SP800-38B]."
  I would suggest removing US. NIST is a globally recognized SDO.

- "FIPS 140"
  I would move FIPS 140 to security considerations. The main reason for doing this is that CBC-MAC is a bad algorithm, and CMAC is a good one.

- "Future allocations can define the use of AES-CMAC with shortened tag lengths."
  I think this should just be done now. 64-bit tags are perfect for most constrained IoT.

Cheers,
John Preuß Mattsson

From: Russ Housley <[email protected]>
Date: Friday, 20 March 2026 at 11:06
To: [email protected] <[email protected]>
Subject: [COSE] draft-sipos-cose-cmac

During the COSE session at IETF 125, I agreed to review this draft. In my view, the document is ready for COSE WG adoption. I also offer some suggested improvements below.

CONCERN:

In Section 1, the document says that there are "no extra parameters (_e.g._, key length or tag length)", but Section 2 says "The parameters associated with AES-CMAC are: key length and tag length." This feels like a contradiction. I think that it would be better to re-write Section 1 to say that key length and tag length are the only parameters.

Section 2, para 3 begins with "This document restricts the allocated code points...". I think it would be better to say that this document registers the two parameter sets as shown in Table 1. This allows some other document to add additional code points in the future if there is a need as stated in the last sentence of the paragraph. The word "restricts" is concerning to me.

NITS:

Section 1.1: The first sentence needs to be broken into multiple sentences or include at least one semi-colon.

Section 1.1: The second paragraph is not a "scope" statement. If you want to keep it, move it to Section 1.

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
