On 2025-04-28 08:15, Carsten Bormann wrote:
> On 28. Apr 2025, at 07:53, Anders Rundgren <[email protected]> wrote:
>> included in the signed data
> How do you know that?
> (How do you know the extent of the data being covered by the signature?)
Good question! In the current solution, this is defined by validation policies
set at the API level.
Since you MUST have a policy facility anyway [*], I (for now) consider it
redundant to also provide this information as part of the signature metadata.
The current solution offers two policy settings with respect to coverage:
map-only signature and tagged-map signature (as in the example I provided).
Regards,
Anders
[*] There are many other things that are variant as well (and subject to
policy), including:
- inline public keys or not
- key identifiers
- accepted algorithms
- additional data in signature containers
- keys to trust, certificates to validate
https://github.com/cyberphone/openkeystore/blob/05fa3a40186c10b27b0353e5d9a05f69f32aae70/library/src/org/webpki/cbor/CBORValidator.java#L111
> Regards, Carsten
_______________________________________________
COSE mailing list -- [email protected]