Cross posting what I came up with for the SCITT scenario we are trying to model:

https://mailarchive.ietf.org/arch/msg/scitt/P3tuZXFqCQhy6PTMcamGPNv5L28/

Critical feedback is very much welcome.

I opted to use the reserved for private use space of COSE Key labels for x5c and x5t.

Regards,

OS

On Wed, Oct 25, 2023 at 2:12 PM Orie Steele <[email protected]> wrote:

> I am looking for a matching entry in COSE Key, similar to:
>
> https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
>
> I'm also not exactly sure what the verifier API should look like for COSE
> Sign1's that contain x5c in protected headers.
>
> Normally it would be:
>
> verified = verify(message, signature, publicKey)
>
> But when x5c is present in the protected header, we expect the last cert
> to verify the signature always (right?):
>
> https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.6
>
> So what reference value should be supplied to such a verifier API?
>
> Some background in case it's helpful: I'm trying to implement an identity
> based verification scheme for SCITT, where the issuer can use a regular
> COSE Key or a certificate chain terminating in some trusted reference value.
>
> I can imagine supplying a list of certificate thumbprints that are
> trusted, and checking that each cert in the chain matches the thumbprint
> list.
>
> Or just supplying a list of root thumbprints, and only checking that the
> root is in the list...
>
> verified = verify(message, signature, trustedRootThumbprints)
>
> I'm not very familiar with building x509 related APIs, or working with
> both x509 and COSE.
>
> Thanks for your reply!
>
> OS
>
> On Wed, Oct 25, 2023 at 1:54 PM Emil Lundberg <[email protected]> wrote:
>
>> There is the COSE header parameter 33, "x5chain: An ordered chain of
>> X.509 certificates". Is that what you're looking for?
>>
>> Emil Lundberg
>> Senior Software Engineer | Yubico <http://www.yubico.com/>
>>
>> On Wed, Oct 25, 2023 at 7:52 PM Orie Steele <[email protected]> wrote:
>>
>>> I was expecting to see it here:
>>> https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters
>>>
>>> Which label do I use to convert a JWK with x5c to a COSE Key?
>>>
>>> If there is no answer, what do I do until there is one?
>>>
>>> Pick an arbitrary label from "Reserved for Private Use"?
>>>
>>> Regards,
>>>
>>> OS

-- 
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
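
Below is an added example, not code from this thread or from any participant's project, sketching the verifier API the first quoted message asks about: a COSE_Sign1 verifier whose reference value is a list of trusted root thumbprints instead of a public key. It follows RFC 9360 (COSE header 33, x5chain; header 34, x5t), which, like RFC 7515 section 4.1.6, puts the certificate holding the signing key first in the chain and the root last: the signature is checked against certs[0], and the last certificate is what gets compared with the trusted thumbprints before ordinary X.509 path validation. Assumptions that are mine and not the thread's: Go with only the standard library, ES256, hex SHA-256 over the DER encoding as the thumbprint form, a hand-rolled minimal CBOR encoder for the protected header and Sig_structure, a constructed two-certificate chain as the fixture, and that the protected header has already been CBOR-decoded so the verifier receives the raw header bytes plus the chain. On the COSE Key side, RFC 9052 reserves labels below -65536 for private use, which is the space the top message says it used for x5c and x5t.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// Just enough CBOR (head byte(s) plus byte strings) to build the COSE structures used below.
func cborHead(major byte, n uint64) []byte {
	if n < 24 {
		return []byte{major<<5 | byte(n)}
	} else if n < 256 {
		return []byte{major<<5 | 24, byte(n)}
	}
	return []byte{major<<5 | 25, byte(n >> 8), byte(n)} // DER certificates fit in 16 bits here
}
func cborBstr(b []byte) []byte { return append(cborHead(2, uint64(len(b))), b...) }

// ProtectedHeader serializes the map {1: -7, 33: x5chain}: alg ES256 plus RFC 9360's x5chain label.
func ProtectedHeader(x5chain [][]byte) []byte {
	out := append(cborHead(5, 2), 0x01, 0x26, 0x18, 0x21)  // map(2), key 1 -> -7, then key 33
	out = append(out, cborHead(4, uint64(len(x5chain)))...) // array of DER byte strings
	for _, der := range x5chain {
		out = append(out, cborBstr(der)...)
	}
	return out
}

// SigStructure is the COSE_Sign1 to-be-signed value (RFC 9052 section 4.4) with empty external_aad.
func SigStructure(protected, payload []byte) []byte {
	out := append(cborHead(4, 4), cborHead(3, 10)...)
	out = append(append(out, "Signature1"...), cborBstr(protected)...)
	return append(append(out, cborBstr(nil)...), cborBstr(payload)...)
}

// Thumbprint (hex SHA-256 over the DER) is the form in which this verifier is given its trusted roots.
func Thumbprint(der []byte) string { h := sha256.Sum256(der); return hex.EncodeToString(h[:]) }

// Sign1 is an already-decoded COSE_Sign1 whose protected header carried x5chain (assumption:
// a real CBOR library decoded the header before this point; the raw bytes are kept for signing).
type Sign1 struct {
	Protected []byte   // raw protected header bytes, reused verbatim in Sig_structure
	X5Chain   [][]byte // DER certs from header 33: end-entity first, root last (RFC 9360)
	Payload   []byte
	Signature []byte // ES256: r || s, 32 bytes each
}

// Verify takes trusted root thumbprints as its reference value instead of a public key: the chain
// must end in one of them, path-validate, and the FIRST certificate's key must verify the signature.
func Verify(m Sign1, trustedRootThumbprints []string) error {
	if len(m.X5Chain) == 0 || len(m.Signature) != 64 { return errors.New("missing x5chain or malformed ES256 signature") }
	certs := make([]*x509.Certificate, len(m.X5Chain))
	for i, der := range m.X5Chain {
		c, err := x509.ParseCertificate(der)
		if err != nil { return err }
		certs[i] = c
	}
	// 1. Reference value: the LAST certificate must be one of the configured trusted roots.
	root, trusted := certs[len(certs)-1], false
	for _, t := range trustedRootThumbprints { trusted = trusted || t == Thumbprint(root.Raw) }
	if !trusted { return errors.New("chain does not terminate in a trusted root") }
	// 2. Path validation from the end-entity certificate up to that root (validity, CA bits, signatures).
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	for _, c := range certs[1:] { opts.Intermediates.AddCert(c) } // root also in Intermediates: harmless
	if _, err := certs[0].Verify(opts); err != nil { return err }
	// 3. Only the end-entity key (certs[0]) may verify ES256 over Sig_structure; no caller-supplied key.
	pub, ok := certs[0].PublicKey.(*ecdsa.PublicKey)
	if !ok { return errors.New("end-entity key is not ECDSA") }
	h := sha256.Sum256(SigStructure(m.Protected, m.Payload))
	r, s := new(big.Int).SetBytes(m.Signature[:32]), new(big.Int).SetBytes(m.Signature[32:])
	if !ecdsa.Verify(pub, h[:], r, s) { return errors.New("signature does not verify under the end-entity key") }
	return nil
}

// MakeSignedMessage builds a constructed root -> issuer chain and signs a sample payload with the
// issuer key (fixture code: key and certificate generation errors are ignored for brevity).
func MakeSignedMessage() (Sign1, string) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	rootCert, _ := x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Issuer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	chain := [][]byte{leafDER, rootDER}
	m := Sign1{Protected: ProtectedHeader(chain), X5Chain: chain, Payload: []byte("constructed SCITT statement")}
	h := sha256.Sum256(SigStructure(m.Protected, m.Payload))
	r, s, _ := ecdsa.Sign(rand.Reader, leafKey, h[:])
	m.Signature = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return m, Thumbprint(rootDER)
}
```

The same message fails Verify when the thumbprint list does not contain the root, when the payload is altered, and when the chain is reversed (the root then sits in position 0 and the issuer certificate, not in the trusted list, in the last position), which is what makes a list of root thumbprints, rather than a single key, a workable reference value for this API. A production verifier would additionally check the decoded alg against what the key supports, and would usually consult a trust store of root certificates rather than require the root to travel inside x5chain.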
