Benjamin Kaduk has entered the following ballot position for draft-ietf-cose-x509-08: Yes
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-cose-x509/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

(I posted a PR on github to fix a few editorial nits.)

There are some issues still in the open state at https://github.com/cose-wg/X509/issues
Some of them have been fully or essentially addressed and could probably be closed, but a couple seem to still be noteworthy:

https://github.com/cose-wg/X509/issues/30 and https://github.com/cose-wg/X509/issues/31 cover related issues, relating to the "trust relationship" between signer and host of URI (that we say needs to be authenticated), and whether there are similar considerations relating to other header parameters. The answer seems to be that "yes, there are sometimes such considerations", and it would be okay to document them if we have a concise explanation. That COSE mandates x5u appear in the protected headers is a divergence from JWS, but it would feel out of place to attempt to amend JWS in this document; the other header parameters can appear either in the protected or unprotected buckets, which allows for pretty much all use cases. JWS does have some text relating to header parameters that must be integrity protected "if the information that they convey is to be utilized in a trust decision", which is vague enough that it may not actually be helpful to replicate that terminology. (We did not seem to have immediate agreement on what it meant when this topic was discussed in the WG.)

There is perhaps just one remaining point in https://github.com/cose-wg/X509/issues/29; whether we should be more explicit that 'x5t' refers to the end-entity cert. I'd be okay with doing so, but it doesn't feel particularly critical.

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
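The two points the ballot touches on (x5u only in the protected bucket, and x5t identifying the end-entity certificate) can be enforced by a recipient before any trust decision is made. The following is an added example, not code from the ballot or the COSE working group; it assumes the registered COSE header labels x5t = 34 and x5u = 35 and the COSE hash algorithm id SHA-256 = -16, and it operates on already-decoded header maps rather than raw CBOR.

```python
# Added example: recipient-side placement and thumbprint checks for the COSE
# X.509 header parameters. Labels and the hash id are assumed from the COSE
# registries (x5t = 34, x5u = 35, SHA-256 = -16), not taken from the message.
import hashlib

X5T, X5U = 34, 35
COSE_SHA256 = -16
HASH_BY_ALG = {COSE_SHA256: hashlib.sha256}


def check_x509_headers(protected: dict, unprotected: dict, leaf_cert: bytes) -> list:
    """Return a list of problems; an empty list means the headers are acceptable.

    protected / unprotected: decoded COSE header maps (label -> value).
    leaf_cert: the DER end-entity certificate the recipient selected.
    """
    problems = []

    # x5u is only usable if it is integrity protected: anything in the
    # unprotected bucket can be rewritten in transit without breaking the
    # signature, so a URI there must not feed a trust decision.
    if X5U in unprotected:
        problems.append("x5u present in unprotected headers; must be protected")

    # x5t may sit in either bucket and identifies the end-entity certificate
    # as [hashAlg, hashValue]; the selected leaf must actually match it.
    for name, bucket in (("protected", protected), ("unprotected", unprotected)):
        if X5T not in bucket:
            continue
        value = bucket[X5T]
        if not (isinstance(value, (list, tuple)) and len(value) == 2):
            problems.append(f"x5t in {name} is not a [hashAlg, hashValue] pair")
            continue
        alg, digest = value
        hasher = HASH_BY_ALG.get(alg)
        if hasher is None:
            problems.append(f"x5t in {name} uses unsupported hash alg {alg}")
        elif hasher(leaf_cert).digest() != digest:
            problems.append(f"x5t in {name} does not match the end-entity cert")
    return problems


# Constructed sample input: a placeholder standing in for a DER certificate.
SAMPLE_LEAF = b"-- constructed placeholder DER end-entity cert --"


def sample_x5t() -> list:
    """Constructed x5t value that matches SAMPLE_LEAF under SHA-256."""
    return [COSE_SHA256, hashlib.sha256(SAMPLE_LEAF).digest()]
```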
