Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

COSE and CBOR tags #42

Closed
laurencelundblade opened this issue Mar 4, 2021 · 4 comments
Closed

COSE and CBOR tags #42

laurencelundblade opened this issue Mar 4, 2021 · 4 comments

Comments

@laurencelundblade
Copy link

I think what we're after for CoSWID+COSE is almost exactly the same as CWT+UCCS. It's not exactly the same because UCCS uses a different tag number than CWT and CoSWID doesn't.

I think we want to allow all variants of COSE signing, encryption and MAC just like CWT does.

concise-swid-tag — Naked, no COSE, not CBOR tag, like a UCCS

#6.1398229316(concise-swid-tag) - Just a CoSWID tag, no COSE, like a CWT with no COSE

#6.1398229316(#6.18(COSE-Sign1<concise-swid-tag>)) A CoSWID tag with signing

#6.1398229316(#6.17(COSE-Mac01<concise-swid-tag>))

#6.1398229316(#6.18(COSE-Sign1(#6.96(cose_encrypt<concise-swid-tag>)))

…plus lots more combos of signing, encrypting and mac’ing 

#6.18(COSE-Sign1<concise-swid-tag>) Signing not a CoSWID CBOR tag

#6.17(COSE-Mac01<concise-swid-tag>) Mac, not a CoSWID CBOR tag

#6.18(COSE-Sign1(#6.96(cose_encrypt<concise-swid-tag>)) Signed and encrypted not a CoSWID CBOR tag

…plus the same combos of signing, encrypting and mac'ing

What is NOT allowed, like CWT disallows, are these:

#6.1398229316(COSE-Sign1<concise-swid-tag>)

#6.1398229316(COSE-Mac01<concise-swid-tag>)

#6.1398229316(COSE-Sign1<cose_encrypt<concise-swid-tag>>)

Are we in agreement on this?

An implementor should be able to use the same COSE code that recursively removes COSE layers it identifies by the COSE tags to get to the final payload just like in CWT. Maybe even exactly the same COSE code.

I think section 7 and 8 get close to this, but are not exactly right. They don't allow for encryption or mac. I think the CWT description of this is solid and correct though it doesn't use CDDL and doesn't cover UCCS.

My thought for bringing CoSWID into EAT is to have a claim that is explicitly a CoSWID so #6.1398229316() is never used. If it is COSE is used then it is a COSE tag. If COSE is not used then it is a concise-swid-tag. It is naked.
@henkbirkholz
Copy link
Member

Addressed in https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-22.html#name-cbor-tagged-coswid-tags

@laurencelundblade
Copy link
Author

I don't think this addresses COSE encryption or MAC. I don't think this parallels CWT the way I requested.

@henkbirkholz
Copy link
Member

Oh I see! Yes. We do not cover encryption or MAC for CoSWID. That is correct.

Encryption and (H)MAC are out-of-scope in alignment with the ISO text.

@laurencelundblade
Copy link
Author

It would probably be good to say "encryption and MAC are allowed, but not specified by this document".

It would probably be better to not use the term "COSE envelope" as that is used in 9052 to refer to encryption and this shouldn't refer to COSE_*_Message because that clearly includes encryption and MAC.

While it doesn't have CDDL, I think section 7.1 of RFC 8392 is exactly what is desirable here. Even allows for nesting of signing and encryption. But you probably want to get this done and don't want to make much of a change here.

But, I do think a change is needed -- say encryption and MAC are allowed, remove mention of "envelope" and mention of COSE_*_Message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@laurencelundblade @henkbirkholz