I read draft-lopez-opsawg-yang-provence-07 yesterday. I do not quite understand

I don't think you need canonicalization rules for CBOR. I think you should be citing RFC9254 (rather than RFC89439), which I think already has the rules.

I find the way that the provenance leaf can appear anywhere (section 4.1) to be questionable. Does YANG really allow this? I'm not sure I understand how the verifier knows what is being signed. I guess it's everything at that level, with the provenance leaf itself being empty.

I don't think OPSAWG is the right place for this work. I think it belongs in NETMOD, as this seems like YANG infrastructure, not a random model for some random protocol, which is more of an OPSAWG thing.

An IoTDIR/SECDIR review from a COSE expert is probably needed.

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
