Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR Object Signing and Encryption (COSE)
draft-ietf-cose-hash-sig-09
Note: This ballot was opened for revision 07 and is now closed.
Roman Danyliw Yes
Benjamin Kaduk (was Discuss) Yes
Comment (2019-12-04 for -08)
Thank you for addressing my Discuss and comment points!
Barry Leiba Yes
(Alexey Melnikov) Yes
Deborah Brungard No Objection
Alissa Cooper No Objection
Comment (2019-12-03 for -07)
Please respond to the Gen-ART review. I agree with the Gen-ART reviewer that the reference to the SUIT working group in Section 1.1 should be removed.
(Suresh Krishnan) No Objection
Warren Kumari No Objection
(Mirja Kühlewind) No Objection
Alvaro Retana No Objection
(Adam Roach) No Objection
Comment (2019-12-03 for -07)
Thanks for the work that went into creating this document. I have no comments on its contents (the crypto is somewhat outside my area of expertise), although I have a few observations regarding the examples. --------------------------------------------------------------------------- Appendix A: > This appendix provides a non-normative example of a COSE full message > signature and an example of a COSE_Sign1 message. This section > follows the formatting used in [RFC8152]. I would suggest that RFC 8610 might be a better reference here, as it is the document that actually defines the extended CBOR diagnostic format. In particular my recommendation is: "This section is formatted according to the extended CBOR diagnostic format defined by [RFC8610]." --------------------------------------------------------------------------- §A.1: > 98( > [ > / protected / h'a10300' / { > \ content type \ 3:0 > } / , > / unprotected / {}, > / payload / 'This is the content.', > / signatures / [ > [ > / protected / h'a101382d' / { > \ alg \ 1:-46 \ HSS-LMS \ > } / , > / unprotected / { > / kid / 4:'ItsBig' > }, > / signature / ... > ] > ] > ] > ) I think there are two things here that need to be addressed. First, section 3 of this document specifies: > o The 'kty' field MUST be present, and it MUST be 'HSS-LMS'. I can't find a 'kty' field in this example. Also, this example uses '-46' as the identifier for HSS-LMS, while section 6.1 specifies the value as "TBD." This example needs a clear note added for the RFC editor that the "-46" needs to be replaced by the IANA-assigned value. A similar annotation will be required for the 'kty' field, regarding the value assigned for section 6.2. --------------------------------------------------------------------------- §A.2: Same comments as A.1, above.