The document draft-ietf-rfc8152bis-algs is an update to CBOR Object Signing and Encryption (COSE) to address outstanding errata and make other clarifications and fixes. It is one of a set of two documents (this one for the algorithms, the other detailing the structure and process) that together obsolete RFC 8152.
This work is a product of the COSE Working Group. The document shepherd is Matthew Miller, and the responsible Area Director is Benjamin Kaduk.
# Differing Statuses
This -algs document is intended to be published as Informational, rather than as Internet Standard as its -struct counterpart is. This is intentional: cryptographic algorithms become obsolete over time, as improvements in computing and mathematics can realize vulnerabilities and deficiencies that were not possible when the algorithms were first published. Publishing as Informational marks the state of consensus at the time of publication and allows the flexibility to deprecate and obsolete algorithms in the future.
# Review and Consensus
This document received wide review from various implementers, including those whose implementations are used in real-world deployments. There were a number of editorial comments and some substantive commentary, with consensus to publish.
Additional care was taken during editing and review of this document and draft-ietf-cose-rfc8152bis-struct to ensure, as far as possible, that the various (internal) references made in the original RFC 8152 have proper (external) references. All errata from RFC 8152 that are relevant to the COSE algorithms have been addressed therein.
The Crypto Forum Research Group (CFRG) published algorithm documents as Informational; the normative references are expected and exist in the Downref Registry. The only exception is RFC 8439 (ChaCha20/Poly1305), which ought to be added to the Downref Registry.
The normatively referenced documents from NIST and SECG are the authoritative description for those algorithms; these "downrefs" are expected.
This document and draft-ietf-cose-rfc8152bis-algs are to be published in lockstep, and so references here to -struct (and references to this document in -struct) are expected to be updated as part of publication. The reference to draft-ietf-cose-hash-sig, which is already in the RFC Editor's queue, is also expected to be updated as part of publication.
# Intellectual Property
The author, to the best of his knowledge, is unaware of any applicable IPR. There are no substantive changes compared to RFC 8152, which also has no IPR notices submitted.