Yes, the only issue of yours that addresses is the ability to access the profile claim before decoding, decrypting and verifying the COSE payload.
LL > On Mar 2, 2022, at 11:38 PM, Anders Rundgren <[email protected]> > wrote: > > On 2022-03-02 19:33, Laurence Lundblade wrote: >> Makes sense to me. Helps out for the EAT claim named “profile” which gives >> information about the type of the token you might want before fully >> verifying it. Addresses an issue Anders brought up about the profile claim. > > Not so fast :) I brought up a bunch of things which can be illustrated by > this (just implemented...) example of an encryption object: > > 211(["https://example.com/myobject"; <https://example.com/myobject>, { > / COSE content encryption algorithm = A256GCM / > 1: 3, > / Key encryption container / > 2: { > / COSE Key encryption algorithm = ECDH-ES+A256KW / > 1: -31, > / Key identifier / > 3: "mykey", > / Ephemeral key / > 5: { > / COSE Key type = OKP / > 1: 1, > / COSE Curve = X25519 / > -1: 4, > / COSE X coordinate / > -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929' > }, > / Encrypted key / > 10: > h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba' > }, > / Tag / > 8: h'59a84826983e3247fbec4295f75cc138', > / IV / > 9: h'fd8556c122cff2bc128d5119', > / Encrypted data / > 10: > h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60' > }]) > > The core of this builds on Deterministic CBOR which unleashes the true power > of CBOR in a way legacy solutions do not. The enhancements include: > Eliminating wrapping of header and (unencrypted) application data. > Using the entire container (modulo the algorithm output variables which are > added lastly) as input to a signature process and to the authentication part > of an encryption process. In the example that includes the top-level CBOR > tag as well. cryptoOperation(cborObject.encode()) is all that it takes on > the encoder's side. > This is pretty much what the X.509 folks have been doing from the very start > so there is close to zero innovation here 😁 > <https://apps.timwhitlock.info/emoji/tables/unicode#emoji-modal> > > In the example I have also used a URL as profile/object type indicator since > IANA CBOR custom tag 1537244 or whatever you end-up with, simply isn't pretty > enough :) To be more serious: URLs are decentralized and would in this > context probably be browseable as well. > > Cheers, > Anders >
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
