Agree here, the ‘kid’ field includes a hint as to which key to use to verify 
the COSE object.
If the hint is null, or an empty item, and the receiver isn’t able to use that 
as a hint, it can try to identify the key in some other way e.g. based on 
context.
If that’s not possible, then it will just fail the processing.

Specific applications of COSE may pose specific requirements on a ‘kid’ being 
present and what format it should have. In this case, absence of a proper ‘kid’ 
value may lead to an error straight away.

Esko


From: core <[email protected]> On Behalf Of Orie Steele
Sent: Tuesday, July 5, 2022 18:29
To: Michael Richardson <[email protected]>
Cc: [email protected]; cose <[email protected]>; [email protected]
Subject: Re: [core] [COSE] empty KID values

> Should I treat a null/empty kid as if there were no kid field at all,

IMO Yes.

> and then use some other heuristic to find the right verification key

Or just throw an error, if your use case requires `kid`... or would benefit 
from requiring it.

I'd avoid offering to do work to process data where the issuer didn't bother 
doing their job (which is to make your job easier).

Regards,

OS

On Mon, Jul 4, 2022 at 12:29 PM Michael Richardson <[email protected]> wrote:

RFC9254-to-be/yang-cbor says:
   Data nodes implemented using a CBOR array, map, byte string, or text
   string can be instantiated but empty. In this case, they are encoded with
   a length of zero.

When encoding/dealing with the COSE Sign0 in
draft-ietf-anima-constrained-voucher, we have some puzzling about what to do
with:

        kid: null
or:     kid: ""
or:     kid: h''

so, two remarks.  First, the kid: field is in the Sign0 structure, not
actually in the YANG-CBOR, so arguably the above comment does *NOT* apply!

My puzzling is about kid.  Should I treat a null/empty kid as if there were
no kid field at all, and then use some other heuristic to find the right
verification key, or should I treat it as a null entry, which must match
a null/""/h'' entry in a database for the key.
Normally, it might be a hash of a public key, so seeing h'xx..xx' would be
reasonable.

I'm curious what COSE people say.
KID is annoyingly use case specific :-(

--
Michael Richardson <[email protected]>   .
o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide




_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
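The key-resolution rule the thread converges on (a present, non-empty `kid` selects the key; null, `""`, `h''` and an absent label are all treated as "no kid", after which the receiver either falls back on context or, if its profile requires a `kid`, fails right away) as a worked example. This is added code, not from any of the messages above or from the constrained-voucher draft. It assumes the COSE header maps have already been CBOR-decoded into Python dicts (label 4 is `kid` per RFC 9052), that candidate keys live in an in-memory store indexed by the raw `kid` bytes, and that the caller may supply a hypothetical `context_lookup` callback for the "identify the key some other way" path. The store, key values and `context_lookup` are constructed for the demo.

```python
"""Resolve a COSE Sign1 verification key from the 'kid' header parameter.

Added example (not code from the thread or the draft). Assumes protected and
unprotected headers are already CBOR-decoded into dicts; the key store and the
context fallback are constructed stand-ins for whatever the application uses.
"""
from typing import Any, Callable, Mapping, Optional

KID_LABEL = 4  # COSE common header parameter 'kid' (RFC 9052, bstr)


class KidRequiredError(ValueError):
    """The application profile mandates a usable 'kid' and none was present."""


def _normalize_kid(value: Any) -> Optional[bytes]:
    """Collapse every 'empty' spelling seen in the thread to None.

    absent -> None, null -> None, "" -> None, h'' -> None.
    RFC 9052 types 'kid' as bstr; a text string is tolerated here only so the
    "" spelling from the thread can be demonstrated, and is re-encoded to bytes.
    """
    if value is None:
        return None
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError(f"kid must be bstr, got {type(value).__name__}")
    return bytes(value) or None  # b'' becomes None


def extract_kid(protected: Mapping[Any, Any], unprotected: Mapping[Any, Any]) -> Optional[bytes]:
    """Return the effective kid, preferring the protected bucket when both carry label 4."""
    if KID_LABEL in protected:
        return _normalize_kid(protected[KID_LABEL])
    return _normalize_kid(unprotected.get(KID_LABEL))


def resolve_verification_key(
    protected: Mapping[Any, Any],
    unprotected: Mapping[Any, Any],
    key_store: Mapping[bytes, Any],
    *,
    require_kid: bool = False,
    context_lookup: Optional[Callable[[], Any]] = None,
) -> Any:
    """Pick the verification key, applying the thread's decision rule.

    1. Non-empty kid: it must resolve in the store, otherwise verification fails.
    2. No usable kid and the profile requires one: fail straight away.
    3. No usable kid otherwise: ask the contextual fallback; fail if it has nothing.
    An empty kid never matches a store entry keyed by b'' (it is 'absent', not a value).
    """
    kid = extract_kid(protected, unprotected)
    if kid is not None:
        key = key_store.get(kid)
        if key is None:
            raise LookupError(f"no verification key for kid {kid.hex()}")
        return key
    if require_kid:
        raise KidRequiredError("'kid' absent or empty but required by this profile")
    if context_lookup is not None:
        key = context_lookup()
        if key is not None:
            return key
    raise LookupError("no 'kid' and no contextual key; cannot verify")


if __name__ == "__main__":
    # Constructed demo data: one key addressed by a short hash-like kid.
    store = {bytes.fromhex("a1b2"): "public-key-A"}
    print(resolve_verification_key({KID_LABEL: bytes.fromhex("a1b2")}, {}, store))
    print(resolve_verification_key({KID_LABEL: b""}, {}, store,
                                   context_lookup=lambda: "key-from-context"))
    try:
        resolve_verification_key({KID_LABEL: None}, {}, store, require_kid=True)
    except KidRequiredError as exc:
        print("strict profile:", exc)
```

The `require_kid` switch is the per-application knob Esko and Orie describe: a profile that mandates `kid` fails at step 2 and never spends effort on context-based guessing, while a lenient receiver treats null, `""` and `h''` identically to an absent label.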
