COSE Meeting Minutes -------------------- Date: Tuesday, November 3, 2015 Time: 15:20-16:50, Tuesday Afternoon session II Chairs: Kepeng Li, Justin Richer Note taker: Hannes Tschofenig - Agenda Justin explains what the COSE working group is planning to do. Issues are recorded via Github: https://github.com/cose-wg - COSE Tokens Justin explains what COSE tokens are. Currently documented in Appendix D of https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00 Poll: Lots of people suggested that it is a good idea. Nobody objected. Where is the best place to build this? OAuth, ACE, COSE? Will be discussed on the mailing list. 3 persons didn't care. 1 person does not have enough information. Goeran: Suggest to do this in ACE since the work on profiling is happening there anyway. - ACE Object Security https://datatracker.ietf.org/doc/draft-selander-ace-object-security/ Francesca presented the slides. Sandeep: Great work. It is important to have the short message size. Can we have the sequence number as a variable field? Francesca: My remark about the fixed sequence number field I meant only that it was fixed in the example I gave. Carsten: Which version of COSE was this? Francesca: This was version -05. Carsten: How will the numbers change with -06? Francesca: I don't know exactly but we are moving closer to the modified COSE version. Mike: I did a review of draft 6. I noticed that several fields were introduced as header parameters rather than as application layer payloads. Why aren't you putting a sequence number in the payload? Ludwig: We generate the IV from the sequence #. Mike: The data is protected regardless whether it is in the header or in the payload. Jim: There is no IV that is transmitted as part of the transmitted parameters. Half of the IV comes from the pre-established information and the other half comes from the sequence number. Hannes: Responding to the questions of the slides and said that he liked the idea to flatten the structure, to make the alg parameter optional, and to define the context parameter. - COSE Messages https://datatracker.ietf.org/doc/draft-ietf-cose-msg/ Jim goes through his presentation. Issues are maintained at: https://github.com/cose-wg/cose-issues/issues Poll: Do you want to have RSA v1.5 in the document? 'No' response was stronger than 'yes' but low participation in general. Carsten: Kathleen says for a very good reason for having RSA1.5 being included. It shouldn't be included in new protocol. Hannes mentioned that he had posted examples to the list already. Matt: It might be useful to provide examples as machine-readable format so that they can be generated. Jim: That already exists. I have stolen your code. Discussion about the CDDL topic. CDDL is informative to avoid dependency to work in progress CDDL spec. Poll: Move CDDL to the appendix or leave it inline in the body. Weak hum for CDDL in the body. Stronger hum for those who do not care. Mime Type Matt: Having lots of MIME types complicates my life. I prefer one. Carsten: The reason why one should have a MIME type (or media type) for each of the different types of things is because you want to put them into the accept parameter in CoAP. We could then say "I accept signed data". Carsten adds further clarifications on how things work in CoAP. Justin: I think we need to have more discussions on this topic. Sean: We need to keep this simpler her. Mandatory-to-Implement: Maybe better to offer an application guidance. Security creation time & Reply protection Hannes: Raised the need for timestamps, sequence numbers and nonces in the context of replay protection. Not clear whether this should go into COSE headers or into application layer payloads. Mike: We should put this into the application layer context. Algorithm Identifier: Optional or not? Now looking at the issues on the github https://github.com/cose-wg/cose-issues/issues Issue #8: Will be done Issue #10: Recipients field option Jim is asking for a use case. Hannes provides the use case based on existing deployment of JWT-OAuth deployments. Justin confirms this. Mike says that an example would be good. Issue #12: counter signature Issue #16: External AAD Needed for CoAP since we don't want to duplicate parts of the CoAP header in the payload. Issue #22: Compression Jim says that he is reluctant to add compression in the context of CRIME. Ludwig: We don't want to make compression MTI since it increases the code size. Issue#23: Is 'keyops' sufficient or should we add a 'use' field (which was added for the W3C).