
COSE Hash Envelope
draft-ietf-cose-hash-envelope-10

Yes

Paul Wouters

No Objection

Andy Newton
Erik Kline
Gorry Fairhurst
Gunter Van de Velde
Jim Guichard
Roman Danyliw

Note: This ballot was opened for revision 07 and is now closed.

Paul Wouters
Yes
Andy Newton
No Objection
Deb Cooley
No Objection
Comment (2025-10-20 for -08) Sent
Thanks to Yaron Sheffer for his secdir review. I think many of his comments should be incorporated; I can't see that it has happened yet.

Section 5.1: Currently you recommend that the strength of all the algorithm components is what I call 'matchy matchy', but that isn't always necessary. I would change this to something like: 'The hash/signature algorithm combination is RECOMMENDED to be equal or stronger than the payload hash algorithm.' For example, if the payload is hashed with SHA 512, but the hash/signature algorithm is P256 w/ SHA 256, then the strength of the whole thing is basically equivalent to P256 w/ SHA 256, not ideal.
Éric Vyncke
No Objection
Comment (2025-10-23 for -09) Sent
Thanks for the work done in this document. I have some comments about

### Section 5.1

`the algorithm SHOULD be registered in the IANA COSE Algorithms registry, and should be distinguishable from non-pre hash variants that may also be present.`

Is there any reason why the first SHOULD is marked as BCP14 and not the second one?

In which case can the first SHOULD be ignored?

Please provide a URI for the "IANA COSE Algorithms registry".
Erik Kline
No Objection
Gorry Fairhurst
No Objection
Gunter Van de Velde
No Objection
Jim Guichard
No Objection
Mike Bishop
No Objection
Comment (2025-10-21 for -08) Sent
The example at https://www.ietf.org/archive/id/draft-ietf-cose-hash-envelope-08.html#section-4.1 appears to repeat at least one element, about the generation of the hash as an adjacent file. Is this file at all relevant to the example, despite being mentioned twice? It seems as if the only relevant piece is that this *is* the hash of the source file.

NIT: Section 5.3, "Verifiers that not have" => "Verifiers that do not have"
Mohamed Boucadair
No Objection
Comment (2025-10-16 for -07) Sent
Hi Orie, Steve, and Henk,

Thank you for the effort put into this document. 

I have only very few nits that I submitted as a PR using the WG GitHub repo [1].

Cheers,
Med

[1] https://github.com/cose-wg/draft-ietf-cose-hash-envelope/pull/58/files
Roman Danyliw
No Objection