On 2022-03-02 19:33, Laurence Lundblade wrote:
Makes sense to me. Helps out for the EAT claim named “profile” which gives information about the type of the token you might want before fully verifying it. Addresses an issue Anders brought up about the profile claim.
Not so fast :) I brought up a bunch of things which can be illustrated by this (just implemented...) example of an encryption object: 211(["https://example.com/myobject";, { / COSE content encryption algorithm = A256GCM / 1: 3, / Key encryption container / 2: { / COSE Key encryption algorithm = ECDH-ES+A256KW / 1: -31, / Key identifier / 3: "mykey", / Ephemeral key / 5: { / COSE Key type = OKP / 1: 1, / COSE Curve = X25519 / -1: 4, / COSE X coordinate / -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929' }, / Encrypted key / 10: h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba' }, / Tag / 8: h'59a84826983e3247fbec4295f75cc138', / IV / 9: h'fd8556c122cff2bc128d5119', / Encrypted data / 10: h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60' }]) The core of this builds on /Deterministic CBOR/ which unleashes the /true power/ of CBOR in a way legacy solutions do not. The enhancements include: * Eliminating wrapping of header and (unencrypted) application data. * Using the entire container (modulo the algorithm output variables which are added lastly) as input to a signature process and to the authentication part of an encryption process. In the example that includes the top-level CBOR tag as well. cryptoOperation(cborObject.encode()) is all that it takes on the encoder's side. This is pretty much what the X.509 folks have been doing from the very start so there is close to zero innovation here 😁<https://apps.timwhitlock.info/emoji/tables/unicode#emoji-modal> In the example I have also used a URL as profile/object type indicator since IANA CBOR custom tag 1537244 or whatever you end-up with, simply isn't pretty enough :) To be more serious: URLs are /decentralized/ and would in this context probably be /browseable/ as well. Cheers, Anders
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
