Last Call Review of draft-ietf-cose-msg-18

Request Review of draft-ietf-cose-msg
Requested rev. no specific revision (document currently at 24)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-09-27
Requested 2016-09-15
Authors Jim Schaad
Draft last updated 2016-09-22
Completed reviews Genart Last Call review of -18 by Meral Shirazipour (diff)
Secdir Last Call review of -18 by Stephen Kent (diff)
Assignment Reviewer Stephen Kent
State Completed
Review review-ietf-cose-msg-18-secdir-lc-kent-2016-09-22
Reviewed rev. 18 (document currently at 24)
Review result Has Issues
Review completed: 2016-09-22


          review of draft-ietf-cose-msg-18


          have reviewed this document as part of the
          security directorate's ongoing effort to review all IETF
          documents being
          processed by the IESG.


          were written with the intent of improving security
          requirements and
          considerations in IETF drafts.


          not addressed in last call may be included in AD reviews
          during the IESG


          editors and WG chairs
          should treat these comments just like any other last call


          document defines formats
          for signing and/or encryption of data encoded using CBOR
          (RFC7049). The
          signing/encryption approach adopted here is based on the
          standards developed in
          JOSE (RFCs 7515-18), since CBOR is based on JSON. 


This is a
          large document:
          about 90 pages plus almost 30 pages of appendices (providing
          useful examples). 


          to half of the (non-appendix portion)
          document is devoted to specifications for a set of algorithms
          for encryption,
          signatures, message authentication, and key distribution. Only
          when the reader
          reaches page 73 is it made clear that the algorithm
          descriptions are not MTI;
          they define a set from which application developers must (?)
          choose when
          creating a profile for COSE use in a specific application
          context. Given the
          long-standing IETF policy to trying to facilitate algorithm


I think it
          preferable to
          extract these descriptions and publish them as separate RFCs,
          a practice often
          employed in documenting many other security protocols
          (including JOSE, from
          which this work is based). 



          document begins with a
          brief explanation of how COSE differs from JOSE, an excellent
          preface to the
          document. The cited design differences all seem very
          appropriate for CBOR,
          e.g., using binary encoding instead of base64url, shedding
          some of the odd
          constraints adopted in JOSE because of pre-existing work in
          the area, and
          updating the list of algorithms.


Since there
          is no standard
          grammar for CBOR, the author adopted the primitive types
          defined in an I-D


          to allow for a concise specification of COSE formats. I
          recommend that this document
          be held for publication until that I-D is approved. I also
          note that the cited
          I-D is Informational, but this document is Standards Track.
          the cited I-D is
          listed as informative, but the syntax it defines is used
          extensively throughout
          this document, thus I believe it really is normative.



Section 2
          defines the
          basic COSE data structure. The description seems clear and
          logical, but the
          list of message types is a bit puzzling (absent information
          that is provided
          later, in Sections 4 and 5). For example, there is a Single
          Signer data Object,
          and a Signed Data Object. If the latter accommodates multiple
          signers, why not
          make that part of the name? The same nomenclature confusion
          arises for
          encrypted objects directed to a single recipient vs. multiple



Section 3
          Describes the
          header parameters. It provides generally good, detailed
          descriptions of the
          common header elements and explains why certain conventions
          are adopted. It
          clearly describes requirements imposed on senders and



Section 4
          describes the
          objects used to convey one or more signatures for objects. The
          description here
          is a bit confusing when it discusses one vs. multiple
          signatures. The format
          that allows carriage of multiple signatures does not
          necessarily imply that
          there are multiple signers, e.g., the multiple signatures may
          be present to
          accommodate different algorithm capabilities for different
          recipients. The
          introduction to 4.2 says: 


“The COSE_Sign1 signature structure is used
          when only one signer
          is going to be placed on a message.”

Perhaps it
          would be
          clearer to say that this structure is used when only one 

            is to be
            placed in

 a message.


          this section is
          well written and provides useful details about how to compute
          signatures and
          counter signatures.



Section 5
          describes the
          COSE encryption objects. I disagree with one choice of
          terminology adopted
          here: “recipient algorithm classes” which is described in
          5.1.1. This is really
          a discussion of classes of key distribution/management
          algorithms, focusing on
          how each recipient of an encrypted message acquires the CEK
          used to decrypt the
          message. I’d prefer a less obscure name for this sub-section.
          Otherwise this
          section is well written and provide lots of useful details
          about how to encrypt
          and decrypt messages for two classes of encryption algorithms.



Section 6
          describes the
          MAC objects. Here too there are two types of structures,
          depending on whether a
          recipient implicitly knows what key to use to verify the MAC,
          or whether an ID
          for one or more MAC keys must be communicated. The text here
          closely parallels that
          of Section 5 and is very good.



Section 7
          describes the COSE
          key structure. It is designed to accommodate the data needed
          by a wide range of
          key distribution mechanisms and encryption techniques.



Section 8
          defines two classes
          of signature algorithms that can be used with COSE, specifies
          an algorithm of
          each type, and provides security guidance for each algorithm.
          I think it would
          be preferable to remove the detailed algorithm descriptions
          (Sections 8.1 and
          8.2) and associated security considerations (which are well
          written) from this
          document. The comments below apply to sections 9, 10, 11 and


I have
          several concerns
          about including the algorithm (vs. algorithm class)
          descriptions here. For many
          security protocols (and security-focused data formats), we
          usually (though not
          always) specify mandatory and optional to implement algorithms
          in separate
          documents, to facilitate algorithm agility. I think we should
          follow that model
          for COSE. Also, the text here does not mandate support for
          these algorithms; it
          merely provides details for a set of algorithms that a sender
          and/or receive
          may choose to implement. One has to read the final sentence of
          the opening
          paragraph of Section 15 to learn that this is the intent,
          i.e., that selection
          of specific algorithms is deferred to the each application
          that makes use of
          COSE. Given that later statement, it appears that the
          algorithms specified in
          Sections 8-12 ate intended to define the set from which
          application developer
          MUST choose, but that too is not clearly stated. I think this
          makes it even
          more appropriate to remove the detailed algorithm discussions
          from this



Section 12
          describes the
          “recipient algorithm classes” aka key distribution/management
          methods. Most of
          this section is analogous to the preceding sections (9-11)
          where specific
          algorithms are described for use with COSE, and thus my
          comments about undue
          bundling of algorithms with a protocol specs apply here too. I
          do not object to
          describing key transport, key wrapping and key agreement
          methods in general,
          but the detailed specs in 12.2.1, 12.4.1 and 12.5.1 seem
          inappropriate here,
          for the reasons noted above.



Section 13
          parameters for key objects used by COSE. The specs here are
          generic that they do not suffer from the problems I noted for
          Sections 8-12.



Section 15
          guidance for application developers making use of COSE. This
          is where a reader
          finally discovers that 


          described in Sections 8-12 are not MTI, and that each
          application is expected
          to specify which algorithms are MTI in that context, to


Section 16
          (IANA Considerations)
          describes the registries that need to be created for COSE, and
          extensions to
          the CoAP registry to support COSE. It seem to be well written


Section 18
          Considerations) is a good adjunct to the already well-written
          considerations discussions provided for the algorithms in
          Sections 8-12.



Typos and suggested rewording.


Section 2:


          object structure
          is designed so that there can be a large amount of common code
          when parsing and
          processing the different



-> The COSE object
          structure is designed so
          that there can be a large amount of common code when parsing
          and processing the

types of



          messages are also
          built using the concept of using layers to … 

          messages are
          built using the concept of layers to …


Section 3:


The integer
          and string
          values for labels has been divided …


-> The integer and
          string values for labels


 been divided …


          perform the same checks that the same label …

          Applications SHOULD 


          that the same label …


          should have a
          statement if the label can be omitted.



 (?) have a
          statement if the label can be


          are from the
          "CoAP Content-Formats" IANA registry table. (




As the IV
          is authenticated
          by the encryption process, it can be placed in the unprotected
          header bucket. 

(in general, an
            encryption process will not “authenticate” an
            IV, but use of a modified IV will yield mangled plaintext,
            which can be
            detected by an integrity check or a signature. the same
            comment applies to the
            similar statement in the “partial IV” description.)



Section 4:


          Digital Signature Algorithm
          (EdDSA) signature algorithm and with the Elliptic Curve
          Digital Signature
          Algorithm (ECDSA) signature algorithm.

          Edwards Digital
          Signature Algorithm (EdDSA) 


          and with the
          Elliptic Curve Digital Signature Algorithm (ECDSA) 




One of the
          supplied in the COSE document is the ability…

-> One
          of the features 

offered by the COSE

 is the ability …


          algorithm takes in
          the body information …


The signing and verification processes

          take in the
          body information …


          signatures provide
          a method of having a different signature occur on some piece
          of content.

          Counter signatures
          provide a method of 

            different signatures
            generated by different signers with

 some piece of



Section 5




The key is randomly



The key is
          randomly or 





Section 6


          knowledge of sender
          assumes that there are only two parties involved and you did
          not send the
          message yourself.)

-> (This
          knowledge of
          sender assumes that there are only two parties involved and
          you did not send
          the message 





Section 15:


It is
          intended that a
          profile of this document be created that

defines the



t is intended that a profile
          of this document be
          created that


defines the