Hi Orie, Oh my, you're absolutely right. Apologies for my lunacy!
The MD for -09 is totally unnecessary as the new md and the version -10 match perfectly. I'll be moving this from IESG to EDIT state momentarily. Thank you, Sarah Tarrant RFC Production Center > On Nov 18, 2025, at 1:33 PM, Orie <[email protected]> wrote: > > As I noted above, there were changes from the IESG evaluation which needed to > be published. > > The current version in datatracker is -10 > https://datatracker.ietf.org/doc/draft-ietf-cose-hash-envelope/ > > I believe the current -10 text and the markdown file are aligned, and should > be the input to this stage. > > It appears that github releases for this draft broke some time ago... so > getting the markdown from -09 is going to be hard... is it necessary? > > Regards, > > OS > > > > On Tue, Nov 18, 2025 at 1:23 PM Sarah Tarrant <[email protected]> > wrote: > Hi Orie, > > Hmm... Neither of these match the files we have for -09, which we got from > datatracker. I've noted the differences below: > > A) There's an extra paragraph in Section 4 of the attached MD: > > Output from hash algorithms is generally small, and so the payload is > > typically expected to be inline. But it can also be detached, as in > > any other [RFC9052] message. > > > B) The code in Section 4.1 has one line that's a little different: > > Current: > > # As seen in manifest.spdx.json.sha256 > > > > Attached md: > > # SHA256 digest of manifest.spdx.json" > > > C) There's another difference in Section 4.1: > > Current: > > The payload of this COSE_Sign1 is the SHA256 hash of the > > manifest.spdx.json, which is typically found in an adjacent file > > (manifest.spdx.json.sha256). > > > > Attached md: > > The payload of this COSE_Sign1 is the SHA256 hash of the > > manifest.spdx.json. > > > D) Sections 5.1, 5.2, and 5.3 also have some different text. > > 5.1 Current: > > Note that when using a pre-hash > > algorithm, the algorithm SHOULD be registered in the IANA COSE > > Algorithms registry, and should be distinguishable from non-pre hash > > variants that may also be present. > > 5.1 Attached MD: > > Note that when using a pre-hash > > algorithm, the algorithm MUST be registered in the IANA COSE > > Algorithms registry (https://www.iana.org/assignments/cose/ > > cose.xhtml#algorithms), and MUST be distinguishable from non-pre hash > > variants that may also be present. > > > 5.2 Current: > > Only COSE_Sign/COSE_Sign1 and COSE_Mac/COSE_Mac0 are in scope for > > this document. COSE_Encrypt/COSE_Encrypt0 is out of the scope of > > this document. > > 5.2 Attached MD: > > Only COSE_Sign/COSE_Sign1 and COSE_Mac/COSE_Mac0 are in scope for > > this document. COSE_Encrypt/COSE_Encrypt0 is out of the scope of > > this document. At the time of publishing, there is no known use case > > for COSE_Encrypt/COSE_Encrypt0. It may be covered by a future > > extension, which would address whether the hash function is applied > > before or after encryption, and clarify privacy considerations. > > > 5.3 Current: > > Verifiers that not have access to the internet and obtain the > > preimage via other means will not be able to perform that check, nor > > to derive utility from it. > > 5.3 Attached MD: > > Verifiers that do not have access to the internet and obtain the > > preimage via other means will not be able to perform that check, nor > > to derive utility from it. > > > Is there another link or attachment that matches what is in datatracker? > > Sorry for being such a pain! > Sarah Tarrant > RFC Production Center > > > > On Nov 18, 2025, at 12:06 PM, Orie <[email protected]> wrote: > > > > Is this link ok > > https://github.com/cose-wg/draft-ietf-cose-hash-envelope/blob/main/draft-ietf-cose-hash-envelope.md > > ? > > > > I attached the markdown file just in case. > > > > On Tue, Nov 18, 2025 at 9:54 AM Sarah Tarrant > > <[email protected]> wrote: > > Hi Orie, > > > > Thanks for the heads up! Could you send along the markdown file for version > > -10? > > > > Sincerely, > > Sarah Tarrant > > RFC Production Center > > > > > On Nov 15, 2025, at 1:23 PM, Orie <[email protected]> wrote: > > > > > > Hi, > > > > > > I have published the new version: > > > > > > https://author-tools.ietf.org/iddiff?url1=draft-ietf-cose-hash-envelope-09&url2=draft-ietf-cose-hash-envelope-10&difftype=--html > > > > > > Apologies for the delay. > > > > > > Regards, > > > > > > OS > > > > > > On Wed, Oct 29, 2025 at 9:44 AM Sarah Tarrant > > > <[email protected]> wrote: > > > Hi Orie, > > > > > > Thank you for your reply! > > > > > > Regarding: > > > > We need to publish a new version that includes recent changes, > > > > unfortunately we can't do that so close to the plenary week. > > > > > > > > > While we await the new version, I'll record these inline answers and move > > > this draft from AUTH state to IESG state so that we can keep track of the > > > incoming new version. > > > > > > Sincerely, > > > Sarah Tarrant > > > RFC Production Center > > > > > > > On Oct 28, 2025, at 6:13 PM, Orie <[email protected]> wrote: > > > > > > > > Hi, > > > > > > > > We need to publish a new version that includes recent changes, > > > > unfortunately we can't do that so close to the plenary week. > > > > > > > > Inline: > > > > > > > > On Tue, Oct 28, 2025 at 4:10 PM Sarah Tarrant > > > > <[email protected]> wrote: > > > > Author(s), > > > > > > > > Congratulations, your document has been successfully added to the RFC > > > > Editor queue! > > > > The team at the RFC Production Center (RPC) is looking forward to > > > > working with you > > > > as your document moves forward toward publication. To help reduce > > > > processing time > > > > and improve editing accuracy, please respond to the questions below. > > > > Please confer > > > > with your coauthors (or authors of other documents if your document is > > > > in a > > > > cluster) as necessary prior to taking action in order to streamline > > > > communication. > > > > If your document has multiple authors, only one author needs to reply > > > > to this > > > > message. > > > > > > > > As you read through the rest of this email: > > > > > > > > * If you need/want to make updates to your document, we encourage you > > > > to make those > > > > changes and resubmit to the Datatracker. This allows for the easy > > > > creation of diffs, > > > > which facilitates review by interested parties (e.g., authors, ADs, doc > > > > shepherds). > > > > * If you feel no updates to the document are necessary, please reply > > > > with any > > > > applicable rationale/comments. > > > > > > > > > > > > Please note that the RPC team will not work on your document until we > > > > hear from you > > > > (that is, your document will remain in AUTH state until we receive a > > > > reply). Even > > > > if you don't have guidance or don't feel that you need to make any > > > > updates to the > > > > document, you need to let us know. After we hear from you, your > > > > document will start > > > > moving through the queue. You will be able to review and approve our > > > > updates > > > > during AUTH48. > > > > > > > > Please feel free to contact us with any questions you may have at > > > > [email protected]. > > > > > > > > Thank you! > > > > The RPC Team > > > > > > > > -- > > > > > > > > 1) As there may have been multiple updates made to the document during > > > > Last Call, > > > > please review the current version of the document: > > > > > > > > * Is the text in the Abstract still accurate? > > > > > > > > Yes, although it is a bit wordy. > > > > * Are the Authors' Addresses, Contributors, and Acknowledgments > > > > sections current? > > > > > > > > Yes. > > > > > > > > > > > > 2) Please share any style information that could help us with editing > > > > your > > > > document. For example: > > > > > > > > * Is your document's format or its terminology based on another > > > > document? > > > > If so, please provide a pointer to that document (e.g., this document's > > > > terminology should match DNS terminology in RFC 9499). > > > > > > > > We have CBOR Extended Diagnostic Notation examples and JSON examples, > > > > here are the relevant RFCs & drafts: > > > > > > > > https://datatracker.ietf.org/doc/html/rfc7517 > > > > https://www.rfc-editor.org/rfc/rfc8610#appendix-G > > > > https://datatracker.ietf.org/doc/draft-ietf-cbor-edn-literals/ > > > > > > > > We also have CDDL in Section 4 based on > > > > https://datatracker.ietf.org/doc/html/rfc8610 > > > > > > > > * Is there a pattern of capitalization or formatting of terms? (e.g., > > > > field names > > > > should have initial capitalization; parameter names should be in double > > > > quotes; > > > > <tt/> should be used for token names; etc.) > > > > > > > > > > > > We use `value` to highlight CBOR labels, and other example values in > > > > the text. > > > > > > > > 3) Please review the entries in the References section carefully with > > > > the following in mind. Note that we will update as follows unless we > > > > hear otherwise at this time: > > > > > > > > * References to obsoleted RFCs will be updated to point to the current > > > > RFC on the topic in accordance with Section 4.8.6 of RFC 7322 > > > > (RFC Style Guide). > > > > > > > > * References to I-Ds that have been replaced by another I-D will be > > > > updated to point to the replacement I-D. > > > > > > > > * References to documents from other organizations that have been > > > > superseded will be updated to their superseding version. > > > > > > > > Note: To check for outdated RFC and I-D references, you can use > > > > idnits <https://author-tools.ietf.org/idnits>. You can also help the > > > > IETF Tools Team by testing idnits3 > > > > <https://author-tools.ietf.org/idnits3/> > > > > with your document and reporting any issues to them. > > > > > > > > > > > > 4) Is there any text that should be handled extra cautiously? For > > > > example, are > > > > there any sections that were contentious when the document was drafted? > > > > > > > > > > > > We have restated the "detached payload" language originating from > > > > https://datatracker.ietf.org/doc/html/rfc8152#section-2 > > > > https://datatracker.ietf.org/doc/html/rfc8152#section-4.1 > > > > > > > > I think we may have lost some opportunities for clarity in our > > > > repetition. > > > > > > > > 5) Is there anything else that the RPC should be aware of while editing > > > > this > > > > document? > > > > > > > > This document is really just new header parameters for cose sign 1 > > > > payloads that are the output of a hash function. > > > > > > > > > > > > > > > > 6) This document uses one or more of the following text styles. > > > > Are these elements used consistently? > > > > > > > > * fixed width font (<tt/> or `) > > > > * italics (<em/> or *) > > > > * bold (<strong/> or **) > > > > > > > > > > > > We only use ` ... I suspect we might be better off using " for a few > > > > values instead of `, and reserve ` for highlighting code points and not > > > > examples. > > > > > > > > > > > > 7) This document contains sourcecode: > > > > > > > > * Does the sourcecode validate? > > > > > > > > Yes. > > > > * Some sourcecode types (e.g., YANG) require certain references and/or > > > > text > > > > in the Security Considerations section. Is this information correct? > > > > * Is the sourcecode type indicated in the XML? (See information about > > > > sourcecode types.) > > > > > > > > We did not manage the draft in xml, but the proper source code type for > > > > CDDL is: <sourcecode type="cddl" ... > > > > > > > > > > > > 8) Would you like to participate in the RPC Pilot Test for editing in > > > > kramdown-rfc? > > > > If so, please let us know and provide a self-contained kramdown-rfc > > > > file. For more > > > > information about this experiment, see: > > > > https://www.rfc-editor.org/rpc/wiki/doku.php?id=pilot_test_kramdown_rfc. > > > > > > > > Yes please! > > > > > > > > > On Oct 28, 2025, at 4:05 PM, [email protected] wrote: > > > > > > > > > > Author(s), > > > > > > > > > > Your document draft-ietf-cose-hash-envelope-09, which has been > > > > > approved for publication as > > > > > an RFC, has been added to the RFC Editor queue > > > > > <https://www.rfc-editor.org/current_queue.php>. > > > > > > > > > > If your XML file was submitted using the I-D submission tool > > > > > <https://datatracker.ietf.org/submit/>, we have already retrieved it > > > > > and have started working on it. > > > > > > > > > > If you did not submit the file via the I-D submission tool, or > > > > > if you have an updated version (e.g., updated contact information), > > > > > please send us the file at this time by attaching it > > > > > in your reply to this message and specifying any differences > > > > > between the approved I-D and the file that you are providing. > > > > > > > > > > You will receive a separate message from us asking for style input. > > > > > Please respond to that message. When we have received your response, > > > > > your document will then move through the queue. The first step that > > > > > we take as your document moves through the queue is converting it to > > > > > RFCXML (if it is not already in RFCXML) and applying the formatting > > > > > steps listed at > > > > > <https://www.rfc-editor.org/pubprocess/how-we-update/>. > > > > > Next, we will edit for clarity and apply the style guide > > > > > (<https://www.rfc-editor.org/styleguide/>). > > > > > > > > > > You can check the status of your document at > > > > > <https://www.rfc-editor.org/current_queue.php>. > > > > > > > > > > You will receive automatic notifications as your document changes > > > > > queue state (for more information about these states, please see > > > > > <https://www.rfc-editor.org/about/queue/>). When we have completed > > > > > our edits, we will move your document to AUTH48 state and ask you > > > > > to perform a final review of the document. > > > > > > > > > > Please let us know if you have any questions. > > > > > > > > > > Thank you. > > > > > > > > > > The RFC Editor Team > > > > > > > > > > > > <draft-ietf-cose-hash-envelope.md> > -- auth48archive mailing list -- [email protected] To unsubscribe send an email to [email protected]
