On Thu, Jul 03, 2025 at 05:48:21PM +0000, Sipos, Brian J. wrote: > WG, > > I was looking for, and have failed to find, any requirement in the base COSE > specification [1] that if the protected header map is non-empty the > associated algorithm must support additional authenticated data (AAD). The > non-normative text and examples seem to support this but I don't see > anything normative around this. Am I just missing something? Or does this > seem like something that deserves a constraint? >
I guess this was what was intended — like intending to only have authenticated symmetric encryption so to not need algorithm binding — but it wasn't explicitly written anywhere. The section on AE certainly forbids protected headers. -Ilari _______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
