Was looking over the -08 draft and comparing to JWS header parameters. I think the -08 draft would be much improved by explicitly saying how the end-entity cert is determined.
JWS is clear and explicit about this:

- x5t always refers to an end-entity
- In x5u the first cert is always the end-entity
- In x5c the first cert is always the end-entity

JWS uses the phrase "The certificate containing the public key corresponding to the key used to digitally sign" rather than "end-entity". I prefer end-entity, but either is fine.

By contrast, COSE X.509 only explicitly says how the end-entity is determined for an x5chain. Nothing is said for x5t, x5bag or x5u.

Seems to me that COSE X.509 should be made identical to JWS for x5t, x5chain and x5u. Then COSE has the add-on bonus of x5bag. x5bag never determines the end-entity since it is unordered. You have to have an x5t, kid or some other means of knowing which in the x5bag is the end-entity. And it is OK that x5bag doesn't even contain the end-entity.

LL

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose
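An added example (not from the post or the COSE draft) of a verifier applying the selection rules proposed above: x5chain yields its first element, x5bag is only usable together with an x5t thumbprint, and a bag that lacks the end-entity is tolerated. The header labels (32-35) and the SHA-256 algorithm identifier (-16) are assumed from the COSE registries, and the "certificates" are constructed opaque byte strings rather than real DER.

```python
import hashlib
from typing import Optional

# COSE header labels for the X.509 parameters (assumed registry values;
# the post itself does not quote the numbers).
X5BAG, X5CHAIN, X5T, X5U = 32, 33, 34, 35
# COSE algorithm identifier for SHA-256 (assumed registry value).
COSE_SHA256 = -16


def x5t_for(cert_der: bytes, alg: int = COSE_SHA256) -> list:
    """Build an x5t value, [hashAlg, hashValue], for a DER certificate."""
    if alg != COSE_SHA256:
        raise ValueError("only SHA-256 thumbprints are implemented here")
    return [alg, hashlib.sha256(cert_der).digest()]


def end_entity(hdr: dict) -> Optional[bytes]:
    """Select the end-entity certificate from a COSE header map.

    Rules as proposed in the post: x5chain -> first element (or the lone
    bstr form); x5bag -> the member whose thumbprint matches x5t; an
    x5bag with no x5t is an error because the bag is unordered; a bag
    that does not contain the end-entity is allowed (returns None);
    x5u alone returns None because the end-entity lives in the fetched
    resource, which this offline helper does not retrieve.
    """
    if X5CHAIN in hdr:
        chain = hdr[X5CHAIN]
        return chain if isinstance(chain, bytes) else chain[0]
    if X5BAG in hdr:
        if X5T not in hdr:
            raise ValueError("x5bag is unordered; x5t (or kid) is required")
        alg, digest = hdr[X5T]
        for cert in hdr[X5BAG]:
            # constant-time compare is not needed: thumbprints are public
            if x5t_for(cert, alg)[1] == digest:
                return cert
        return None  # legitimate: the bag need not hold the end-entity
    return None


# Constructed stand-in certificates: opaque bytes, not real DER.
EE, CA, OTHER = b"constructed-ee-cert", b"constructed-ca", b"constructed-other"
```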