COSE definition for proof support

[quartzjer]

Similar to adapting JWP for JOSE by creating a new top-level type, COSE will also need the same treatment.

COSE currently has three major types for Sign, Encrypt, and Mac, each with their own variant for the common use cases of single signer/recipient of Sign1, Encrypt0, and Mac0.

Plan is to introduce a fourth major type of Proof and Proof1, who's definition is very similar to Sign/Sign1 but instead of a bstr payload it would be:

COSE_Proof1 = [
       Headers,
       payloads : [+ bstr / nil],
       proof : bstr
]

[quartzjer]

Proposing to add to draft, include note that it may become own spect.

[OR13]

I suggest we explicitly move COSE out of scope for the time being, and come back to it when with have figured out the JSON side better.

[cyberphone]

In case you find that you need to make considerable modifications to JWT, creating a CBOR package from scratch may be an option: https://test.webpki.org/csf-lab/home
CBOR deterministic serialization eliminates dressing headers, claims, etc. in Base64Url. In diagnostic notation:

{
  "Over 18": true,
  "US citizen": false,
  "SignatureValue": {
    1: -8,
    4: {
      1: 1,
      -1: 6,
      -2: h'fe49acf5b92b6e923594f2e83368f680ac924be93cf533aecaf802e37757f8c9'
    },
    6: h'3aa724ea90b0056d79c7e993f6f96ce16643d600e90ebf40b434461ac3aa6db6e6934ba61ed5d6cec51618b36b89c94f523d3851b9c9d7548f42fb582b257c0a'
  }
}

[dwaite]

Assigning to draft 4. We should create an up-to-date proposal and take it to the COSE WG.

[selfissued]

We are chartered to do the CBOR/COSE/CWT version of JWPs in this working group. I believe that spreading the work between working groups would only create unnecessary divergence in the representations.

[OR13]

If you want SPICE to look at it, we would be happy to help, but I feel it would make alignment more difficult.