As I noted above, there were changes from the IESG evaluation which needed to be published.
The current version in datatracker is -10 https://datatracker.ietf.org/doc/draft-ietf-cose-hash-envelope/ I believe the current -10 text and the markdown file are aligned, and should be the input to this stage. It appears that github releases for this draft broke some time ago... so getting the markdown from -09 is going to be hard... is it necessary? Regards, OS On Tue, Nov 18, 2025 at 1:23 PM Sarah Tarrant <[email protected]> wrote: > Hi Orie, > > Hmm... Neither of these match the files we have for -09, which we got from > datatracker. I've noted the differences below: > > A) There's an extra paragraph in Section 4 of the attached MD: > > Output from hash algorithms is generally small, and so the payload is > > typically expected to be inline. But it can also be detached, as in > > any other [RFC9052] message. > > > B) The code in Section 4.1 has one line that's a little different: > > Current: > > # As seen in manifest.spdx.json.sha256 > > > > Attached md: > > # SHA256 digest of manifest.spdx.json" > > > C) There's another difference in Section 4.1: > > Current: > > The payload of this COSE_Sign1 is the SHA256 hash of the > > manifest.spdx.json, which is typically found in an adjacent file > > (manifest.spdx.json.sha256). > > > > Attached md: > > The payload of this COSE_Sign1 is the SHA256 hash of the > > manifest.spdx.json. > > > D) Sections 5.1, 5.2, and 5.3 also have some different text. > > 5.1 Current: > > Note that when using a pre-hash > > algorithm, the algorithm SHOULD be registered in the IANA COSE > > Algorithms registry, and should be distinguishable from non-pre hash > > variants that may also be present. > > 5.1 Attached MD: > > Note that when using a pre-hash > > algorithm, the algorithm MUST be registered in the IANA COSE > > Algorithms registry (https://www.iana.org/assignments/cose/ > > cose.xhtml#algorithms), and MUST be distinguishable from non-pre hash > > variants that may also be present. > > > 5.2 Current: > > Only COSE_Sign/COSE_Sign1 and COSE_Mac/COSE_Mac0 are in scope for > > this document. COSE_Encrypt/COSE_Encrypt0 is out of the scope of > > this document. > > 5.2 Attached MD: > > Only COSE_Sign/COSE_Sign1 and COSE_Mac/COSE_Mac0 are in scope for > > this document. COSE_Encrypt/COSE_Encrypt0 is out of the scope of > > this document. At the time of publishing, there is no known use case > > for COSE_Encrypt/COSE_Encrypt0. It may be covered by a future > > extension, which would address whether the hash function is applied > > before or after encryption, and clarify privacy considerations. > > > 5.3 Current: > > Verifiers that not have access to the internet and obtain the > > preimage via other means will not be able to perform that check, nor > > to derive utility from it. > > 5.3 Attached MD: > > Verifiers that do not have access to the internet and obtain the > > preimage via other means will not be able to perform that check, nor > > to derive utility from it. > > > Is there another link or attachment that matches what is in datatracker? > > Sorry for being such a pain! > Sarah Tarrant > RFC Production Center > > > > On Nov 18, 2025, at 12:06 PM, Orie <[email protected]> wrote: > > > > Is this link ok > https://github.com/cose-wg/draft-ietf-cose-hash-envelope/blob/main/draft-ietf-cose-hash-envelope.md > ? > > > > I attached the markdown file just in case. > > > > On Tue, Nov 18, 2025 at 9:54 AM Sarah Tarrant < > [email protected]> wrote: > > Hi Orie, > > > > Thanks for the heads up! Could you send along the markdown file for > version -10? > > > > Sincerely, > > Sarah Tarrant > > RFC Production Center > > > > > On Nov 15, 2025, at 1:23 PM, Orie <[email protected]> wrote: > > > > > > Hi, > > > > > > I have published the new version: > > > > > > > https://author-tools.ietf.org/iddiff?url1=draft-ietf-cose-hash-envelope-09&url2=draft-ietf-cose-hash-envelope-10&difftype=--html > > > > > > Apologies for the delay. > > > > > > Regards, > > > > > > OS > > > > > > On Wed, Oct 29, 2025 at 9:44 AM Sarah Tarrant < > [email protected]> wrote: > > > Hi Orie, > > > > > > Thank you for your reply! > > > > > > Regarding: > > > > We need to publish a new version that includes recent changes, > unfortunately we can't do that so close to the plenary week. > > > > > > > > > While we await the new version, I'll record these inline answers and > move this draft from AUTH state to IESG state so that we can keep track of > the incoming new version. > > > > > > Sincerely, > > > Sarah Tarrant > > > RFC Production Center > > > > > > > On Oct 28, 2025, at 6:13 PM, Orie <[email protected]> wrote: > > > > > > > > Hi, > > > > > > > > We need to publish a new version that includes recent changes, > unfortunately we can't do that so close to the plenary week. > > > > > > > > Inline: > > > > > > > > On Tue, Oct 28, 2025 at 4:10 PM Sarah Tarrant < > [email protected]> wrote: > > > > Author(s), > > > > > > > > Congratulations, your document has been successfully added to the > RFC Editor queue! > > > > The team at the RFC Production Center (RPC) is looking forward to > working with you > > > > as your document moves forward toward publication. To help reduce > processing time > > > > and improve editing accuracy, please respond to the questions below. > Please confer > > > > with your coauthors (or authors of other documents if your document > is in a > > > > cluster) as necessary prior to taking action in order to streamline > communication. > > > > If your document has multiple authors, only one author needs to > reply to this > > > > message. > > > > > > > > As you read through the rest of this email: > > > > > > > > * If you need/want to make updates to your document, we encourage > you to make those > > > > changes and resubmit to the Datatracker. This allows for the easy > creation of diffs, > > > > which facilitates review by interested parties (e.g., authors, ADs, > doc shepherds). > > > > * If you feel no updates to the document are necessary, please reply > with any > > > > applicable rationale/comments. > > > > > > > > > > > > Please note that the RPC team will not work on your document until > we hear from you > > > > (that is, your document will remain in AUTH state until we receive a > reply). Even > > > > if you don't have guidance or don't feel that you need to make any > updates to the > > > > document, you need to let us know. After we hear from you, your > document will start > > > > moving through the queue. You will be able to review and approve our > updates > > > > during AUTH48. > > > > > > > > Please feel free to contact us with any questions you may have at > > > > [email protected]. > > > > > > > > Thank you! > > > > The RPC Team > > > > > > > > -- > > > > > > > > 1) As there may have been multiple updates made to the document > during Last Call, > > > > please review the current version of the document: > > > > > > > > * Is the text in the Abstract still accurate? > > > > > > > > Yes, although it is a bit wordy. > > > > * Are the Authors' Addresses, Contributors, and Acknowledgments > > > > sections current? > > > > > > > > Yes. > > > > > > > > > > > > 2) Please share any style information that could help us with > editing your > > > > document. For example: > > > > > > > > * Is your document's format or its terminology based on another > document? > > > > If so, please provide a pointer to that document (e.g., this > document's > > > > terminology should match DNS terminology in RFC 9499). > > > > > > > > We have CBOR Extended Diagnostic Notation examples and JSON > examples, here are the relevant RFCs & drafts: > > > > > > > > https://datatracker.ietf.org/doc/html/rfc7517 > > > > https://www.rfc-editor.org/rfc/rfc8610#appendix-G > > > > https://datatracker.ietf.org/doc/draft-ietf-cbor-edn-literals/ > > > > > > > > We also have CDDL in Section 4 based on > https://datatracker.ietf.org/doc/html/rfc8610 > > > > > > > > * Is there a pattern of capitalization or formatting of terms? > (e.g., field names > > > > should have initial capitalization; parameter names should be in > double quotes; > > > > <tt/> should be used for token names; etc.) > > > > > > > > > > > > We use `value` to highlight CBOR labels, and other example values in > the text. > > > > > > > > 3) Please review the entries in the References section carefully > with > > > > the following in mind. Note that we will update as follows unless we > > > > hear otherwise at this time: > > > > > > > > * References to obsoleted RFCs will be updated to point to the > current > > > > RFC on the topic in accordance with Section 4.8.6 of RFC 7322 > > > > (RFC Style Guide). > > > > > > > > * References to I-Ds that have been replaced by another I-D will be > > > > updated to point to the replacement I-D. > > > > > > > > * References to documents from other organizations that have been > > > > superseded will be updated to their superseding version. > > > > > > > > Note: To check for outdated RFC and I-D references, you can use > > > > idnits <https://author-tools.ietf.org/idnits>. You can also help the > > > > IETF Tools Team by testing idnits3 < > https://author-tools.ietf.org/idnits3/> > > > > with your document and reporting any issues to them. > > > > > > > > > > > > 4) Is there any text that should be handled extra cautiously? For > example, are > > > > there any sections that were contentious when the document was > drafted? > > > > > > > > > > > > We have restated the "detached payload" language originating from > https://datatracker.ietf.org/doc/html/rfc8152#section-2 > > > > https://datatracker.ietf.org/doc/html/rfc8152#section-4.1 > > > > > > > > I think we may have lost some opportunities for clarity in our > repetition. > > > > > > > > 5) Is there anything else that the RPC should be aware of while > editing this > > > > document? > > > > > > > > This document is really just new header parameters for cose sign 1 > payloads that are the output of a hash function. > > > > > > > > > > > > > > > > 6) This document uses one or more of the following text styles. > > > > Are these elements used consistently? > > > > > > > > * fixed width font (<tt/> or `) > > > > * italics (<em/> or *) > > > > * bold (<strong/> or **) > > > > > > > > > > > > We only use ` ... I suspect we might be better off using " for a few > values instead of `, and reserve ` for highlighting code points and not > examples. > > > > > > > > > > > > 7) This document contains sourcecode: > > > > > > > > * Does the sourcecode validate? > > > > > > > > Yes. > > > > * Some sourcecode types (e.g., YANG) require certain references > and/or text > > > > in the Security Considerations section. Is this information correct? > > > > * Is the sourcecode type indicated in the XML? (See information > about > > > > sourcecode types.) > > > > > > > > We did not manage the draft in xml, but the proper source code type > for CDDL is: <sourcecode type="cddl" ... > > > > > > > > > > > > 8) Would you like to participate in the RPC Pilot Test for editing > in kramdown-rfc? > > > > If so, please let us know and provide a self-contained kramdown-rfc > file. For more > > > > information about this experiment, see: > > > > > https://www.rfc-editor.org/rpc/wiki/doku.php?id=pilot_test_kramdown_rfc. > > > > > > > > Yes please! > > > > > > > > > On Oct 28, 2025, at 4:05 PM, [email protected] wrote: > > > > > > > > > > Author(s), > > > > > > > > > > Your document draft-ietf-cose-hash-envelope-09, which has been > approved for publication as > > > > > an RFC, has been added to the RFC Editor queue > > > > > <https://www.rfc-editor.org/current_queue.php>. > > > > > > > > > > If your XML file was submitted using the I-D submission tool > > > > > <https://datatracker.ietf.org/submit/>, we have already retrieved > it > > > > > and have started working on it. > > > > > > > > > > If you did not submit the file via the I-D submission tool, or > > > > > if you have an updated version (e.g., updated contact > information), > > > > > please send us the file at this time by attaching it > > > > > in your reply to this message and specifying any differences > > > > > between the approved I-D and the file that you are providing. > > > > > > > > > > You will receive a separate message from us asking for style > input. > > > > > Please respond to that message. When we have received your > response, > > > > > your document will then move through the queue. The first step > that > > > > > we take as your document moves through the queue is converting it > to > > > > > RFCXML (if it is not already in RFCXML) and applying the > formatting > > > > > steps listed at < > https://www.rfc-editor.org/pubprocess/how-we-update/>. > > > > > Next, we will edit for clarity and apply the style guide > > > > > (<https://www.rfc-editor.org/styleguide/>). > > > > > > > > > > You can check the status of your document at > > > > > <https://www.rfc-editor.org/current_queue.php>. > > > > > > > > > > You will receive automatic notifications as your document changes > > > > > queue state (for more information about these states, please see > > > > > <https://www.rfc-editor.org/about/queue/>). When we have > completed > > > > > our edits, we will move your document to AUTH48 state and ask you > > > > > to perform a final review of the document. > > > > > > > > > > Please let us know if you have any questions. > > > > > > > > > > Thank you. > > > > > > > > > > The RFC Editor Team > > > > > > > > > > > > <draft-ietf-cose-hash-envelope.md> > >
-- auth48archive mailing list -- [email protected] To unsubscribe send an email to [email protected]
