Michael Richardson wrote: "I think that this means that there is CBOR definite(?) array of bytes."
COSE_X509 and COSE_C509 are both defined as bstr / [ 2*bstr ], which means they are either a single CBOR byte string or a CBOR array of CBOR byte strings. While Section 9 of RFC 9052 requires that "Encoding MUST be done using definite lengths, and the length of the (encoded) argument MUST be the minimum possible length" and draft-ietf-cose-cbor-encoded-cert states that "When referring to CBOR, this specification always refers to Deterministically Encoded CBOR as specified in Sections 4.2.1 and 4.2.2 of [RFC8949]", I cannot find any text in RFC 9360 restricting CBOR to deterministic CBOR.

- I think you could read RFC 9360 as indefinite arrays and non-minimum length encodings are allowed.
- I think you could also see the lack of deterministic encoding requirements in RFC 9360 as an errata.

Cheers,
John

From: Michael Richardson <[email protected]>
Date: Friday, 3 October 2025 at 18:29
To: Thomas Fossati <[email protected]>
Cc: cose <[email protected]>
Subject: [COSE] Re: extending application/cose-x509

Thomas Fossati <[email protected]> wrote:
> We want to transport DICE [0] certificate chains in CMWs [1], and for
> that, we need a media type.

> Note that DICE certificate chains differ semantically from standard
> X.509 certificate chains in that they also represent attestation
> Evidence [2]. Therefore, using

> * application/pkcs7-mime; smime-type="certs-only"
> * application/cose-x509; usage=chain, and
> * application/pkix-pkipath

> would provide too coarse typing information, so we'd like to improve this.

> One way would be to extend the application/cose-x509 "usage" parameter
> to include the value "dice-chain", i.e., application/cose-x509;
> usage=dice-chain.

cose-x509.
I was thinking this is from cbor-encoded-cert, but it defines cose-c509-cert.
And that definition has usage=chain, so was this a typo?

NOPE. cose-x509 is RFC9360... and COSE_X509 is a CBOR sequence of bstr wrapped DER-encoded PKIX certificates.
I think that this means that there is CBOR definite(?) array of bytes.

So this becomes a dice-chain.
And after you do CoAP/Content-Format registration, you get an integer for the CBOR CMW, so any verbosity of the media type is a moot point.

> Would that be acceptable? If so, what steps need to be taken to
> register the new parameter value?

> Do we need a specification, and if so, what kind? Or is a request to
> the media-types list sufficient?

I understand that an email to [email protected] with the template is enough.
However, I find that one has to poke the reviewers.
I'm hoping IANA's new DE RT system will get help..

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
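
An added example, not part of the thread and not taken from any RFC or implementation: a strict reader for a COSE_X509 value (bstr / [ 2*bstr ]) that enforces the definite-length and minimum-length rules quoted above from RFC 9052 Section 9, i.e. the stricter of the two readings of RFC 9360 discussed in the reply. The function and exception names are assumptions, and the sample byte strings are constructed placeholders, not real DER certificates.

```python
class EncodingError(ValueError):
    """Raised when a COSE_X509 value is malformed or not strictly encoded."""

def read_head(buf, pos):
    """Return (major_type, argument, next_pos) for the CBOR head at pos."""
    if pos >= len(buf):
        raise EncodingError("truncated")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:                       # argument stored in the initial byte
        return major, info, pos
    if info == 31:
        raise EncodingError("indefinite length")
    if info > 27:
        raise EncodingError("reserved additional info")
    size = 1 << (info - 24)             # 1, 2, 4 or 8 argument bytes follow
    if pos + size > len(buf):
        raise EncodingError("truncated")
    arg = int.from_bytes(buf[pos:pos + size], "big")
    # Minimum-length rule: the argument must not fit in the next shorter form.
    if arg < (24 if size == 1 else 1 << (8 * (size // 2))):
        raise EncodingError("non-minimal length")
    return major, arg, pos + size

def read_bstr(buf, pos):
    """Return (content, next_pos) for a definite-length byte string at pos."""
    major, n, pos = read_head(buf, pos)
    if major != 2:
        raise EncodingError("expected bstr")
    if pos + n > len(buf):
        raise EncodingError("truncated")
    return buf[pos:pos + n], pos + n

def parse_cose_x509(buf):
    """Return the certificate byte strings carried in a COSE_X509 value."""
    major, count, pos = read_head(buf, 0)
    if major == 2:
        count, pos = 1, 0               # single bstr: re-read the same head
    elif major != 4 or count < 2:
        raise EncodingError("expected bstr or array of 2+ bstr")
    certs = []
    for _ in range(count):
        cert, pos = read_bstr(buf, pos)
        certs.append(cert)
    if pos != len(buf):
        raise EncodingError("trailing bytes")
    return certs

# Constructed samples (placeholder bytes, not real DER certificates).
SINGLE = bytes.fromhex("43aabbcc")                # bstr(3)
CHAIN = bytes.fromhex("8243aabbcc42ddee")         # [bstr(3), bstr(2)]
INDEFINITE = bytes.fromhex("9f43aabbcc42ddeeff")  # same chain, indefinite array
NON_MINIMAL = bytes.fromhex("5803aabbcc")         # bstr(3) with 1-byte length
```

A decoder that follows the looser reading of RFC 9360 would accept INDEFINITE and NON_MINIMAL as well, so two peers can disagree on the byte form of the same chain unless the profile pins the encoding.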
