COSE IETF 116
====================

# Connection details

*   Date: March 27, 2023
*   Meeting link: https://datatracker.ietf.org/meeting/116/session/cose
*   Meeting recording: https://www.youtube.com/watch?v=ypC7F4KG5nQ

# Action Items

*   draft-ietf-cose-cwt-claims-in-headers: Ivaylo Petrov to send WG LC soon.
*   draft-ietf-cose-cbor-encoded-cert - anyone - authors requested additional
    reviews
*   draft-ietf-cose-hpke: current version to be reviewed by Tim Hollebeek, L.
    Lundblade, AJITOMI Daisuke, Cartsen Bormann
*   draft-ajitomi-cose-cose-key-jwk-hpke-kem: chairs - call for adoption
*   draft-birkholz-cose-tsa-tst-header-parameter: chairs - call for adoption
*   draft-steele-cose-merkle-tree-proofs: current version to be reviewed by H.
    Tschofenig, C. Bormann, Roy Williams, also call for use cases

# Minutes

*   jabber scribe:
*   Minutes taken by: Russ Housley, and Carsten Bormann (a bit)

## Opening remarks - the chairs [13:00-13:05]

https://datatracker.ietf.org/doc/slides-116-cose-ietf-116-cose-chair-slides/
Mike Jones called to order. Full agenda. All presentations have been uploaded.
RATS group has requested +cwt media type discussion during AOB part of the
agenda. Request for show-of-hands for interest in aSCON for COSE. RFC 9338 and
9360 have been published since IETF 115. cose-aes-ctr-and-cbc has been submitted
for publication.

## Post-Quantum Signatures draft-ietf-cose-{dilithium,sphincs,falcon} - Michael Prorock [13:05-13:30]

https://datatracker.ietf.org/meeting/116/materials/slides-116-cose-cose-jose-post-quantum-signatures-crystals-dilithium-sphincs-falcon-00
Speaker re-introduced motivation to PQC, specifically digital signatures.
SPHINCS+, Dilithium, Falcom are focus for 3 drafts, one for each signature
algorithm. W3C Verifiable Credential and DIDS efforts have dependency on COSE
PQC extensions. PQC - larger keys and longer sigs. Large number of parameters in
some cases. Would like to reduce optionality in target algm.'s. Initial draft
was split into 3 signe IETF 115 (algm. based) All are -00 drafts. 'sphincs-plus'
is used instead of '+' due to compatibility with media types. Authors want
feedback on the 'kty' choices. Also need help with test vectors. Mike Ounsworth
mentioned that PQIP could provide feedback on parameterization. J. Mattson
mentioned that test vectors may not be useful prior to NIST finalization.
Carsten Bormann countered that the drafts have to be written without waiting on
NIST, including test vectors. Russ Housley mentioned that different WG's have
documents on the same PQC algorithms. Recommendation is that there should be a
common split between algorithm identifiers and parameters. We want the same
crypto library to support all of the formats. Speaker agreed and stated that the
editors are coordinating. kty + alg: suggestion by speaker to allow for kty
extensibility. Mike Jones mentioned that different kty's implied that the key
types are semantically different. Mike Dunsworth: asked if encodings are being
accounted for, to which the speaker answered in affirmative.

## draft-ietf-cose-bls-key-representations - Tobias Looker [13:30-13:40]

https://datatracker.ietf.org/meeting/116/materials/slides-116-cose-draft-ietf-cose-bls-key-representations-ietf-116-slides-00
Draft defines necessary parameters for key representation of BLS elliptic curve.
Examples cited that make use of BLS sigs. Updated draft includes HWK and
additional COSE_Key examples. There is only one compressed point encoding
method, so draft defines uncompressed key representation (both x- and
y-coordinate). Will need to define compressed encoding. Orie Steele asked about
whether COSE can lead the way in defining a compressed format. Speaker mentioned
that zCash compression is being used. J. Mattson asked about use of this algn.
in other groups and whether key representation can be commonalized. Mike Jones
gave an example of key representation being IPR encumbered. M. Prorock: kty's
shouldn't be defined alone. J. Mattson stated that key types should be a
bytestream and avoid parameterization.

## draft-ietf-cose-cwt-claims-in-headers - Tobias Looker [13:40-13:50]

https://datatracker.ietf.org/meeting/116/materials/slides-116-cose-draft-ietf-cose-cwt-claims-in-headers-ietf-116-slides-00
Mike Jones recused himself from charing during this presentation, as he is a
co-author. CWT claims carriage in COSE header was introduced. e.g. allows for
conveyance of claims when payload is not a CWT. Similar feature in JWT. Draft
-03 published with CDDL description of new header, and clarified that it can be
in protected or unprotected headers. M. Prorock mentioned all his concerns
addressed in -03.

## draft-ietf-cose-cbor-encoded-cert - Göran Selander [13:50-13:55]

OCSP may be specified or moved to a separate draft - planned for IETF 117.
Request for additional reviews. Editors expecting to progress draft during next
few months.

## draft-ietf-cose-hpke - Hannes Tschofenig [13:55-14:10]

2 new versions since IETF 115. encapsulated_key_array introduced. -04 was
foundation for IETF 116 hackathon. 2 layer COSE_Encrypt was verified. Use of
HPKE for COSE_MAC is being considered. Also considering emtpy string for info
field. O. Steele asked about the need to prioritize authenticated mode at this
stage of the draft. L. Lundblade mentioned that this could be useful, but should
not be a reason to hold up draft. O. Steele mentioned that ECDH-1PU (ECDH-ES
derivative) may provide a potential use case for HPKE auth mode. Mike Jones
mentioned that shepherd write-up would not be able to provide whether HPKE
reflects efforts of the group, or whether it reflects the efforts of a few
individuals within the group. He requested reviewers from the group. Tim
Hollebeek: I will review the discussion. L. Lundblade also volunteered to review
the draft. And so did AJITOMI Daisuke. And Cartsen Bormann.

## draft-ajitomi-cose-cose-key-jwk-hpke-kem - AJITOMI Daisuke [14:10-14:20]

https://datatracker.ietf.org/meeting/116/materials/slides-116-cose-draft-ajitomi-cose-cose-key-jwk-hpke-kem-ietf-116-slides-00
Proposal focuseds on key encapsulation for HPKE. Recommendation is to use
COSE_Key and JWK for representation. Recommendation to define a kty 'HPKE-KEM'
Speaker recommended not to accept existing key types for HPKE. O. Steele spoke
in support of adoption of the draft, and work on resolution of contentious
issues as outlined by speaker. L. Lundblade also spoke in support of adoption,
but recommended that it focus on COSE_Key. He pointed out that COSE_Key is a key
representation, not an algorithmic representation. He also stated that alg use
should be discussed in the draft. M. Prorock was supportive of adoption. 5
persons confirmed having read the draft. (O. Steele, M. Prorock, S. Das, L.
Lundblade, H. Tschofenig) Chairs will post a call-for-adoption on the list.

## draft-birkholz-cose-tsa-tst-header-parameter - Maik Riechert and Henk Birkholz [14:20-14:30]

https://datatracker.ietf.org/meeting/116/materials/slides-116-cose-cose-header-parameter-for-rfc-3161-time-stamp-tokens-00
RFC 3161 describes a protocol to communicate with a timestamp authority that can
provide a trusted timestamp (DER encoded). Request for a COSE header parameter
to carry timestamp token byte string. Carsten Bormann mentioned that CBOR was
designed to convey byte strings to allow for other formats. COSE similarly
included X.509. It is a logical extension. M. Prorock also spoke in support of
adoption, and volunteered to write sec cons section. 5 confirmed to have read
doc (S. Das, O. Stele, C. Bormann, M. Prorock, T. Fossati). Chair will send call
for adoption to mailing list.

## draft-steele-cose-merkle-tree-proofs - Orie Steele [14:30-14:40]

https://datatracker.ietf.org/meeting/116/materials/slides-116-cose-draft-steele-cose-merkle-tree-proofs-00
Draft introduces use of COSE_Sign1 for carriage of Merkle proof. Useful building
block for SCITT and other WG's that use COSE, and key/cert transparency. Initial
draft. 'tree agility' needs to be addressed, with a tree algm. registry to be
established. Therefore draft is not ready for WG call for adoption. C. Bormann
mentioned need for registries to capture variation in algorithms. Russ Housley
recommended need to associate service (e.g. in header) with algorithm. Speaker
agreed. Volunteers to review draft: H. Tschofenig, C. Bormann, Roy Williams
People aware of usecases, please provide those to Orie.

## draft-fossati-cose-profiles - Henk Birkholz and Thomas Fossati [14:40-14:50]

Introduces concept of profiling for COSE, to allow for interop. COSE message
typining primitives don't exist, outside of CBOR tagging. COSE-profile header
parameter is introduced, with different type choices. M. Jones mentioned that
ACE WG has defined a profile parameter. C. Bormann stated that ACE profiles are
RFC-level complexity, and what may be sought with the proposal is a feature set.
Recommended an acid test: if the profile is lost in transit, can the COSE still
be processed by the receiver? Henk responded that lost alg. field will result in
error. L. Lundblade asked about whether COSE profiles included ciphersuite
negotiation. Henk responded no, but it could be revisited. M. Prorock stated
that this is not a unique issue to COSE, but a profile identifier could be
useful. But it would need to be scoped properly. Henk responded that the draft
includes scoping ("the rules").

## AOB [14:50-15:00]

M. Richardson introduced the topic of cwt+ media types. RATS WG is currently
registering the applicatio/eat+cwt media type as a comparison. Question: why
should 'cbor+cose' or 'cose+cbor' be used. C. Bormann stated that the media
types allow for partial processing in case an endpoint cannot process both media
types. O. Steele stated that as of today '+cwt' is not recommended, as JWT best
practices recommend to use specialized media types when possible. T. Looker
mentioned tht +cwt implies that all processing rules for CWT must apply. Mike
Jones stated that a draft should register '+cwt'.