►
From YouTube: COSE WG Interim Meeting, 2021-02-17
Description
COSE WG Interim Meeting, 2021-02-17
A
A
A
A
B
A
A
A
A
A
A
A
C
A
A
A
C
E
C
C
There
is
some
qualitative
difference
between
what's
going
on
in
terms
of
you
have
this
third
party,
and
I
mean
I
think
what
this
text
says,
that
the
person
generating
the
cozy
message
does
need
to
have
a
trust
relationship
with
the
party.
That's
hosting
the
referred
to
resource
in
terms
of
they
will
provide
the
correct
certificate
when
requested,
but
the
chain
of
reasoning
between
I
need
to
have
a
trust
relationship
with
this
other
party
to
why
that
specifically
needs
to
be
in
the
protected
header
bucket
protected,
attribute
bucket.
F
Ben
this
is
russ.
I
think
the
idea
is
there's
two
ways
that
you
could
get
back
a
certificate.
That
is
not
the
one
the
sender
intended
one
is
the
url
in
the
message
could
be
changed
by
putting
it
in
the
protected
bucket.
You
prevent
that,
and
the
second
is
whatever
server
you're
contacting
with
that.
C
G
I
think
that's
really
the
key
thing,
and
I
don't
understand
this,
this
connection.
This
is
michael.
I
don't
understand
this
statement
at
all.
I
think
that
it
is
equivalent
to
downloading
the
certificate,
putting
it
in
x5
bag
and
then
what
is
a
what
occurs
and
the
other
complexity
about
this
is
what
about
the
6125
stuff.
D
Value
yeah,
I
think
I
think
we
need
to
discuss
if
we
want
to
put
some
protect
something
and
then
what
there
is.
It
might
be
reason
to
protect
identities,
for
example,
but
then
it
would
be.
I
agree
with
russ
that
pushing
a
hash
in
the
protected
would
protect
would
provide
protection,
but
that
would
be
bad
for
the
use
cases
we
have
in
ad
hoc,
which
already
put
the
end
certificate
in
the
external
aad.
D
H
So
if
this
certificate
is
is
intended
to
be
validated
under
the
same
authorization
policies
as
the
other
ones,
I
I
don't
understand
what
the
special
relationship
is
here
and
the
other
question
I
have
is
what
exactly?
What
do
we
mean
by
protecting
it?
Are
we
talking
about
integrity
or
are
we
talking
about
for
confidentiality?
F
I
So
this
is
hank
on
my
ad
and
what
are
we
losing
when
it's
in
the
unprotected
header
and
therefore,
if
someone
strips
it
out,
do
we
lose
anything
here?
That's
intended
to
be
there
and
it's
reliably
there
so
that
sometimes
the
integrity
domain
of
the
signature
is
used
to
make
sure
that
some
stuff
reaches
the
intended
destination.
D
I
think
one
I
think
bill
drastic
larry
mentioned
that
you
need
protection,
I
don't
know
what
they
intended.
They
can,
but
one
reason
why
you
might
want
to
integrity,
protect
that
is,
for
example,
mentioning
the
sigma
protocol
is.
That
is
the
attack
where
somebody
borrows
your
public
key
and
register
it
with
a
different
identity.
I
A
D
I
I
can
try
to
provide
something
and
try
to.
I
guess
it
was.
Maybe
we
need
more
discussion
on
this
also
at
the
itf
meeting,
but
I
can
try
to
put
in
some
work
I'm
depending
on
these
drafts,
as
the
normative
reference
in
ad
hoc,
close
as
a
informal
reference
for
the
seaboard
certificate
work,
so
yeah,
okay,.
I
Yeah,
this
is
adding
to
that
yeah.
There
are
a
few.
I
think,
efforts
that
realize.
Oh,
this
is
really
useful
and
are
starting
to
include
in
in
their
own
ids,
but
I
don't
think
there
is
a
cluster
problem,
yet
I
don't
know
so.
But
yes,
I
think
I
would
support
the
notion
that
there
is
has
been
making
made
use
of
this
work
and
we
should
see
that
as
it's
progressing.
I
I'm
not
rushing,
not
pressuring,
but
we
should
not
end
on
the
other
side.
H
H
H
H
C
C
A
C
C
C
E
E
Hi
this
is
jonathan
hamill,
so
that
that's
a
good
point
in
that
that
could
trigger
like.
If,
if
the
sender
or,
if
the
receiver
of
the
message,
I
guess
is
expecting
some
sort
of
privacy
of
if
there's
additional
confidentiality
protections
that
that
that,
on
the
message
that
they
received,
that
this
outbound
connection
trigger
might
inform
someone
that
that
a
certain
recipient
has
received.
That.
E
D
D
C
A
D
H
Yet
so,
if,
if
I
give
an
oscar
implementation,
something
that
starts
with
the
corp
s
scroll
on
facebook.com,
it's
not
quite
clear
what
what
the
oscar
implementation
is
supposed
to
do
with
that.
So
I
don't
think
we
can
make
that
feature.
Extension
at
this
point
in
time.
We
might,
we
might
be
able
to
do
that
later.
A
A
A
A
D
A
D
D
And
first,
the
defining
a
structure
similar
to
x,
509
that
can
hold
one
or
more
certificates
and
then
that
same
structure
is
used
in
bag
in
chain
and
in
the
uri
option,
and
also
in
the
keyboard
tag
that
was
requested
at
the
last
interim
or
on
the
list.
I
don't
remember
yeah,
but
I
think
the
same
structure
could
be
used
in
all
these
four
places
and
also
it
seems
to
that.
D
D
D
E
This
is
jonathan
hamill.
I
have
a
comment,
so
you
said
the
formatting
is
similar
to
x5
bag
and
x5
chain,
but
in
the
for
those
components,
if
it's
a
single
certificate,
then
it's
encoded
as
as
a
beaster
where
it
and
then,
if
there's
multiple
components,
it's
it's
the
array,
whereas
I
think
you've
defined
it
differently.
There.
D
H
D
A
B
B
So
as
it's
defined
today,
the
algorithms
are
typically
not
bundled
with
a
curve.
So,
for
example,
signature
algorithm
is
bundled
with
with
a
hash
function,
but
not
with
elliptic
curve
and
the
rfc
8152,
and
also
the
this
document
specifies
how
to
handle
this
when
new
curves
are
are
considered
and
there's
been.
B
The
reason
why
we're
discussing
is
is
the
quest,
because
there
is
also
an
example
of
a
case
where
it's
actually
defined,
bundled
with
the
curve,
and
we
seem
to
agree
on
on
the
mailing
list
that
this
case
is
actually
an
exception,
which
was
used
to
restrict
the
use
of
core
c2
legacy
case
and
also
limit
some
security
issues.
Related
to
that.
B
B
B
D
B
That's
the
case:
how
to
handle
the
fact
of
the
case
when
we
have
easy
groups
with
cofactor
different
from
one
so
rfc
8152
is
is
not
looking
at
that
case
and
to
handle
that
case.
There
is
a
need
to
multiply
the
cofactor
in
the
helmet
calculations
or
the
shaft
secret
calculations
to
protect
certain
attacks,
and
the
question
is:
how
do
we
handle
do?
B
How
how
to
how
to
multiply
with
the
cofactor
that
can
be
defined
in
the
curve
specification,
so
those
are
two
candidate
solutions.
I've
heard
from
this
mainly
in
hillary's,
provided
input
here,
and
some
support
would
be
good
to
hear
if
there
are
other
other
solutions
and
if
there
is
any
preferred
solution-
and
there
was
a
voice
here
about
saying
that
solution
2
seems
more
robust,
because,
basically,
if
you
define
it
with
with
a
curve,
there
is
no
way
to
perform
the
wrong
ecbh
operation
or
share
secret
calculation.
D
B
C
So
this
is
not
a
terribly
substantive
comment,
but
it
seems
potentially
of
an
issue
where,
if
you
know
the
procedures
for
multiplying
by
the
cofactor
are
somehow
buried
in
a
obscure
corner
of
the
specification
for
using
that
curve,
I
don't
know
how
much
of
a
risk
there
is
that
somebody
would
overlook
that
just
assume.
They
know
how
to
do
ecdh
and
and
miss
that
part,
but
that's
a
pretty
speculative
risk
and
I
don't
have
any
concrete
thing.
I
can
point
to.
I
So
those
who
think
I
can
see
how
you
you're,
of
course,
struggling
with
the
pro
concierge
ben
in
general,
why
actually
yeah
specify
more,
but
but
again,
I
think
that
is
the
more
robust
solution,
too
has
a
ring
to
it,
and
I
would
agree
with
the
could
that
be
buried
so
far
away
that
people
not
very
familiar
familiar
with
this
with
this
context
might
miss
that
and
do
that
actually
wrong.
So
then
they
think
that's
a
valid
cause
because
everybody's
doing
it
some
point
and
and
everybody's
gonna
create
this.
I
And
it's
a
point
and
it's,
I
think
a
clear
statement
seems
very
naively
from
my
point
of
view
to
be
way
more
interesting
than
yeah.
Well,
you
know
it's
a
co-factor.
It's
it's
been
buried
somewhere,
so
I
guess
having
a
more
clear,
robust
option
too,
but
I'm
not
sure
where
the
specification
actually
would
happen.
I
B
Yes,
that's
that's
one
one
point
and
I
think
yeah.
I
think
that
you
could.
Still
I
mean
if
this
is
written
in
one
specification,
you
could
still
imagine
that
someone
who
hasn't
read
that
particular
text
might
make
the
wrong
choice
for
the
code
point
as
as
well
as
as
algorithm
here,
yeah,
not
saying
anything
new,
so
okay,
so
it
seems
that
you
have
a
slight
preference
for
for
solution.
Two.
B
B
B
B
Yes,
yes,
we
can
so
my
my
I
went
into
some
sleep
mode
here,
not
not
personally,
my
computer
went
in
some
sleep,
so
that's
why
I
asked
so.
This
is
about
a
comment
about
deterministic
signatures,
whether
that
has
a
any
impact
on
the
code
points
and
it's
we
agreed
in
the
group
that
that
is
only
recommendation,
so
that
should
not
be
any
reason
to
not
use
the
particular
code
point,
but
we
should
probably
just
change
this
recommendation,
or
that
was
a
discussion
point.
B
B
B
B
C
B
B
C
C
B
And
it's
the
last
slide,
so
there
was
also
request
to
specify
a
curve
with
multiple
key
types
for
both
ec2
and
kp.
Currently,
the
registration
has
only
one
key
type
per
curve,
and
this
is
so.
This
is
related
to
an
ecdsa
application.
So
it
actually
is
the
case
that
rfc
on
8152
only
define
ecdsa
in
terms
of
ec2,
at
least
to
me,
it's
unclear
if
we
can
deviate
from
that.
B
The
only
case
where
we
speak
about
deviation,
it's
basically
that
we
can
add
new
curves,
and
it's
not
really
clear
to
me
actually
why
okp
is
needed
with
cdsa,
so
yeah,
I'm
looking
for
input
here.
First
of
all,
whether
we
need
it
and
what
kind
of
specification
we
would
require,
and
then,
if
this
needs
to
be
one
or
multiple
code,
points.
B
C
H
C
H
The
issue
is
that
the
the
short
labels
are
standards
action
and
we
we
now
have
a
document
that
wants
to
register
a
short
label,
but
that's
informational,
and
I
think
we
we
just
miss
the
fact
that
that
security
area
documents
are
often
informational
when
when
they
are
kind
of
creating
standards,
so
we
have
a
gap
there.
So
we
would
have
to
make
this
document
standard
strict
for
only
the
reason
that
it
wants
to
have
a
short.