Skip to main content

Last Call Review of draft-ietf-cose-key-thumbprint-04

Request Review of draft-ietf-cose-key-thumbprint
Requested revision No specific revision (document currently at 04)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2024-04-02
Requested 2024-03-12
Authors Kohei Isobe , Hannes Tschofenig , Orie Steele
I-D last updated 2024-04-01
Completed reviews Genart Last Call review of -04 by Mallory Knodel
Secdir Last Call review of -04 by Derrell Piper
Artart Last Call review of -04 by Patrik Fältström
Opsdir Last Call review of -04 by Joel Jaeggli
Assignment Reviewer Mallory Knodel
State Completed
Request Last Call review on draft-ietf-cose-key-thumbprint by General Area Review Team (Gen-ART) Assigned
Posted at
Reviewed revision 04
Result Ready w/issues
Completed 2024-04-01
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at


Document: draft-ietf-cose-key-thumbprint-??
Reviewer: Mallory Knodel
Review Date: 2024-04-01
IETF LC End Date: 2024-04-02
IESG Telechat date: Not scheduled for a telechat


The assumption that fingerprints are being used as a naming scheme comes up in
the final sentence of the draft. Perhaps there are other uses but if this is
the main one imagined by this draft then perhaps this could be treated gently
in the introduction, along with some other usage ideas.

Also in the Introduction: The summary should be clear that the hash is a
fingerprint, at least such that the reader is clear that the terms are


3. #1 Should reference section 4.0

5.3 The only prerequisites are that the COSE Key representation
   of the key be defined —> should followed versus defined be used?

5.4 COSE Key Thumbprint values are computed on the COSE Key element
   required to represent a key, rather than all members of a COSE Key
   that the key is represented in. — should values versus members be used?

5.5 the section title is multiple methods but the section treats only one? Text
should clarify the use of “Approach” vs “case” for readability

5.5 cnf is not defined anywhere

5.6 I don’t know why we are not simply assuming interoperability and only
specifying this. “To promote interoperability among implementations, the
SHA-256 hash
   algorithm is mandatory to implement.”

Furthermore shouldn’t there be a MUST?

And lastly Section 7 repeats this phrase— should it be put elsewhere, perhaps
in a more prominent place?

7. While thumbprint values are valuable for identifying legitimate keys,
   comparing thumbprint values is not a reliable means of excluding the
   use of particular keys (or transformations thereof) —> useful instead of


Section 3. #1 “what, if necessary, what the unique encoding is” has one too
many whats.

General: expand acronyms on first use