Minutes IETF119: cose: Tue 05:30
minutes-119-cose-202403190530-00
| Meeting Minutes | CBOR Object Signing and Encryption (cose) WG |
|---|---|
| Date and time | 2024-03-19 05:30 |
| Title | Minutes IETF119: cose: Tue 05:30 |
| State | Active |
| Last updated | 2024-03-26 |
COSE IETF 119
Connection details
- Date: Mar 19, 2024
- Meeting materials: https://datatracker.ietf.org/meeting/119/session/cose
- Meeting URL: https://meetings.conf.meetecho.com/ietf119/?session=32005
- Meeting recording meetecho: https://play.conf.meetecho.com/Playout/?session=IETF119-COSE-20240319-0530
- Meeting recording youtube: https://www.youtube.com/watch?v=N5cwXD3IXOA
Action Items
- [chairs] Run a call for adoption for draft-tschofenig-cose-cwt-chain
Minutes
- Jabber scribe:
- Minutes taken by: Hannes (HT), Ivo
Opening Remarks - The Chairs [15:30-15:40]
https://datatracker.ietf.org/doc/slides-119-cose-cose-chair-slides/
- CWT claims in header: in RFC Editor Queue
- Typ Header Parameters: Scheduled for IESG Telechat, April 4th
- COSE Key Thumbprint: in IETF LC
- TSA-TST-Header-Parameter: Reviews requested
draft-ietf-cose-hpke - Hannes Tschofenig [15:40-15:55]
https://datatracker.ietf.org/doc/slides-119-cose-cose-hpke/
HT is presenting the slides.
Explains the improvements in terminology.
p4 - Explains context setting and why that is important to prevent
attacks. We will get a look by a real cryptographer, who worked on a
~recently announced attack.
MO: There was a recently presented attack
Tirumaleswar Reddy.K: It should not affect this draft
OS: There is time to figure this out
HT: Maybe it's for the draft that will be presented after this.
HT: Hopes to have this stable by next IETF.
draft-ietf-cose-key-thumbprint - Hannes Tschofenig [15:55-16:00]
https://datatracker.ietf.org/doc/slides-119-cose-cose-key-thumbprint/
There has been some feedback; there will probably be more feedback to
come (please get your feedback in before April Fools' Day).
draft-tschofenig-cose-cwt-chain - Hannes Tschofenig [16:00-16:10]
https://datatracker.ietf.org/doc/slides-119-cose-cwt-chain/
Originally this was in a SUIT document (think of a CWT as being like a
certificate, but it was not possible to present a chain). It was
extracted from the SUIT document to allow using it outside of SUIT.
They didn't need the whole x509 terminology for what they needed.
Explains relation to RFC 9360.
CB: I see a pattern - can we find a more generic solution?
?: I would expect only one of the options (1-2 header parameter) to be
used at a time.
OS: There would be security implications if multiple header parameters
are present at the same time.
MJ: Anyone for and against doing a call for adoption on the list? (a few
people nod in support, no one reacts to speak against)
draft-demarco-cose-header-federation-trust-chain - John Bradley [16:10-16:15]
Talks about the federation meta-data trust chain.
Mike+Hannes pointing out that there is a possibility to collaborate on a
common document.
Orie suggests to talk to STIR for chaining.
Carsten: Do you need to know that it is an OIDC document?
John: Yes, if you want to do something more complex.
Hannes+John: Need to find out what level of application logic is needed
in the specification for parsing the trust chain.
draft-ietf-cose-dilithium and draft-ietf-cose-sphincs-plus - Mike Prorock [16:15-16:25]
https://datatracker.ietf.org/doc/slides-119-cose-pq-signatures/
Mike talked about the draft update.
Question for the group: At what point should we register the algorithms?
MikeJ: Pre-registrations could be done (for interop-testing)
MikeO: Don't register something in IANA prior to NIST completing the
work so that you do not have non-interoperable implementations
Carsten: In COSE we have several ways to use values that do not require
a final registration (e.g. private key range)
draft-ietf-cose-merkle-tree-proofs - Orie Steele [16:25-16:35]
https://datatracker.ietf.org/doc/slides-119-cose-cose-receipts/
Generic scheme for creating receipts for logs
Mike: Who can liaison with the SCITT group?
Orie: I can.
Support from the SCITT people in the receipt field.
draft-ietf-cose-cbor-encoded-cert - John Mattsson [16:35-16:45]
https://datatracker.ietf.org/doc/slides-119-cose-c509-certificates/
Would like to get the document to WGLC before the next meeting.
John starts his presentation.
Monty will review the document. Steve will also take a look.
MikeO: If we make a breaking verification, you better make the changes
now.
Carsten: How will those who have deployed the specification already be
dealing with the proposed change with the signature algorithm?
Mike: what is the reason for moving the field?
John: Performance improvement
Mike: Is there a pre-allocation of assigned numbers?
John: No.
Mike: If it is not final, it is not final.
It is up to you what you request.
Carsten: Change the number and mark the old number as reserved.
Goran: Could we ask this question to the group?
Poll by Mike: Should we change numbers?
Mike: Support for suggestion for Carsten.
Goran: Should we reserve the old number?
John: There is no suggestion to Carsten's suggestion.
draft-ietf-cose-bls-key-representations - Tobias Looker [16:45-16:50]
Orie: Don't do the compressed curve representation of the curve. It is
similar to the ECC compression. The compressed versions are not useful.
draft-reddy-cose-jose-pqc-kem - Tiru Reddy [16:50-16:55]
https://datatracker.ietf.org/doc/slides-119-cose-pq-kems-for-cose-and-jose/
Tiru: ML-KEM does not seem to have the same security properties as the
HPKE draft.
Orie: In the COSE registry there are lots of algorithms. Does the COSE
working group want these KEM constructions without the wrappers? Let's
not have a bunch of algorithms mostly doing the same thing.
MikeP.: A lot of feedback was already provided yesterday at JOSE.
AOB [16:55-17:00]
Vote on moving the alg? in c509 (outcome definite yes - 9? for, no
against).
Should we mark as reserved the old numbers (outcome probably yes - 4-5
yes, 4-5 I don't know).