Last Call Review of draft-ietf-cose-hash-algs-06
review-ietf-cose-hash-algs-06-secdir-lc-weis-2020-07-06-00

This is a very tardy security considerations review; many apologies to the ADs
and the author. After reviewing draft-ietf-cose-hash-algs-06 I have only two
minor wording suggestions, which Jim can choose to implement or not.

(1) Referencing BCP 201 in the second paragraph of Section 2 was a good
addition to this sentence:
   Applications should also make sure that the ability to change
   hash functions is part of the base design, as cryptographic advances
   are sure to reduce the strength of a hash function [BCP201].

But reading the BCP does point out that perhaps the current wording is not
precise.  I have always considered “cryptographic advances” as the
strengthening of algorithms or development of new stronger algorithms rather
than increased success of attacks on algorithms. The BCP uses the wording
"advances in computing power or advances in cryptoanalytic techniques” to
describe this phenomenon. Maybe “cryptographic advances” could be replaced with
that phrase from the BCP, or at least change “cryptographic” to “cryptanalytic”.

(2) Security Considerations describes two properties of a hash function. By the
time the reader gets to this section they should well understand what is
collision resistance. But  then second pre-image resistance is mentioned
offhand without any explanation. Adding a parenthetical definition for second
pre-image resistance would be helpful to the reader. For example, by adding
“(i.e., where it is computationally infeasible to find any second input which
has the same output as that of a specified input)” to the end of the sentence.
(This text was lifted from the Wikipedia “Preimage attack” article.)