Minutes interim-2021-cose-04: Wed 15:30
minutes-interim-2021-cose-04-202105121530-01
Meeting Minutes | CBOR Object Signing and Encryption (cose) WG
---|---
Date and time | 2021-05-12 15:30
Title | Minutes interim-2021-cose-04: Wed 15:30
State | Active
Last updated | 2021-05-25
COSE Virtual Interim
Connection details
- Date: May 12, 2021
- Time: 08:30-09:30 Pacific, 17:30 CEST: https://www.worldtimebuddy.com/?qm=1&lid=8,12,100&h=8&date=2021-04-14&sln=8.5-9.5&hf=0
- Meeting recording link: https://youtu.be/qDOGhcuJN-o?t=14
- Slides link: https://datatracker.ietf.org/meeting/interim-2021-cose-03/session/cose
Attendees
- Ivaylo Petrov, Google
- Mike Jones, Microsoft
- Peter Yee, AKAYLA
- Göran Selander, Ericsson
- John Preuß Mattsson, Ericsson
- Carsten Bormann, TZI
- Michael Richardson, Sandelman Software Works
- Rikard Höglund, RISE
- Uri Blumenthal
- Christian Amsüss
- Marco Tiloca, RISE
- Jonathan Hammell, Canadian Centre for Cyber Security
- Russ Housley, Vigil Security
Action Items
- [Ivaylo]: Check the discussion on what X.509 protects you from (contact MCR, Laurence or John if more details are needed).
- [John]: Look at RFC 8747.
- [John/Göran]: Provide use cases for transporting keys in COSE.
- [Ivaylo]: Start a discussion on the mailing list about transporting keys in COSE.
- [MCR]: Push people to send GitHub summaries every week.
Minutes
0. Administrivia (Chairs)
- NOTE WELL
- Bluesheets
- Jabber + Minutes
- Agenda Bartering
1. Document Status (Chairs)
In RFC Editor queue
In RFC Editor queue
In RFC Editor queue
2. Certificates CBOR encoding
MCR: "C509" seems okay.
Carsten: It might be useful while there are systems that read only one of the types of the certificate and other systems in the same communication that read only the other.
MCR: I understood this as being able to send post quantum algorithm (in LAMPS meeting).
John: Isn't this just a new algorithm and we can use it as such?
MCR: People want to be able to issue PQ algorithm, while there might be devices that are still not capable of reading those PQ signatures.
Christian:
Something broken on audio, but:
The use case I see is using EDHOC for unilaterally authenticated operations ("Get page from weather service and be sure it's from the weather service, which is open to everyone")
That's similar but not identical to the TOFU (trust on first use?) case of SSH-style deployments.
3. AOB
- COSE Java implementation
MCR: This should not be the responsibility of the WG, but we probably should mark the code in our repository as archived and provide a link to a fork; that should work well.
Mike: I agree, this is not a WG project, but it would make sense to send a note on the ML if you fork it and continue to develop it.
- COSE Examples
Jonathan: How are PRs accepted, who verifies them, etc.?
Carsten: This is probably slightly different from the Java implementation.
MCR: Probably the WG should
Mike: I agree that the WG should be responsible for that one.
MCR: Probably it would be useful to send a GitHub summary.