►
From YouTube: IETF112-COSE-20211110-1430
Description
COSE meeting session at IETF112
2021/11/10 1430
https://datatracker.ietf.org/meeting/112/proceedings/
A
A
A
A
I'll
take
that
as
a
no
and
so
the
note
12
was
presented,
the
minutes
can
be
accessed
here.
We
will
need
a
minute
taker
or
a
person
responsible
for
the
minutes.
Are
there
any
volunteers.
A
A
Okay,
okay,
that's
perfect,
thank
you
euron,
and
we
also
need
the
chopper
person
to
be
like
monitoring.
A
The
chat-
maybe
if
there
are
no
volunteer
volunteers,
okay,
wonderful,
we
have
chris
to
help
with
jabber.
Thank
you.
Thank
you
bob.
So
then
a
reminder
this
meeting
and
the
attendance
is
recorded.
A
A
With
that,
the
the
next
draft
is
the
8152
beast,
alex
draft.
It
is
in
hot
48
for
some
time.
The
same
applies
to
the
best
document.
C
C
B
So
there
is
a
pr
on
the
on
the
struct
draft,
which
is
doing
just
that,
adding
adding
the
int
and
then
what
it
was
in
the
mail
exchange
on
what.
How
should
we
handle
this?
Given
that
the
draft
is
in
a
progress
state-
and
I
think
the
proposal
was
that
we
should
actually
try
to
make
the
change
in
the
document
now.
But
the
question
is:
do
we
need
to
have
further
reviews,
or
how
can
we.
D
So
this
is
mike
jones
speaking
as
chair.
The
point
of
taking
stuff
to
internet
standard
from
draft
standard
is
to
preserve
the
parts
that
are
in
use
without
any
changes
and
changing
the
format
of
the
key
id
is
a
breaking
change.
It
will.
If
people
use
ins,
it
will
break
existing
implementations.
D
We
should
not
do
this,
we
should
close
the
pr.
Can
you
put
a
link
to
the
pr
in
the
chat?
Please,
and
I
will
close
it.
B
So
I'm
sorry
I'm
a
little
bit
busy
doing
both
the
agenda
and
sorry
the
the
notes
and
and
trying
to
find
this
link.
But
I'm
on
my
way.
B
C
E
E
Useful,
so
we
probably
wouldn't
want
to
rearrange
the
structure
of
of
cosy
encrypt
zero
or
something
at
this
stage.
That
would
be
wrong,
but
doing
a
small
fix
like
this
is
well
within
what
can
be
done
on
the
way
from
a
proposed
standard
to
an
internet
standard.
E
I
I
don't
have
a
strong
opinion
on
the
point
itself,
whether
we
need
the
the
numeric
key,
but
I'm
also
not
working
with
the
protocols
that
would
benefit
from
that
most.
So
I
leave
it
to
others
to
make
that
point,
but
I
want
to
say
that
the
process
argument
is
important,
but
I
don't
think
it
actually
applies
to
this
particular
situation.
D
It
remains
a
breaking
change,
which
is
something
you're
not
allowed
to
do
during
the
process
of
taking
a
draft
standard
to
standard.
If
anybody
uses
this,
it
breaks
all
the
existing
implementations,
they
can't
parse
it.
B
D
Look,
I'm
sorry,
I
didn't
weigh
in
on
the
thread,
but
we
should
not
be
making
breaking
changes
in
the
internet
standard
process.
G
Yeah,
I
I
agree
with
what
harrison
said
that
this
is
something
that
is
learned
from
experience
and
can
very
well
be
done
in
an
infinite
standard.
I
definitely
don't
think
this
is
a
breaking
change,
as
this
is
as
breaking
as
registering
a
new
algorithm.
If,
if
you
use
that
new
algorithm,
none
of
the
old
deployments
will
be
able
to
talk
to
you,
so
I
I
don't
really
understand
why
this
would
be
more
breaking
than
registering
like
kiran
said.
As
a
bit
surprised.
I
think
this
was
discussed
quite
long
and
was
from
support.
G
D
D
C
And
next
q-
a
as
the
responsible
ed,
so
I
think
that
we've
seen
a
couple
of
different
perspectives
portrayed
about
what
the
standards
process
means
in
going
from
proposed
standard
to
internet
standard.
I
basically
agree
with
what
karsten
said
that
there
is
some
scope
for.
C
Last
call
and
I
believe,
also
an
itf
last
call
because,
as
mike
points
out,
this
is
in
some
sense
a
significant
change.
It's
not
something
I'm
comfortable
just
doing
at
the
last
minute.
In
all
48,
there
is
the
potential
for
real
consequences
for
implementations,
and
so
it
would
be
something
that
we
need
focused
attention
on.
C
That
would
then
update
the
internet
standard
to
be
rfc
to
make
this
change,
and
I
think
there
was
also
a
note
in
the
chat
which
maybe
bob
is
getting
up
to
the
mic,
to
say
right
after
me
about
being
able
to
change
the
when
you're
encoding,
if
there's
also
a
version
or
a
feature
flag
that
you
can
use
to
get
that.
C
D
C
D
F
Decades
and
I
can
find
going
from
proposed
to
standard
cases
where
important
changes
were
made
because
there
were
oops
or
we
lack
something
or
whatever
and
we've
had
to
make
changes
and
because
we've
fielded
things,
we've
learned
that
we
don't
have
the
flexibility
we
need,
for
whatever
reason
almost
always,
there
was
some
versioning
that
we
could
use
to
make.
So
we
didn't
break
what
was
deployed
and
make
products
migrate
cleanly
to
what
is
standard.
F
So,
hopefully,
there
is
some
version
that
we
can
use
for
making
this
change
as
to
what
was
just
mentioned
in
the
in
the
in
by
dkg.
If
we
got
products
that
don't
look
at
version
before
they
start
decoding
the
things,
that's
their
problem,
that's
why
we
have
versioning
in
in
these
sorts
of
things.
So
we
hope
we
have
urgently
so
I'll
just
wrap
up
with
that
that
at
as
a
community,
we
do
make
these
sorts
of
changes
as
a
community.
That's
why
we've
learned
painfully
to
include
versioning.
E
A
E
Just
quickly
point
out,
that
version
is
not
needed
to
allow
integers
in
this
place,
because
the
sibo
encoding
makes
sure
that
you
notice
that
there
is
something
there
that
you
didn't
expect.
E
So
a
version
would
probably
only
cloud
the
issue
here.
So
the
the
essentially
the
the
major
type
in
that
field
plays
the
same
role
that
a
vagina
would
play
in
another
situation.
So
if
I
were
going
to
build
a
separate
extension,
I
would
simply
say:
let's
extend
the
data
type
of
that
element,
and
people
will
notice.
If
they
don't
interpret
it.
A
So
I
really
think
we
should
move
on
and
discuss
this
further
either
on
the
mailing
list
or
if
we
have
time
at
the
end,
I
just
we
are,
I
think,
more
than
10
minutes.
A
So
then
tell
us
two
documents
on
this
page
are
the
x509
that
we
will
discuss
on
the
next
slide.
It
is
in
its
pasta,
adhd
evaluation,
but
there
are
still
a
few
small
things
that
we
need
to
improve
before
it
can
be
progressed
after
that
and
the
last
one
is
the
countersin
draft
which
needs
to
be
sent
to
the
is3,
and
this
will
be
done
right
after
this
meeting.
I
think
yes.
H
A
A
A
B
Was
there
an
action
there?
I'm
sorry.
A
So
the
action
for
me
is
the
chairs
and
cars,
then
to
discuss
the
media
type
or,
if
carson
already
has
a
good
idea,
what
kind
of
text
could
be
suggested?
That
would
be
wonderful.
Otherwise,
let's
have
a
small
chat
and
try
to
finish
that.
Yes,
kirsten.
A
John,
would
you
be
willing
to
take
another
look
at
the
questions
and
everyone
to
also
take
a
look
and
unless
anyone
complains
about
their
issue
not
being
resolved,
and
if
you
don't
see
anything
please,
I
just
fix
those
issues.
Would
that
be
okay
for
you.
G
A
You
so
I
think
those
were
the
important
things
and
I
guess
we
wanted
to
take
another
look.
What
are
the
phrasing
of
the
protection
over
x,
five
back
and
chain
and
x5
t
is
clear
enough.
A
A
B
B
B
The
results
from
the
rust
code,
which
is
in
the
github
repo,
there
was
one
proposal
we
discussed
this
last
time
during
the
interim,
and
that
is
that
the
revocation
parts
that's
currently
only
talking
about
crls
should
be
moved
to
a
separate
draft.
So
we
should
try
to
complete
this
part
without
revocation
and
then
have
serials
and
other
revocation
aspects
in
a
separate
drafts.
B
G
Not
much,
I
think
we
will
have
more
time
for
c
579
here
after
after
I
theft
hundred
and
twelve,
so
I
will
I
plan
to
do
some.
I
already
have
some
updated
code
or
some
bugs
in
the
old
code,
and
it
didn't
support
everything,
so
the
code
has
been
updated.
I
will
share
that
in
a
month
when
I
have
checked
it
also
yeah.
B
Okay,
so
yeah,
so
that's
it
first
question:
should
we
take
these
questions
to
the
chairs,
want
to
leave
this
question
about
separating
the
draft
into
two
pieces,
whether
we
need
to
adopt
the
the
separate
part
or
not,
and
also
it
would
be
good
to
have
a
call
for
reviews
if
there
are
any
see
if
there
are
any
volunteers.
E
E
Yeah,
I
don't
think
I
have
anything
to
add
to
this,
so
I
think
it
would
be
good
to
finish
c509.
So
if
we
can
speed
this
up
by
doing
serials
separately,
I
think
we
have
more
than
one
thing
that
could
go
into
such
a
separate
draft.
I
don't
remember
what
the
other
things
were.
E
C
There
are
multiple
ways
to
do
so,
which
include,
but
are
not
limited
to
crls
and
ocsp
as
specified
in
this
other
document.
But
if
you
want
to
do
your
own
thing
that
also
meets
the
requirements
of
this
spec.
That's
the
sort
of
construction
of
the
relationship
between
documents
that
we
see
with
some
regularity.
B
I
Some
concern
to
move
forward
with
this
draft
without
having
you
know
a
crl
draft
or
some
kind
of
revocation
draft
that
you
could
point
to
that
would
follow.
I
mean
it
seems
like
it
would
be
kind
of
a
gap
that
could
you
know
during
sector
review
or
something
else
could
be
raised
and
kind
of
block
moving
this
d509
from
moving
forward.
C
Yeah
you're
sort
of
pointing
out
that
there's
a
risk
that
we
end
up
in
a
state
where
we
try
to
publish
c509
and
the
other
stuff
just
isn't
ready
yet,
and
you
know
we
could
sort
of
force
the
issue
by
putting
in
a
normative
reference
so
that
the
rfc
will
not
actually
be
published
until
they're.
Both
ready-
and
you
know
I
I'm
amenable
to
that-
for
many
of
the
reasons
you
described,
but
I'm
reluctant
to
say
that
it
is
definitely
required
without
getting
some
further
input.
H
J
Hi
there
I
want
to
point
out
that
ocsp
doesn't
actually
necessarily
work,
all
that
well,
there's
easy
ways
to
block
ocsp,
and
I
would
be
reluctant
to
see
this
make
the
same
mistakes
that
we've
made
for
years
in
the
x59
world,
about
ocsb
in
particular,
with
x509
we've
been
pushing
on
the
ocsp
must
staple
trying
to
get
that
to
be
widely
deployed.
J
If
c509
certs
are
going
to
be
deployed.
We'd
like
I'd
like
to
see,
you
know
the
must
staple
stuff,
be
there
from
the
outset,
because
otherwise
it
introduces
privacy
issues
and.
J
Privacy
issues,
if
you
don't
do
stapling,
and
if
you
don't
require
stapling,
then
the
then
you
don't
actually
solve
the
replication
at
the
time
of
the
revocation
issue.
So
if
you're
gonna
try
to
do
revocation,
please
please
take
heed
of
the
problems
that
we've
run
into
for
basically
like
a
decade.
J
I
don't
think
that
means
that
this
should
necessarily
hold
it
up.
You
could
reference
the
existing
x-509
must-staple
questions
and
granted
that
wouldn't
work
for
it
wouldn't
necessarily
work
for
a
native
c-port,
but
you
could
normatively
reference.
Existing
x-509
must
staple
stuff
start
work
on
the
must
staple
ocsp
or
crl
work.
That's
cbore
specific
and
leave
that
out
of
a
normative
reference
in
this
particular
draft.
Just
have
that
subsequent
draft
update
this
one.
E
Okay,
so
my
my
summary
would
be
that
having
this
cla
section
would
be
a
device
to
get
this
through
the
isg,
but
well,
given
that
cis
are
usually
not
what
you
want
in
a
constrained
environment,
it's
not
what
we
would
actually
use.
So
it's
a
rfc.
E
A
Yes,
john
and
let's
stop
the
discussion
afterwards,.
G
A
A
A
If
there
are
no
reviews,
so
is
there
anything
more
for
this
presentation.
H
Okay,
all
right,
thank
you
just
as
a
bit
of
background.
This
is
work
that
was
started
in
the
suit
working
group
where
this
same
set
of
authors
was
working
on.
How
do
we
encrypt
a
firmware
load
and
we
decided
that
it
might
be
better
to
have
a
the
hpke
mechanism
in
in
cos
a
because
we
probably
weren't
the
only
ones
who
were
going
to
need
it,
and
so
basically
we
extracted
that
piece
out
of
the
suit
document
and
are
proposing
that
the
cos
a
working
group
adopted.
H
So,
as
I
said,
this
was
started
as
part
of
the
firmware
encryption.
H
You
can
see
that
the
document
suit
firmware
encryption,
zero,
zero,
basically,
is
there
we
wanted
to
be
able
to
support
pre-shared
keys,
and
that
was
already
offered
by
cos
a,
but
we
also
wanted
to
do
the
hpke
approach,
which
was
not
already
straightforward.
In
cos
a
so
we
wrote
our
own
structures
and
we
wanted
to
bring
them
here
so
that
others
can
make
use
of
that
same
work
as
opposed
to
it
being
tied
tightly
to
the
firmware
encryption
next
slide.
H
So,
like
the
other
similar
mechanisms,
it's
got
three
layers
layer,
three
maintains
the
parameters
needed
to
generate
the
shared
secret
next
slide.
H
H
We
wanted
to
point
out
that
there's
already
some
implementation
experience
with
this.
The
folks
at
arm,
in
particular
honest,
has,
has
done
this
work,
but
it's
based
on
steve,
farrell's,
happy
key
work
that
was
done
before
that
happy
key
relies
on
openness,
cell
and
so
on.
But
this
is
the
point:
is
it's
not
just
a
paper
spec?
H
So
I
think
that's
the
last
slide,
but
I
did
want
to
point
out
that
yesterday,
there's
been
some
discussion
on
the
main
list
about
this
document
already,
and
you
know
we'll
will
of
course
take
the
spec
wherever
that
discussion
leads.
If
the
group
chooses
to
adopt
it,
I
think
that's
it
over
to
the
chairs.
A
So
my
understanding
is
that
your
goal
with
this
draft
is
for
it
to
be
adopted
as
a
working
group
document
once
it
is
a
little
bit
more
advanced.
Is
that
correct.
I
H
No,
we
don't
so
in
suit.
We
always
have
a
signature
and
we
optionally
have
encryption,
and
so
we
were,
depending
on
that.
We
kose
has
a
similar
structure
where
there's
a
signature
or
an
encryption,
but
we
could
look
at
that.
If
there's
a
need
for
it,
but
that's
that's
the
current
way.
We,
the
the
division,
is
done.
K
K
Yeah
thanks,
so
you
mentioned
you
wanted
to
add
a
deterministic
authenticated
encryption
mode.
I
had
brought
up
adding
such
a
mode
to
the
hpke
and
cfrg
and
I
received
a
lot
of
pushback.
Yes,
I'm
wondering
if
you
have
a
better
use
case
than
what
I
was
suggesting.
Could
you
explain
what
your
use
case
is.
K
You
suggested
adding
aes
key
wrap.
You
said
we
need
aes
key
wrap
in
hpke
and
that's
a
deterministic
authenticated
encryption
mode.
H
That
is
so
that,
when
a
firmware
package
is
distributed
to
multiple
recipients,
they
each
receive
the
same
ciphertext
and
obtain
the
content
encryption
key
by
unwrapping
the
that
key
using
the
one
that
was
encapsulated,
a
kek
that
was
encapsulated
just
for
them.
That's
the
the
mechanism
we
it
for.
K
H
G
Yep,
I
think
this
is
great
work.
I
think,
because
I
should
work
on
this.
Just
the
more
high
level
question
to
cool
see.
How
do
we
see
is
hpk
the
future
of
key
exchange
in
in
cozy
or
do
we
continue
to
add
more
non
hpk
algorithms,
also
to
cosi
in
very
shortly
there
will
be
new
pqc
cams,
they
will
probably
be
added
to
hpke
and
they
will
need
to
be
supported
in
cosi,
will
be.
G
H
Yeah,
I
I
don't
know
the
answer
to
that
either.
I
think
lamps
is
struggling
with
the
same
question
as
the
post-quantum
kem's
come
along.
What's
the
cleanest
way
to
embrace
them,
we're
talking
about
a
kem
recipient
info
in
that
environment,
a
similar
thing
could
be
considered
here.
I
don't
know
what
the
best
answer
is,
and
it's
really
hard
to
guess
what
future
algorithms
will
will
look
like
and
what
parameters
they
all
need.
So
I
guess
this
is
part
of
the
pain
of
being
algorithm,
agile,.
H
Okay,
so
is
the
I
didn't
hear
anybody
speak
against
doing
this.
Does
that
mean
we'll
have
a
call
for
adoption
on
the
list.
A
A
Okay,
thank
you
for
the
presentation
and
the
discussion
and
with
that
and
let's
move
to
the
last
topic
for
today,
the
fast
verification
print
the
ecd
ac.
I
guess
just
sick.
A
C
L
L
L
All
right,
good
morning
afternoon,
everybody
I
see
I
have
less
than
five
minutes
left,
so
it's
probably
going
to
be
hard
to
go
through
the
slides,
but
I
will
try
anyway,
I
to
catch
the
main
concept.
So
what
I
wanted
to
do
today
is
try
to
introduce
a
way
to
use
ecdsa,
which
is
very
well
known
and
has
been
over
20
years
in
a
way
that
allows
faster
verification,
and
I
think
it's
a
useful
effort
for
this
group.
L
So
this
is
a
very
nice
algorithm
and
has
been
widely
adopted,
but
the
problem
with
it
is
that
it
doesn't
really
allow
a
fast
batch
verification,
so
checking
a
number
of
sequences.
At
the
same
time,
there's
also
a
way
to
speed
up
a
single
verification,
but
that
is
only
possible
if
we
use
similar
to
like
ed
dsa,
so
the
essentially
the
bernstein
signature,
where
the
signature
instead
of.
L
L
Ecd
is
a
star
slide,
and
then
it
suddenly
becomes
only
an
algebraic
equation
that
has
to
be
checked,
and
so
that
allows
a
speed
up
of
roughly
30
percent
in
the
single
verification
case,
and
if
you
have,
for
example,
a
certificate
chain
or
you
have
for
whatever
reason
you
want
to
check
multiple
signatures,
the
same
load,
balancing
or
something
like
that,
then
you
can
get
a
speed
up
of
roughly
a
factor.
Six
and
the
downside
is
that
that
the
speed
up
only
applies
if
we
use
a
slightly
different
format
for
the
signature
itself.
L
So
the
objective
of
the
next
few
slides
is
to
show
that
actually,
the
format
can
be
the
same.
L
L
Rs
that's
option,
one
that
is
printed
in
that
specification.
An
important
thing
to
notice
is
that
with
ecdsa
you
always
get
two
signatures
that
are
possible,
and
that
is
due
to
the
so-called
b9
malleability
property
of
ecdsa.
L
So,
in
terms
of
this
example,
you
get
two
options
for
the
signature
and
the
important
property
is
that
in
one
of
the
options,
the,
if
you
actually
would
do
the
verification
step
itself,
you
would
have
an
ephemeral
signing
key
where
the
so-called
y-coordinate
of
this
thermal
signing
key
is
odd
and
the
other
one
is
even
so.
L
What
he
can
do
is
he
can
try
to
pick
any
ecdsa
signature
of
these
two
options
at
will
and,
as
you
see
if
we
have,
for
example,
the
rule
that
we
always
want
to
have
the
y
corner
to
be
even
then,
we
in
this
case
pick
option
two,
but
in
in
any
case
in
in
all
in
all
signatures.
We
have
two
options,
one
of
them
with
the
assigning
keys
y
corner
to
be
odd
and
the
other
one.
Even
so,
let's
look
at
this
suppose.
L
L
So
it
remains
an
ecdsa
signature,
but
since
the
signature
consists
of
the
the
x-coordinate
of
the
signing
key
and
the
y-coordinate,
if
we
know
this
the
parity
of
that
y-coordinate,
we
can
uniquely
recover
the
thermal
signing
key
from
the
signature
itself
without
first
doing
the
entire
verification
and
that
allows
to
speed
up
so
the
procedure
to
get
to
more
of
these
two
signature
schemes.
Versions
together
is
that
we
generate
the
signature,
always
in
the
same
way
as
we
have
done
the
like
the
last
20
years.
A
L
Interest
yeah
yeah
go
to
the
last
slide,
so
I
think
we
don't
really
have
time
to
go
over
all
the
details,
but
the
main
reason
that
I
wanted
to
present
something
is
right
now:
there's
lots
of
interest
in
initiatives
that
use
josie
signatures,
for
example,
in
e-health
initiatives,
for
example,
just
to
get
in
a
restaurant.
You
have
to
show
you
qr
codes,
there's
lots
of
things
and
that
uses
jws
signatures
and
I
think,
there's
an
excellent
opportunity
to
make
some
of
these
things
speedier.
L
A
Yes,
thank
you
for
the
presentation.
If
people
are
interested
for
sure
be
sure
to
reach
out
to
renee,
he
hasn't
smells
to
demonically,
so
you'll
find
also.
There
are
his
coordinates
and
we
are
quite
over
time.
So
unless
there
are
any
special
comments,
I
think
we
can
close
at
that.
Thank
you
very
much
for
the
participation
and
have
a
nice
day.