►
From YouTube: COSE WG Interim Meeting, 2021-05-12
Description
COSE WG Interim Meeting, 2021-05-12
A
And
we
should
be
recording
now
so
hello,
everyone,
my
name
is
fifa
lupetrov,
and
I
will
be
kick
off
this
cozy
internet
meeting.
This
is
an
official
itf
meeting
and
as
such,
the
note
will
applies.
A
A
Okay,
so
yes,
as
you
should
be
already
aware,
the
recharge
has
completed,
and
now
the
zipper
certificate
encoding
is
officially
part
of
our
charter.
As
I
was
working
on
some
additional
algorithms.
B
Well,
what
happened
is
pretty
interesting.
The
rfc
editor
has
a
number
of
states
in
which
documents
can
be
and
they
have
a
state
progression
mechanism,
and
in
this
case
they
managed
to
get
these
three
drafts
wedged
against
each
other
in
such
a
way
that
only
manually
pressing,
a
button
for
a
state
progression
could
unwedge
them.
B
So
sometimes
you
have
to
to
look
at
documents
that
are
in
the
rfc
editor
queue
and
see
whether
they
they
got
wedged
in
in
any
particular
way
and
and
alarm
the
rfc
editor,
and
they
are
getting
better
in
this,
but
some
of
the
process
steps
are
still
manual
and
they
can
really
get
stuck
indefinitely.
So
if
you
don't
pay
attention,
it
may
take
a
long
time
before
it
finally
advances
again,
but
we
are
beyond
that
now.
A
A
A
A
With
saying
that
this
had
some
additional
code
to
the
implementation,
so
there
was
the
question
whether
it
makes
sense
to
to
keep
this
this
option
ben
and
has
pointed
out
that
at
this
stage
it
might
be
a
little
bit
more
difficult
change
to
do
all
those
still,
of
course
possible.
A
C
Yeah,
yes,
I
covered
some
on
the
pr
35
today.
I
comment
on.
I
think,
ben's
comment
on
that
po
were
mostly
misunderstandings
from
ben's
sides.
I
don't
really
think
there's
any
need
for
changes,
then
there's
a
discussion
with
michael
richardson
and
lawrence
glenblade
regarding
must
or
should
then
what
what
kusi
should
protect.
You
from,
I
think,
that's
more
trickier
issue
to
to
resolve
with
more
opinions,
how
much
cost
you
should
protect
you
from
and
what
you
can
assume
from
the
ca
and
so
on.
A
A
Go
to
the
next
slide
is
so
well,
the
cause
is
simpler
and
encoded
certificates
is
now
uploaded.
A
A
C
C
Slide,
we
have
also
migrated
the
github
repository
to
the
cozy
working
group,
github
repository.
C
Then
there's
some
changes
and
I
think
that
one
change
that
we
made
was
the
realization
that
the
the
draft
did
not
refer
to
deterministic
seabor,
meaning
that
you
could
actually
encode
the
integers
in
a
lot
of
different
ways.
So
an
update
that
is
also
in
the
last
submitter
version
is
that
there
is
a
new
text
stating
that
whenever
zebra
is
used,
it's
always
deterministic
seabor,
referring
to
the
seaboard
or
the
the
relevant
section
of
the
seaboard
rfc.
C
C
C
B
Well,
the
the
obvious
use
case
is
that
you,
you
doing
some
process
with
both
non-constrained
and
constrained
environments
and
the
non-constrained
environment,
some
hsms
that
only
can
verify
x509
signatures
and
the
constrained
devices
actually
want
to
stay
on
the
silver
side
of
things.
So
having
both
signatures
in
there
may
be
a
good
way
to
to
cover
this
continuum,
and
I
would
prefer,
if
we
made
this
as
painless
as
possible,
to
do
so.
B
You
you
can
just
have
one
or
the
other
or
both
and
and
things
is
it's
easy
to
have
them,
because
in
the
end,
the
the
certificate
is
the
it's
the
content
plus
signatures
and
in
the
end
it
doesn't
really
matter
from
a
security
point
of
view
which
kind
of
signature
you
you
have.
B
E
Side
to
it,
which
I
understood
when
you
wrote
double
assigned
certificates,
which
was
not
at
all
what
carson
just
said,
and
that
is
that
in
lamps
there
is
some
process
about
to
start
with,
having
both
post
quantum
signatures
and
legacy
signatures,
and
some
of
the
pro
some
of
the
ways
that
this
is
proposed
to
do
essentially
look
like
auxiliary
data
in
a
the
legacy
certificate.
E
So
that's
what
I
thought
the
word
double
sign,
certificates
meant,
and
so
maybe
I've
just
suggested.
There's
tripoli
sign
certificates
now,
so
I
don't
know
how
that
fits
into
the
space
of
this,
but
I
don't
think
we
should
did
I
get
this
right.
This
is
essentially.
B
It's
the
signature
actually
means
something
different.
E
Well,
so
you're
gonna
have
to
spend
some
time
puzzling
through
the
documents,
as
I
am
but
effectively
there's
one
proposal
that
says
that
the
same
ca
will
sign
both
legacy
and
post
quantum
public
keys
with
both
and
we'll
sign
it
with
a
legacy
and
a
post
quantum
signature.
E
E
In
the
thing
process,
with
with
one
of
them
being
there's
completely
separate
certificates
for
the
two
things
and
the
other
one
is
that
the
the
data
is
mixed
together
using
various
kinds
of
extensions,
and
I
I
can't
say
to
you,
I
can't
say
which
one
is
the
dominant
choice
right
now,
because
I'm
not
sure
anyone
understands
that
and
there's
some
good
presentations
in
the
archives
from
the
last
in
the
previous
lamps
meeting,
and
if
it
makes
your
head
spin
mine
too,.
C
E
What's
the
problem
and
the
issue
is
that
it
turns
out
that
people
are
saying
yeah,
but
I
don't
know
how
to
process
the
new
certificates
yet
yet
I
want
to
issue
them,
so
you
want
to
have
both
signatures
in
each
certificate
specifically,
so
that
the
older
devices
can
continue
to
do
something
and
and
that
we
don't
know
at
what
point
some
long-lived
certificate
is
suddenly
going
to
become
forgiable
and
that
way,
so
so
that's
part
of
the
consideration
is
that
it's
not
just
an
algorithm
change
and
that's
why
I
suggest
you
watch
the
videos.
F
More
than
one
signature
on
a
certificate,
especially
if
you
consider
the
sizes
of
a
post-quantum
keys
and
signatures,
seems
pardon
my
strong
language
absurd,
not
all.
D
E
Are
not
all
of
the
post
quantum
or
the
quantum
safe
signature?
Algorithms
are
actually
bigger,
some
of
them
are
smaller,
but
some
of
them
may
be
right,
so
we
don't
know
yet.
I'm.
F
I'm
considering
those
that
are
in
nist
around
three
at
the
finalists.
C
F
So
the
argument
wait.
Wait.
Let
me
finish,
please
my
my
point
is
saying:
well,
we
want
to
produce
certificates
which
we
do
not
quite
know
how
to
process
yet
sounds
like
I
want
to.
F
I
do
not
know
how
to
fly
in
a
plane,
but
I
want
to
be
an
airline
pilot
now,
if,
if,
if
you
need
legacy
for
now
and
post
quantum
for
later,
do
that
because
the
likely
sizes,
especially
since
the
signature
usually
is
the
at
least
for
post
quantum,
it
would
dominate
the
size
of
the
third
for
classic.
F
Well
arguable.
Are
you
talking
rsa?
Are
you
talking
elliptic
curve?
Are
you
talking
elliptic
curve
over
p256
or
are
you
talking
errors,
say
1496
or
bigger
anyways
you,
you
need
certificates
for
different
processes,
get
two
certificates
and
this
would
alleviate
the
risk
that
on
a
double
signed
certificate,
for
example,
the
classic
part
is
forged,
and
now
you
have
a
cert
with
one
signature,
fine,
another
signature
not,
and
if
you
can
process
only
one
of
the
two,
how
are
you
going
to
tell
the
difference
be
between
fake
and
honest?
F
D
So
yeah
I
mean
the
chart,
I
think
the
charter
it
talks
about
exploring,
but
it's
also
clear
what
I
think,
what
what
what
is
going
to
be
what
should
be
explored.
If
anything
and
that's
that
you
have
this
sort
of
the
same
setup,
same
keys
same
same
parameters,
but
you
include
both
the
signature
over
the
c
board
and
the
signature
over
the
daring
coding
that
that
that's
what
the
charter
speaks
about,
and
I
think
there
are
many
interesting
exp
ways
to
expand
this.
D
F
And
the
main
reason
to
use
cyborg,
as
I
said
in
chat,
is
it's
smaller
size?
How
is
they're
going
to
arrive
at
the
recipient
you
sending
it
together
with
cbor?
Then
it
completely
doesn't
make
sense.
Do
you
expect
the
recipients
to
re-encode
the
cyborg
in
there
and
then
validate
the
signature.
D
Yes,
that's
exactly
how
it's
in
that's
type
type,
one
that's
sort
of
re-encoding
in
there
so
and
I
think
your
idea
would
having
an
an
option
to
strip
off
the
constraints
the
that
they're
encoding,
that
that
that
makes
sense.
I
think,
but
perhaps
we
should
wait
for
ben
to
see
more
more
in
detail
what
he
is.
C
Yeah
my
question
on
this
slide
was
my
understanding
is
that
it
would
be
a
seabor
certificate
with
seabor
encoding.
Only
and
what
would
be
added
is
the
original
signature,
so
it
will
be,
would
be
64,
bytes,
larger,
and
my
understanding
would
be
that
the
this
would
be
an
optional
expansion
of
the
current
draft,
so
nothing
that
you
do
on
by
default,
but
I'm
I'm
not
sure
it's
worth
doing
but
kirsten
seems
to
think
it
had
use
cases.
C
Maybe
we
should
agree
to,
I
think
the
next
part
of
the
discussion
should,
if
we
explore
this
further.
The
next
part
should
maybe
be
more
explicit
details
on
on
how
this
could
be
used,
but
also
use
case
discussions
why
it
should
be
used.
Then.
A
Yes,
so
maybe
we
can
try
to
have
this
discussion
also
on
the
mailing
list.
But
yes,
what
I
hear
is
that,
while
writing
this,
there
were
some
considerations
that
we
might
need
to
support,
at
least
that
first,
both
in
standing,
the
their
equivalent
of
the
civil
war,
encoded
certificate
or
the
civil
certificate
itself,
and
I
think
part
of
the
reason
was
also
to
have
simpler
parsing
on
the
device,
not
only
the
size
of
the
of
the
messages,
but
that
will
be
maybe
cleared
out
during
the
discussion.
C
A
Can
try
to
write
some
summary
of
the
discussion
here
and
we
can
try
to
see
what
would
be
the
best
way
to
go
forward
with
this,
whether
it's
it
makes
sense
to
support
it
only
in
some
cases,
what
would
be
the
cases
etc.
C
Let's
continue
now
when
the
document
is
adopted
and
the
document
is
currently
registering
a
new
tls
certificate
type,
so
I
have
requested
time
from
the
tls
tiers
at
it
f111
to
shortly
describe
this
to
the
for
the
tls
working
group.
Let's
see
if
we
get
that
acceptable,
I
think
it's
essential
to
collaborate
and
coordinate
with
the
tls
working
group
before
cosi
registers,
tls
parameters-
maybe
the
tls
working
group,
I've.
What
I
heard
from
tls
people
seems
that
they
seem
interested
in
this.
So
I
assume
that
will
be
the
case.
C
C
And
that
is
basically
the
current
updates.
Then
the
next
slides
are
about
sending
rpk
by
value.
This
was
brought
up
in
the
lake
working
group
like
working
group.
As
you
probably
know,
it's
designing.
The
ad
hoc
key
exchange
protocol
and
ad
hoc
is
very
heavily
relying
on
cosi,
for
basically
everything
both
crypto
and
to
identifying
certificates
and
so
on,
and
one
of
the
things
in
the
lake
requirement
document
is
to
include
them
that
the
initial
focus
should
be
on
rpk
by
value.
C
This
was
recently
brought
up
again
by
christian
amsas
on
in
the
lake
working
group
in
the
re-meeting.
That
needs
needs
to
be
done,
and
there
has
also
been
several
industrial
partners
that
we
know
of
that
thinks.
This
is
an
important
use
case,
so
educ
currently
relies
on
cosi
to
transport
and
identify
credentials,
use
all
the
cosy
header
parameters.
C
C
B
So,
can
I
quickly
ask
you
a
question
when
you
say
rpk,
do
you
mean
rfc
7250
or
do
you
mean
the
concept
of
a
raw
public
key.
D
But
carson
your
question
is,
is
well
well
put
and
timely,
because
one
of
the
solutions
is
that
we
do
like
in
rfc,
7250,
basically
strip
off
the
signature
of
of
certificate
structure.
C
B
C
B
So
in
in
the
cozy
world,
are
we
talking
about
proof
of
procession
keys,
or
I
mean
there
are
already
structures
for
that.
C
C
Let
me
continue
with
this
slide.
We
can
discuss
so
what
jiren
and
I
discussed
for
for
ad
hoc
was
so
far.
We
are
looked
at
cozy
key
or
stripped
down
c509.
That
could
be
differently
stripped
down
positive
things
with
koseki
is
that
it's
available
in
cosy
implementations?
If
you
have
cozy
you
have
that
it's
not
designed
for
transport
on
the
buyer,
but
it
could
of
course,
be
fixed.
C
There's
currently,
a
new
header
parameter
to
send
to
use
it
by
value.
You
can
refer
to
it
by
a
kid,
but
that
necessary.
Then
you
need
to
have
it
in
your
on
your
side
beforehand.
Kozuki
only
supports
a
limited
amount
of
key
ops.
There
have
been
it
does
not
support.
I
think
the
key
usage
for
the
hellmann
key
derivation
and
also
has
been
discussion
that
ad
hoc
would
maybe
need
some
dedicated
key
usages
or
key
ops.
C
Kozuki
does
not
include
additional
functionality
that
is
available
in
a
certificate
like
validity
and
subject
name.
It
can
just
be
discussed
whether
these
are
needed
or
not.
C
If
you
want
to
align
with
the
sigma
protocol
specification,
then
you
need
to
have
a
subject
name.
That's
my
understanding
is
that
that
stated,
as
a
must
in
like
that's
something
that
the
sigma
protocol
have.
So
if
you
start
to
remove
that,
then
you
can
be
questionable.
If
you
are
sigma
or
not,
and
then
validity
and
key
usage
seems
to
be,
could
be
useful,
also
for
a
raw
public
key
or
a
public
key.
C
C
C
And
here
is
an
example
of
how
slightly
slimmed
down
version
c509,
the
in
the
cdl
here
the
issuer
and
the
issuer,
signature
algorithm
and
the
issue
signature
is
removed
and
you
have
something
looking
like
on
the
right
here.
This
is
the
example
signature
examples
that
you
get
with
these
fields
removed.
C
C
C
D
Input
and
there's
also
some
needs
for
canonicalization.
I
suppose
in
this.
D
C
C
A
It
sounds
to
me
as
well
that
that
could
belong
to
the
cozy
working
group.
Of
course
we
need
to
discuss
that
also
with
ben,
and
I
don't
know
if
mike
has
any
other
opinion,
but
at
first
glance
that
that
sounds,
it
could
be
long
here.
The
other
point
is,
of
course,
having
the
consensus
that
this
is
something
we
want
to
be
working
on.
A
G
My
question
is:
are
there
real
use
cases
for
this?
If
so,
we
could
consider
it
I'd
like
to
see
like
a
paragraph
or
two
write
up
on
the
mailing
list,
saying
why
we
would
want
to
do
this
and
what
use
cases
would
be.
C
C
D
I
think
they're
basically
several
ways
of
doing
this,
but
I
mean
it's
probably
easy
to
argue
that
for
certain
use
cases
we
need
to
transport
the
raw
public
key
like
like
the
example
john
gave
here.
But
what
is
more
difficult
is
to
say
what
exactly
which
option
should
we
go
for
because
there
are
more
than
one
and
yeah,
and
then
there
is
this
slide
with
the
different
pros
and
cons
where
we
can
argue
add
arguments
to.
D
G
E
A
A
Okay,
are
there
some
other
comments
on
this,
or
maybe
we
can
be
discussing
the
future
of
the
java
implementation.
G
G
G
A
Okay,
so
are
there
any
opinions
about
the
future
of
the
causes
java
implementation?
H
H
And
the
problem
is,
I
would
say,
two
number
one
is:
is
there
anyone
that
can
kind
of
take
over
from
him
and
maintain
this
code
and
accept
incoming
pull
requests?
Now,
I
I
reached
out
to
ivaido
and
he
could
accept
one
pull
request.
I
created
there,
which
was
very
nice,
but
I
guess
there
is
a
need
for
a
more
long-term
solution,
so
the
code
maintenance
is
one
question.
H
The
second
question
is
that
this
course
yoga
library,
it's
also
released
on
maven
as
a
maven
project
and
that's
typically
how
we
use
it
as
a
third
party
library
through
maven.
So
there
is
also
a
need
for
someone
to
regularly
release
new
versions
of
the
cosio
library
onto
maven,
because
now,
even
though
I
managed
to
get
my
pull
request
accepted
to
the
to
the
java
code,
if
that's
not
released,
if
the
latest
version
is
not
released
as
a
maven
project,
we
can't
really
link
and
use
that
as
a
third-party
library
in
ace,
for
instance.
H
How
can
this
is
also,
I
see
like
we're
using
it
for
some
projects
and
all
if
I
look
at
maybe
there
are
other
projects
using
this
code,
so
it
would
be
a
shame
if
it
kind
of
went
away
or
if
no
one
took
it
upon
them
to
continue
developing
this
code,
since
it's
used
here
and
there.
So
that's
basically
the
question
like:
what's
the
plans
for
the
future
for
this
code,
that,
with
tim
sharp's
unfortunate
passing,
is
there
any
plans
on
how
this
can
be
continued
to
to
be
maintained?
E
Actually,
I
think
that
you
should
fork
it
on
github
to
a
repo
that
an
organization
you
control
and
I
actually
think
we
should
mark
that
code
as
archived
in
our
repo
and
point
it
someplace
that
elsewhere,
because
I
don't
think
that
as
a
working
group,
we
have
a
responsibility
or
authority
to
figure
that
out.
G
H
Okay,
okay,
so
the
recommendation
is
that
this
is
not
a
task
that
this
is
the
responsibility
of
the
working
loop,
like
you
said,
or
under
the
authority
of
the
working
group.
So
the
current
code
there
in
the
in
the
github
of
the
working
group,
can
be
marked
as
archived
and
then,
if
anyone
wants
to
continue
to
use
this,
it's
more
upon
them
themselves
to
to
fork
it
and
manage
that
on
their
own.
E
Unfortunately,
yeah
I
mean
that
doesn't
mean
that
I
think
that
postings
to
the
working
group
mainly
saying
that
you're
doing
this
and
other
people
are
unwelcome,
but
that's
really.
It.
G
H
Okay,
let
us
think
of
it
on
our
side
and
then,
if
we
decide
to
to
do
this
act
and
fork
it,
we
can
send
a
post
to
the
mailing
list
to
announce
this,
that
we
will
try
to,
let's
say,
take
over
this
code
in
a
sense.
I
Hey
I
I
have
one
similar
to
the
to
this
discussion
on
on
the
github
repo
there's
an
examples,
cozy
examples
project
and
I
was
just
wondering
how
that's
being
maintained.
B
Well,
the
working
group
doesn't
create
products
like
that,
but
I
think
it's
do
something
that
people
in
the
working
group
can
be
interested
in
maintaining.
So
I
think
this
is
the
case
where,
where
this
is
close
enough
to
what
we
are
doing
in
our
documents,
but
we
also
need
examples.
B
I
think
these
examples
actually
are
in
81
52
bits,
so
we
would
be
well
served
by
keeping
this
code
alive
in
case
we
ever
need
to
update
that.
So
I
think
it's
slightly
different
from
from
the
java
code
case.
E
So
I
actually,
for
instance,
I
actually
import
that
examples
into
my
code
as
a
sub
module
to
run
my
tests
against.
So
I
don't
know
what
your
pull
request
is,
but
I'll
certainly
look
at
it.
I
don't
know
how
we
can
achieve
authoritate
authority
on
this
well,
but
I
think
this
is
perhaps
within
the
working
group
to
decide.
G
It
kind
of
reminds
me
of
rfc
7520,
which
was
jose
examples
which
our
own
matt
miller
wrote
in
2015,
that
that
was
considered
important
enough
to
interoperable
adoption
that
it's
published
as
an
rfc.
In
our
case,
we've
published
examples
in
our
rfcs
and
given
that
this
is
an
input
to
our
rfcs,
I
think
it's
worth.
E
A
I
don't
think
this
is
configured
there
right
now,
but
yes,
we
can
do
it.
E
E
Yeah,
okay,
yeah
spencer,
did
it
for
the
working
group
that
he
and
I
are
co-chair,
and
I
am
blissfully
ignorant.
A
D
B
A
A
Okay,
so
again,
that's
all.
Thank
you,
everyone
for
the
participation.
Please
take
a
look
at
the
minutes
and
once
they
are
published
and
see
you
again
in
about
a
month.