The document draft-ietf-rfc8152bis-struct is an update to CBOR Object Signing and Encryption (COSE) to addressing outstanding errata, make other clarifications and fixes, and move it to Internet Standard. This is part of a set — this for the structure and process, the other detailing the algorithms — that together obsolete RFC 8152.
This work is a product of the COSE Working Group. The document shepherd is Matthew Miller, and the responsible Area Director is Benjamin Kaduk.
# Review and Consensus
This document received wide review from various implementers, including those used in real-world deployments. There were a number of editorial comments and some substantive commentary, with consensus to publish.
After a flaw was found in countersignatures during the IETF last call in June, the working group consensus was to deprecate the coutersignature in 8152 and work on a replacement as a stand-alone document. Therefore, this document still contains an informational reference to the RFC 8152 to point to the countersignature algorithm, and otherwise removed the text from this document to be replaced with a description and rationale for the deprecation.
The working group consensus was to keep the context string "COSE_Countersign1" for abbreviated countersignatures (used as part of the input when generating the countersignature). Technically this structure should be "0" as all information about the input is implied (no signatory is explicitly declared), however this is a breaking change that the working group could not find consensus to risk in order to maintain full consistency.
Some concerns were raised about message recovery signature algorithms, but since none are yet defined, the section on signing was updated to discuss concerns a future message-recovery-capable algorithm needs to address.
Additional care during editing and review of this document and draft-ietf-cose-rfc8152bis-algs were taken to ensure as best as possible that various (internal) references made in the original RFC 8152 have proper (external) references. All errata from RFC 8152 that is relevant to the COSE structure has been addressed therein.
The CryptoForum Research Group (CFRG) published algorithm documents as Informational; the normative reference to 8032 (EdDSA) is expected and exists in the Downref Registry. The informative references to RFC 2633 (obsoleted by 3855) and RFC 5750 (obsoleted by 8551) are intentional as they illustrate some of the original design considerations for RFC 8152.
This document and draft-ietf-cose-rfc8152bis-algs are to be published in lockstep, and so references here to -algs (and references to this document in -algs) are expected to be updated as part of publication.
# Intellectual Property
The author, to the best of his knowledge, is unaware of any applicable IPR. There are no substantive changes compared to RFC 8152, which also has no IPR notices submitted.