CBOR Object Signing and Encryption (COSE): Countersignatures
draft-ietf-cose-countersign-10
Yes
Roman Danyliw
No Objection
Erik Kline
Warren Kumari
Zaheduzzaman Sarker
(Alvaro Retana)
(Andrew Alston)
(Martin Duke)
Note: This ballot was opened for revision 09 and is now closed.
Paul Wouters
(was Discuss)
Yes
Comment
(2022-09-20)
Sent
Thanks for addressing my DISCUSS. I updated my ballot to YES. Old DISCUSS: gem install cbor-diag I am concerned about adding install commands for "programs from the internet" within an RFC. If the rubygem for some reason becomes malicious, we cannot pull it from the RFC (even if we pull it from the datatracker link, it would still live on in copies of the RFC elsewhere and malicious people could point to copies of those original RFCs to point people to downlod the malicious rubygem. I would be okay with an iet.org download location of a ruby gem. NITS: CBOR grammar in this document is uses Remove "is" to deal with > as an entity This is a render error for '>' ? they apply these apply Languages: There are three different languages that are currently supported: Java and C#. That's two not three? Text below suggests there might be a 3rd one in C ?
Roman Danyliw
Yes
Erik Kline
No Objection
John Scudder
No Objection
Comment
(2022-09-07 for -09)
Sent
Thanks, Russ, for your work on getting this very readable document over the finish line. Below are a few nits I noted while reviewing it. - "migrate used of the previous" --> "migrate uses of the previous" - "CBOR grammar in this document is uses" --> "CBOR grammar in this document uses" - "More information on how countersignatures is used" --> "More information on how countersignatures are used" - "it's cryptographic functions" -> "its cryptographic functions" - "The deterministic encoding rules defined in Section 4.2 of [RFC8949]." -> "The deterministic encoding rules are defined in Section 4.2 of [RFC8949]."
Murray Kucherawy
No Objection
Comment
(2022-09-08 for -09)
Sent for earlier
I support Paul's DISCUSS. The shepherd writeup is over a year old. It says Ben Kaduk is the sponsoring AD. BCP 14 language is so sparsely used that you might consider not using it at all. We miss you, Jim.
Warren Kumari
No Objection
Zaheduzzaman Sarker
No Objection
Éric Vyncke
No Objection
Comment
(2022-09-05 for -09)
Sent
# Éric Vyncke, INT AD, comments for draft-ietf-cose-countersign-09 CC @evyncke Thank you, Russ, for finishing the work put into this document. Please find below some non-blocking COMMENT points , and some nits. Special thanks to Michael Richardson for the shepherd's detailed write-up including the WG consensus even if there is no justification of the intended status. I hope that this review helps to improve the document, Regards, -éric ## COMMENTS ### Abstract and/or introduction A concise definition of countersignature (e.g., from section 3) would make the document more readable. ### Section 1 ``` With the publication of this document, implementers are encouraged to migrate used of the previous countersignature algorithm to the one specified in this document. ``` Is it "used" or "uses" ? ### STD94 The reference in 4 should be to STD94 rather than RFC8949 (or change the anchor in the references). ### Section 3.2 `The attribute is defined below.` perhaps adding a reference (even if just to confirm that it is section 3.3) ? ### Section 3.3 `external_aad` adding an expansion for "aad" will probably help the reader. ### IANA considerations `The majority of the actions are to update the references to point to this document.`, suggest to add a sub-section for this part and be specific about the registry. ## NITS ### Section 1.2 ``` CBOR grammar in this document is uses the CBOR Data Definition Language (CDDL) [RFC8610]. ``` "is" should probably be removed ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments
Robert Wilton Former IESG member
Yes
Yes
(2022-09-05 for -09)
Sent
Russ, I would like to say thank you for shepherding this document through the IETF process on Jim's behalf. Minor level comments: (2) p 4, sec 2. Countersignature Header Parameters following structures: COSE_Sign1, COSE_Signature, COSE_Encrypt, COSE_recipient, COSE_Encrypt0, COSE_Mac, and COSE_Mac0. It wasn't intuitive to me where these structures are defined. I found them in RFC 8152, but perhaps it would be clearer if the document terminology explicitly referenced them? (3) p 5, sec 2. Countersignature Header Parameters every map; header parameters required in specific maps are discussed above. It's not clear to me what this sentence is referring to, i.e., where parameters are specified as actually being required. (4) p 9, sec 3.3. Signing and Verification Process 3. Call the signature verification algorithm passing in K (the key to verify with), alg (the algorithm used sign with), ToBeSigned (the value to sign), and sig (the signature to be verified). This may be a daft question, but is the signature to be verified the "COSE_Countersignature[0] structure, or the "signature" field contained within it? I presume the latter, will this be obvious to readers? Nit level comments: (5) p 7, sec 3.1. Full Countersignatures term archiving services. More information on how countersignatures is used can be found in the evidence record syntax described in s/is used/are used/ (6) p 7, sec 3.1. Full Countersignatures COSE_Countersignature_Tagged = #6.9999(COSE_Countersignature) COSE_Countersignature = COSE_Signature Am I right to presume that #6.9999 is a temporary value to replaced with CBOR TBD0, perhaps worth flagging this to the RFC editor so that it doesn't get missed during the editing process? (7) p 12, sec 7.1. Author's Versions * Languages: There are three different languages that are currently supported: Java and C#. Should that be two languages, or are you missing one? (8) p 12, sec 7.1. Author's Versions * Coverage: Both implementations can produce and consume both the old and new countersignatures. Both implies two, but the beginning of section 7.1. states 3 implementations.
Alvaro Retana Former IESG member
No Objection
No Objection
(for -09)
Not sent
Andrew Alston Former IESG member
No Objection
No Objection
(for -09)
Not sent
Lars Eggert Former IESG member
(was Discuss)
No Objection
No Objection
(2022-09-08 for -09)
Sent for earlier
# GEN AD review of draft-ietf-cose-countersign-09 CC @larseggert Thanks to Elwyn Davies for the General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/jrTPQpNSafEhkpyMYn3r250_ghM). ## Comments ### Missing references No reference entries found for: `[RFC8949]`. ### Inclusive language Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance: * Term `traditional`; alternatives might be `classic`, `classical`, `common`, `conventional`, `customary`, `fixed`, `habitual`, `historic`, `long-established`, `popular`, `prescribed`, `regular`, `rooted`, `time-honored`, `universal`, `widely used`, `widespread` ## Nits All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. ### Outdated references Reference `[RFC8152]` to `RFC8152`, which was obsoleted by `RFC9052` and `RFC9053` (this may be on purpose). ### Grammar/style #### Section 1, paragraph 3 ``` structure where there is no cryptographic computed value. The new algorithm d ^^^^^^^^^^^^^^^^^^^^^^ ``` Make sure that the adjective "cryptographic" is correct. Possibly, it should be an adverb (typically ~ly) that modifies "computed". Possibly, it should be the first word in a compound adjective (hyphenated adjective). Possibly, it is correct. #### Section 1, paragraph 5 ``` mar CBOR grammar in this document is uses the CBOR Data Definition Language ^^^^^^^ ``` The verb form seems incorrect. #### Section 1.2, paragraph 7 ``` of the context can come from several different sources including: protocol i ^^^^^^^^^^^^^^^^^ ``` Consider using "several". #### Section 3.2, paragraph 1 ``` untersignature needs to have all of it's cryptographic functions finalized b ^^^^ ``` Did you mean "its" (possessive pronoun) instead of "it's" (short for "it is")? #### Section 3.3, paragraph 22 ``` Value Registry column will be blank and the Reference column will be [[This ^^^^ ``` Use a comma before "and" if it connects two independent clauses (unless they are closely connected and short). #### Section 7, paragraph 4 ``` e and algorithm in the document. Currently examples dealing with countersign ^^^^^^^^^ ``` A comma may be missing after the conjunctive/linking adverb "Currently". ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT]. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments [IRT]: https://github.com/larseggert/ietf-reviewtool
Martin Duke Former IESG member
No Objection
No Objection
(for -09)
Not sent