Hi Ben and all, On 2022-02-18 05:59, Benjamin Kaduk wrote:
Hi all,The chairs and I are continuing to work through the AUTH48 process for the 8152bis drafts, and a couple topics have come up that would benefit from some broader input. The other question is in -algs; in https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-cose-rfc8152bis-algs%23section-8&data=04%7C01%7Cmarco.tiloca%40ri.se%7C634eeebfc73d4bda82d108d9f29b9b26%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637807572981435893%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=A1x%2BuzSMoO%2FwsjO%2BjpLGCj%2BCRhK2BRRLCdqLrKFTw88%3D&reserved=0 we start off with a rather awkward sentence "There are some situations that have been identified where identification of capabilities of an algorithm or a key type need to be specified." In particular (at least to me), the "identification ... needs to be specified" seems like the verb tenses don't even match up properly, or something of that nature, but I can't properly describe exactly what seems off. The current proposal from the RFC Editor is to dramatically replace this sentence with the bland "The capabilities of an algorithm or key type need to be specified in some situations". Does anyone object to that change?
==>MTOn -algs, I agree with the proposed simplification for the first sentence, and I have now also had a deeper look into the following sentence, i.e.:
"One example of this is in [I-D.ietf-core-oscore-groupcomm] where the capabilities of the counter signature algorithm are mixed into the traffic key derivation process."
Note that the COSE -algs document is referring to version -09 of -core-oscore-groupcomm. That version was indeed still using COSE capabilities, but not as part of a key derivation process. Rather, they were used to build the OSCORE external_aad to bind requests and responses, see [1].
After a few revisions, we removed the explicit use of COSE capabilities altogether from -core-oscore-groupcomm. In fact, it was agreed to rather have the external_aad including full-fledged authentication credentials, i.e., the public key together with metadata related to the signature algorithm. This is the case in the latest version -13, see [2].
Practically, it is probably better to remove the following two sentences from the COSE -algs document:
* In Section 8, the second sentence of the first paragraph, also quoted above, i.e., "One example of this ... key derivation process."
* In Section 8.3, the second sentence of the first paragraph, i.e., "This is the approach that is being used by the group communication KDF in [I-D.ietf-core-oscore-groupcomm]."
For what is worth, the COSE capabilities are used with a descriptive purpose in the ACE documents [3] and [4] about key provisioning for group communication. That is, the Key Distribution Center responsible for a group can leverage COSE capabilities to provide a description of how the group works, in terms of signature algorithm parameters and signature key parameters. I am not suggesting to add these examples to the COSE -algs document :-)
Best, /Marco[1] https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm-09#section-4.3.1
[2] https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm-13#section-4.3
[3] https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm[4] https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-oscore
<==
Thanks, Ben _______________________________________________ COSE mailing list [email protected] https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcose&data=04%7C01%7Cmarco.tiloca%40ri.se%7C634eeebfc73d4bda82d108d9f29b9b26%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637807572981435893%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=j%2FhYXB2SOOMyUp8wKYztlpuOLJXSYtuOOkFxSXPcMik%3D&reserved=0
-- Marco Tiloca Ph.D., Senior Researcher Division: Digital System Department: Computer Science Unit: Cybersecurity RISE Research Institutes of Sweden https://www.ri.se Phone: +46 (0)70 60 46 501 Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden)
OpenPGP_0xEE2664B40E58DA43.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
