{ I found Jim's very interesting email very hard to read without good quoting; I'm repeating the important part }
henk> 2.) go to ACE and ask for an "unsigned token" option, or

Jim Schaad <i...@augustcellars.com> wrote:
jls> I don't have a problem with this, I am not sure that I see any
jls> reason for it however. See below.

henk> 3.) go to CBOR and ask for a tag for "naked" CWT Claim Sets (i.e.,
henk> that are not signed).

jls> I don't see any difference between this and option #2

jls> 4.) Just write your CWT code in a sensible manner.

jls> My CWT code base does not make any assumptions about the number or
jls> order of COSE security wrapping layers on a token. It thus looks
jls> like

jls> while (true) {
jls>   if input has a COSE_Encrypt tag { decrypt it; set input to the content; save the encryption information if needed e.g. shared key authentication; continue; }
jls>   if input has a COSE_MAC tag { validate it; set input to the content; save the MAC information if needed e.g. shared key authentication; continue; }
jls>   if input has a COSE_Signature tag { validate it; set input to the content; save the signer information; continue }
jls>   if input is a map - return input as the set of claims;
jls>   throw an exception because it is not the correct format.
jls> }

jls> This does not require a tag for a naked set of claims and would
jls> allow that set of claims to be passed in the same place as a CWT can
jls> be passed. What you are suggesting would require extra code to
jls> exist someplace that is going to check for an additional tag.

jls> IT IS
jls> ALSO GOING TO LEAD TO PEOPLE THINKING THAT THIS NEW TAG SHOULD BE
jls> LEGAL TO PLACE INSIDE OF A CWT. After all it makes more sense to
jls> always include it than to just sometimes include it.

Emphasis mine.
So your suggestion is to do nothing.
I also wondered why that wouldn't work, but I hadn't written enough code to
ask the question intelligently.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
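Added example, not from the thread and not Jim's code base: a runnable Python version of the unwrap loop quoted above, narrowed to one layer type (COSE_Mac0, CBOR tag 17, algorithm assumed to be HMAC-SHA256) with a minimal definite-length CBOR decoder. The `need_layer` and `max_layers` parameters, the key and the sample claims are assumptions of this example; because the loop accepts a naked claims map in the same place as a wrapped token, the caller has to decide whether zero verified layers is acceptable.

```python
import hashlib, hmac

def bstr(b):  # CBOR byte string, lengths below 256 only
    return (bytes([0x40 | len(b)]) if len(b) < 24 else bytes([0x58, len(b)])) + b

def dec(b, i=0):  # decode one definite-length CBOR item -> (item, next offset)
    mt, n, i = b[i] >> 5, b[i] & 31, i + 1
    if mt == 7 or n > 27:
        raise ValueError("unsupported CBOR item")
    if n >= 24:
        size = 1 << (n - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    if mt < 2:
        return (n if mt == 0 else -1 - n), i
    if mt < 4:
        return (b[i:i + n] if mt == 2 else b[i:i + n].decode()), i + n
    if mt == 6:  # tag -> (tag number, tagged item)
        v, i = dec(b, i)
        return (n, v), i
    items = []
    for _ in range(n * (mt - 3)):  # arrays hold n items, maps 2n
        v, i = dec(b, i)
        items.append(v)
    return (items if mt == 4 else dict(zip(items[::2], items[1::2]))), i

def mac0_tag(key, prot, payload):  # HMAC-SHA256 over ["MAC0", prot, b"", payload]
    msg = b"\x84\x64MAC0" + bstr(prot) + bstr(b"") + bstr(payload)
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_mac0(key, payload):  # constructed sample: tag 17, protected {1: 5}
    prot = b"\xa1\x01\x05"
    return b"\xd1\x84" + bstr(prot) + b"\xa0" + bstr(payload) + bstr(mac0_tag(key, prot, payload))

def unwrap(token, key, need_layer=True, max_layers=4):  # -> (claims, layers verified)
    item, layers = dec(token)[0], []
    while len(layers) <= max_layers:
        if isinstance(item, dict):
            if need_layer and not layers:  # naked claims set: nothing vouches for it
                raise PermissionError("claims set has no COSE layer")
            return item, layers
        if not isinstance(item, tuple) or item[0] != 17:
            raise ValueError("not a COSE_Mac0 layer or a claims map")
        prot, _, payload, tag = item[1]
        if not hmac.compare_digest(tag, mac0_tag(key, prot, payload)):
            raise ValueError("MAC check failed")
        layers.append("mac0")
        item = dec(payload)[0]
    raise ValueError("too many wrapping layers")

KEY, NAKED = b"constructed-demo-key", b"\xa1\x01\x6a" + b"as.example"  # {1: "as.example"}
```

The decoder here is deliberately small and does not reject truncated or trailing data, and malformed input can also surface as `TypeError` or `IndexError`; treat any exception as a rejected token and use a validating CBOR library in real code.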