-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
COSE and CBOR tags #42
Comments
I don't think this addresses COSE encryption or MAC. I don't think this parallels CWT the way I requested. |
Oh I see! Yes. We do not cover encryption or MAC for CoSWID. That is correct. Encryption and (H)MAC are out-of-scope in alignment with the ISO text. |
It would probably be good to say "encryption and MAC are allowed, but not specified by this document". It would probably be better to not use the term "COSE envelope" as that is used in 9052 to refer to encryption and this shouldn't refer to COSE_*_Message because that clearly includes encryption and MAC. While it doesn't have CDDL, I think section 7.1 of RFC 8392 is exactly what is desirable here. Even allows for nesting of signing and encryption. But you probably want to get this done and don't want to make much of a change here. But, I do think a change is needed -- say encryption and MAC are allowed, remove mention of "envelope" and mention of COSE_*_Message. |
I think what we're after for CoSWID+COSE is almost exactly the same as CWT+UCCS. It's not exactly the same because UCCS uses a different tag number than CWT and CoSWID doesn't.
I think we want to allow all variants of COSE signing, encryption and MAC just like CWT does.
What is NOT allowed, like CWT disallows, are these:
Are we in agreement on this?
An implementor should be able to use the same COSE code that recursively removes COSE layers it identifies by the COSE tags to get to the final payload just like in CWT. Maybe even exactly the same COSE code.
I think section 7 and 8 get close to this, but are not exactly right. They don't allow for encryption or mac. I think the CWT description of this is solid and correct though it doesn't use CDDL and doesn't cover UCCS.
My thought for bringing CoSWID into EAT is to have a claim that is explicitly a CoSWID so #6.1398229316() is never used. If it is COSE is used then it is a COSE tag. If COSE is not used then it is a concise-swid-tag. It is naked.
The text was updated successfully, but these errors were encountered: