►
From YouTube: COSE WG Interim Meeting, 2021-02-17
Description
COSE WG Interim Meeting, 2021-02-17
A
A
A
So
this
is
the
agenda
for
today,
we'll
start
with
a
few
updates
for
draft
status
and
test
charter
and
to
spend
the
biggest
chunk
of
time
discussing
x,
509.
Hopefully,
all
the
issues
that
we
have
could
be
resolved
today,
but
in
any
case
we
would
like
at
least
to
have
very
better
clarity.
B
Are
you
you're
here
yeah.
A
I
guess
that
should
be
fine,
provided
that
we
managed
to
finish
with
the
x
509
discussion
a
little
bit
earlier.
How
much
time
would
you
need
for
for
diana
discussion
and
yeah
in
the
slides.
B
A
A
A
Yes,
please
help
us
also
see
any
important
discussions
that
are
happening
there
and
yes,
the
meeting
and
attendance
are
recorded,
so
the
in
the
minutes.
There
is
attendees
list.
Please
write
your
name
there.
If
you
are
not
already
in
the
list.
A
A
A
A
C
Yes,
so
the
last
time
that
I
looked
at
it,
there
was
one
pull
request
open
in
github
that
looked
like
it
was
correct.
So
I
believe
we
should
merge
that
pull
request,
and
then
I
can
put
it
into
the
data
tracker
and
get
the
official
rechartering
process
started.
A
So
the
next
point
is
about
the
x509.
I
saw
that
there
are
also
some
flights
provided
by
john,
so
I
haven't
had
the
chance
to
look
at
them
yet.
A
A
A
Okay,
yes,
there
is
the
discussion
around
the
trust,
relation
that
is
connected
to
the
hex
5u
attribute
header
parameter
and.
A
In
discussions
with
people,
what
I
think
ben
summarized
her
in
one
email
was
that
not
having
the
x-5u
header
in
the
protected
fields
could
potentially
lead
to
some
larger
attack
surface,
and
that
is
the
main
reason.
A
I
guess
jim
thought
of
it
this
way
and
it
sounded
reasonable
to
me
what
was
mentioned
is
that
in
the
other
cases
we
always
have
the
certificate,
so
there
is
no
chance
to
and
to
slap
a
certificate,
keeping
the
same
key,
and
when
we
use
this
header
parameter
in
theory,
an
attacker
might
be
able
to
do
something
like
that.
C
C
I
think
I
what
you
described
and
what
I
said
earlier
is
sort
of
a
potential
explanation,
but
I
think
right
now
we
are
kind
of
trying
to
reverse
engineer
why
jim
wrote
this
text
and
I
almost
wonder
if
it
would
be
safer
or
better
to
just
try
to
do
a
clean
analysis
of
the
situation
from
the
start
in
terms
of
what
the
pieces
of
information
are
and
how
they
are
flowing
and
what
needs
to
be
protected
under
which
circumstances
and
what
does
not,
because
that
would
sort
of
catch
if
there
are
any
other.
E
C
C
There
is
some
qualitative
difference
between
what's
going
on
in
terms
of
you
have
this
third
party,
and
I
mean
I
think
what
this
text
says,
that
the
person
generating
the
cozy
message
does
need
to
have
a
trust
relationship
with
the
party.
That's
hosting
the
referred
to
resource
in
terms
of
they
will
provide
the
correct
certificate
when
requested,
but
the
chain
of
reasoning
between
I
need
to
have
a
trust
relationship
with
this
other
party
to
why
that
specifically
needs
to
be
in
the
protected
header
bucket
protected,
attribute
bucket.
F
Ben
this
is
russ.
I
think
the
idea
is
there's
two
ways
that
you
could
get
back
a
certificate.
That
is
not
the
one
the
sender
intended
one
is
the
url
in
the
message
could
be
changed
by
putting
it
in
the
protected
bucket.
You
prevent
that,
and
the
second
is
whatever
server
you're
contacting
with
that.
F
Url
could
send
you
the
wrong
thing
and
that's
why
the
trust
relationship,
because
we
don't
have
a
protection
against
that
the
only
way
to
to
prevent
to
get
that
would
be
to
put
a
hash
in
the
parameter
of
the
thing
you're
expected
to
get
back.
C
G
I
think
that's
really
the
key
thing,
and
I
don't
understand
this,
this
connection.
This
is
michael.
I
don't
understand
this
statement
at
all.
I
think
that
it
is
equivalent
to
downloading
the
certificate,
putting
it
in
x5
bag
and
then
what
is
a
what
occurs
and
the
other
complexity
about
this
is
what
about
the
6125
stuff.
G
If
this
is
an
http
link
that
we're
supposed
to
retrieve
the
certificate
from
how
do
we
know
whether
we've
done
that
right,
and
so
I
would
prefer
not
to
put
it
in
the
in
the
protected
attribute,
I
don't
think
there's
any.
D
Value
yeah,
I
think
I
think
we
need
to
discuss
if
we
want
to
put
some
protect
something
and
then
what
there
is.
It
might
be
reason
to
protect
identities,
for
example,
but
then
it
would
be.
I
agree
with
russ
that
pushing
a
hash
in
the
protected
would
protect
would
provide
protection,
but
that
would
be
bad
for
the
use
cases
we
have
in
ad
hoc,
which
already
put
the
end
certificate
in
the
external
aad.
D
H
Yeah,
thank
you
to
make
the
life
easier
for
the
note
taker,
I
wrote
up
what
I'm
going
to
say
so,
the
the
the
other
certificate
containers
we
have
there
are
there
to
divulge
information
to
the
recipient.
H
So
it's
strictly
adding
information
that
the
recipient
may
not
have
at
this
point
in
time,
so
nothing
is
identified
as
as
being
in
any
way
special
or
trusted
or
anything,
and
so
there
is
no
consequence
if
the
wrong
information
is
being
divided,
except
that
well,
the
the
chains
won't
validate,
so
that
the
whole
thing
is
not
going
to
to
have
the
the
intended
effect.
H
So
if
this
certificate
is
is
intended
to
be
validated
under
the
same
authorization
policies
as
the
other
ones,
I
I
don't
understand
what
the
special
relationship
is
here
and
the
other
question
I
have
is
what
exactly?
What
do
we
mean
by
protecting
it?
Are
we
talking
about
integrity
or
are
we
talking
about
for
confidentiality?
H
So
I'm
not
sure
we
have
even
talked
about
confidentiality
in
this
context,
but
of
course
there
may
be
some
confidentiality
objectives
here
as
well.
F
I
So
this
is
hank
on
my
ad
and
what
are
we
losing
when
it's
in
the
unprotected
header
and
therefore,
if
someone
strips
it
out,
do
we
lose
anything
here?
That's
intended
to
be
there
and
it's
reliably
there
so
that
sometimes
the
integrity
domain
of
the
signature
is
used
to
make
sure
that
some
stuff
reaches
the
intended
destination.
D
I
think
one
I
think
bill
drastic
larry
mentioned
that
you
need
protection,
I
don't
know
what
they
intended.
They
can,
but
one
reason
why
you
might
want
to
integrity,
protect
that
is,
for
example,
mentioning
the
sigma
protocol
is.
That
is
the
attack
where
somebody
borrows
your
public
key
and
register
it
with
a
different
identity.
D
I
Yeah,
maybe
that's
just
a
security
consideration,
part
of
this
and
not
the
extra
body
or
maybe
a
worthwhile
to
make
an.
I
A
Okay,
so
as
a
way
forward,
it
sounds
like
we
would
need
to
try
to
re-evaluate
what
is
the
types
of
attacks
that
we
want
to
yeah.
What
is
the
security?
D
I
I
can
try
to
provide
something
and
try
to.
I
guess
it
was.
Maybe
we
need
more
discussion
on
this
also
at
the
itf
meeting,
but
I
can
try
to
put
in
some
work
I'm
depending
on
these
drafts,
as
the
normative
reference
in
ad
hoc,
close
as
a
informal
reference
for
the
seaboard
certificate
work,
so
yeah,
okay,.
A
Of
course,
this
does
not
mean
we
should
rush
this
thing,
just
something
to
keep
in
mind.
I
Yeah,
this
is
adding
to
that
yeah.
There
are
a
few.
I
think,
efforts
that
realize.
Oh,
this
is
really
useful
and
are
starting
to
include
in
in
their
own
ids,
but
I
don't
think
there
is
a
cluster
problem,
yet
I
don't
know
so.
But
yes,
I
think
I
would
support
the
notion
that
there
is
has
been
making
made
use
of
this
work
and
we
should
see
that
as
it's
progressing.
I
I'm
not
rushing,
not
pressuring,
but
we
should
not
end
on
the
other
side.
H
So
that
that
might
be
an
agenda
item,
an
action
item
to
to
find
that
out.
So
we
better
understand
what
how
people
are
currently
interpreting
this.
H
Yeah
so
having
we
actually
have
this.
What
would
be
useful?
I
don't
know
if
that's
actually
available.
H
H
Yeah,
so
the
the
the
question
I
I
have
in
mind
really
is:
does
providing
this
certificate
lended
any
any
special
position,
any
special
meaning
any
special
authorization,
in
effect
from
the
point
of
view
of
the
kosi
sender
that
that
needs
to
be
recognized
by
the
recipient,
because
I
think
that's
really
the
the
place
where
we
generate
security
problems
where,
where
sender
and
receiver
don't
agree
on
the
semantics
to
of
putting
some
some
data,
some
signature
or
something
it's
in
a
specific
position,
and
we
have
to
be
very
very
clear
about
what
that
actually
means
that
something
is
in
x5.
H
C
C
A
C
C
A
C
E
E
Hi
this
is
jonathan
hamill,
so
that
that's
a
good
point
in
that
that
could
trigger
like.
If,
if
the
sender
or,
if
the
receiver
of
the
message,
I
guess
is
expecting
some
sort
of
privacy
of
if
there's
additional
confidentiality
protections
that
that
that,
on
the
message
that
they
received,
that
this
outbound
connection
trigger
might
inform
someone
that
that
a
certain
recipient
has
received.
That.
E
D
Yeah
I
can,
I
can
try
to
provide
some
initial
suggestion
or
explanation
of
the
problem
and
yeah
no
later
than
the
next
in
the
idf
meeting.
Maybe
I'll
send
something
to
the
mailing
list
before
that.
D
I
C
A
A
Okay,
so
john
did
we
discuss?
D
H
Yet
so,
if,
if
I
give
an
oscar
implementation,
something
that
starts
with
the
corp
s
scroll
on
facebook.com,
it's
not
quite
clear
what
what
the
oscar
implementation
is
supposed
to
do
with
that.
So
I
don't
think
we
can
make
that
feature.
Extension
at
this
point
in
time.
We
might,
we
might
be
able
to
do
that
later.
A
A
A
D
I
think
that
would
be
an
easy,
quick
fix.
Do
that
solve
your
problems,
michael.
A
D
A
D
D
And
first,
the
defining
a
structure
similar
to
x,
509
that
can
hold
one
or
more
certificates
and
then
that
same
structure
is
used
in
bag
in
chain
and
in
the
uri
option,
and
also
in
the
keyboard
tag
that
was
requested
at
the
last
interim
or
on
the
list.
I
don't
remember
yeah,
but
I
think
the
same
structure
could
be
used
in
all
these
four
places
and
also
it
seems
to
that.
D
D
D
E
This
is
jonathan
hamill.
I
have
a
comment,
so
you
said
the
formatting
is
similar
to
x5
bag
and
x5
chain,
but
in
the
for
those
components,
if
it's
a
single
certificate,
then
it's
encoded
as
as
a
beaster
where
it
and
then,
if
there's
multiple
components,
it's
it's
the
array,
whereas
I
think
you've
defined
it
differently.
There.
D
Yes,
so
this
is
a
single
certificate
here
is
defined
as
a
sequence,
so
even
a
single
certificate
needs
to
be
wrapped
in
an
array,
and
then
the
idea
here
would
be
that
you
wrap
one
or
more
certificates
in
a
single
array.
D
H
D
Definitely
possible
to
decode
it's
you
get
a
unique
encoding
for
everything,
but
then
the
question
is:
if
this
is
previously
gotten
questions
about
how
easy
things
are
to
implement,
with
with
seaboard
libraries
and
so
on,
I
think
that's
discussion.
We
need
to
get
back
to.
A
B
B
So
as
it's
defined
today,
the
algorithms
are
typically
not
bundled
with
a
curve.
So,
for
example,
signature
algorithm
is
bundled
with
with
a
hash
function,
but
not
with
elliptic
curve
and
the
rfc
8152,
and
also
the
this
document
specifies
how
to
handle
this
when
new
curves
are
are
considered
and
there's
been.
B
The
reason
why
we're
discussing
is
is
the
quest,
because
there
is
also
an
example
of
a
case
where
it's
actually
defined,
bundled
with
the
curve,
and
we
seem
to
agree
on
on
the
mailing
list
that
this
case
is
actually
an
exception,
which
was
used
to
restrict
the
use
of
core
c2
legacy
case
and
also
limit
some
security
issues.
Related
to
that.
B
So
we
seem
to
agree
that
there
is
when
we
get
new
requests
for
new
registration.
We
try
to
follow
the
rule
about
separating
the
algorithm
from
from
the
curve,
and
similarly
this
should
apply
to
to
ecdh,
which
is
bundled
with
key
derivation
or
keywrap,
but
not
really
the
curve.
B
B
D
B
That's
the
case:
how
to
handle
the
fact
of
the
case
when
we
have
easy
groups
with
cofactor
different
from
one
so
rfc
8152
is
is
not
looking
at
that
case
and
to
handle
that
case.
There
is
a
need
to
multiply
the
cofactor
in
the
helmet
calculations
or
the
shaft
secret
calculations
to
protect
certain
attacks,
and
the
question
is:
how
do
we
handle
do?
B
So
we
like
like
to
do
something
in
general,
and
the
two
candidate
solutions
are
one
is
that
we
we
basically
duplicate
all
the
iffy
helmet
registrations
and
define
copy
of
the
registration,
but
with
co-factor
different
than
one
and
another
solution
is
that
we
allow
this
the
current
registration
to
include
multiple
sort
of
co-factors
different
from
one
as
well
as
co-factor
equal
to
one
and
that
could
be
handled
by
defining
in
the
ecdh
operation
or
the
shared
secret
encoding.
B
How
how
to
how
to
multiply
with
the
cofactor
that
can
be
defined
in
the
curve
specification,
so
those
are
two
candidate
solutions.
I've
heard
from
this
mainly
in
hillary's,
provided
input
here,
and
some
support
would
be
good
to
hear
if
there
are
other
other
solutions
and
if
there
is
any
preferred
solution-
and
there
was
a
voice
here
about
saying
that
solution
2
seems
more
robust,
because,
basically,
if
you
define
it
with
with
a
curve,
there
is
no
way
to
perform
the
wrong
ecbh
operation
or
share
secret
calculation.
D
I
think
yeah,
I
think,
several
of
curve,
two
five,
five
one,
one
nine
and
curve
four
four
eight
already
have
cofactors.
So
I
think
it's
not
if
a
helmet
with
cofactors
in
general,
it's
if
a
helmet
referring
to
60
90
with
cofactors,
all
right,
good,
good.
B
C
So
this
is
not
a
terribly
substantive
comment,
but
it
seems
potentially
of
an
issue
where,
if
you
know
the
procedures
for
multiplying
by
the
cofactor
are
somehow
buried
in
a
obscure
corner
of
the
specification
for
using
that
curve,
I
don't
know
how
much
of
a
risk
there
is
that
somebody
would
overlook
that
just
assume.
They
know
how
to
do
ecdh
and
and
miss
that
part,
but
that's
a
pretty
speculative
risk
and
I
don't
have
any
concrete
thing.
I
can
point
to.
B
So
what
you're
saying,
then,
is
that
if
we
introduce
a
specific
registration,
especially
a
code
point,
would
that
make
that
less
less
likely.
I
So
those
who
think
I
can
see
how
you
you're,
of
course,
struggling
with
the
pro
concierge
ben
in
general,
why
actually
yeah
specify
more,
but
but
again,
I
think
that
is
the
more
robust
solution,
too
has
a
ring
to
it,
and
I
would
agree
with
the
could
that
be
buried
so
far
away
that
people
not
very
familiar
familiar
with
this
with
this
context
might
miss
that
and
do
that
actually
wrong.
So
then
they
think
that's
a
valid
cause
because
everybody's
doing
it
some
point
and
and
everybody's
gonna
create
this.
I
And
it's
a
point
and
it's,
I
think
a
clear
statement
seems
very
naively
from
my
point
of
view
to
be
way
more
interesting
than
yeah.
Well,
you
know
it's
a
co-factor.
It's
it's
been
buried
somewhere,
so
I
guess
having
a
more
clear,
robust
option
too,
but
I'm
not
sure
where
the
specification
actually
would
happen.
I
C
C
That
needs
to
be
very
clear
about
what's
happening,
but
if
I
remember
correctly,
we
do
have
the
iona
designated
experts
that
are
going
to
look
at
these
things
as
they
come
in,
and
so
we
should
be
able
to
rely
on
the
experts
to
remember
that
cofactor
is
a
thing
and
request
that
the
specification
be
more
clear
about
it
if
needed.
B
Yes,
that's
that's
one
one
point
and
I
think
yeah.
I
think
that
you
could.
Still
I
mean
if
this
is
written
in
one
specification,
you
could
still
imagine
that
someone
who
hasn't
read
that
particular
text
might
make
the
wrong
choice
for
the
code
point
as
as
well
as
as
algorithm
here,
yeah,
not
saying
anything
new,
so
okay,
so
it
seems
that
you
have
a
slight
preference
for
for
solution.
Two.
B
B
B
B
Yes,
yes,
we
can
so
my
my
I
went
into
some
sleep
mode
here,
not
not
personally,
my
computer
went
in
some
sleep,
so
that's
why
I
asked
so.
This
is
about
a
comment
about
deterministic
signatures,
whether
that
has
a
any
impact
on
the
code
points
and
it's
we
agreed
in
the
group
that
that
is
only
recommendation,
so
that
should
not
be
any
reason
to
not
use
the
particular
code
point,
but
we
should
probably
just
change
this
recommendation,
or
that
was
a
discussion
point.
B
B
There
is
a
request
to
register
a
curve
for
use
with
ecdsa
and
shake
256.,
which
means
that,
following
this,
the
principle
we
have
discussed,
we
need
to
register
ecds.
We
check
256..
B
B
C
Because
this
is,
you
have
to
fix
the
output
length
of
the
shake
as
well.
So
this
is
the
512
bit
output
of
shake
256.
B
B
C
C
B
And
it's
the
last
slide,
so
there
was
also
request
to
specify
a
curve
with
multiple
key
types
for
both
ec2
and
kp.
Currently,
the
registration
has
only
one
key
type
per
curve,
and
this
is
so.
This
is
related
to
an
ecdsa
application.
So
it
actually
is
the
case
that
rfc
on
8152
only
define
ecdsa
in
terms
of
ec2,
at
least
to
me,
it's
unclear
if
we
can
deviate
from
that.
B
The
only
case
where
we
speak
about
deviation,
it's
basically
that
we
can
add
new
curves,
and
it's
not
really
clear
to
me
actually
why
okp
is
needed
with
cdsa,
so
yeah,
I'm
looking
for
input
here.
First
of
all,
whether
we
need
it
and
what
kind
of
specification
we
would
require,
and
then,
if
this
needs
to
be
one
or
multiple
code,
points.
B
Great
I've
got
good
feedback
and
I
know
how
to
progress.
My
evaluation
of
these
requests.
B
C
H
C
H
The
issue
is
that
the
the
short
labels
are
standards
action
and
we
we
now
have
a
document
that
wants
to
register
a
short
label,
but
that's
informational,
and
I
think
we
we
just
miss
the
fact
that
that
security
area
documents
are
often
informational
when
when
they
are
kind
of
creating
standards,
so
we
have
a
gap
there.
So
we
would
have
to
make
this
document
standard
strict
for
only
the
reason
that
it
wants
to
have
a
short.
C
H
So
I'm
wondering
whether
we
can
just
get
away
with
a
variance
here
where
we
say
okay,
this
is
not
a
standards
track
document
formally,
but
the
for
all
intents
and
purposes
it
is
or
whether
we
actually
have
to
create
a
document
that
changes.
The
inf
policy
here.