COSE Virtual Interim
====================

## Connection details

* Date: May 12, 2021
* Time: 08:30-09:30 Pacific, 17:30 CEST: https://www.worldtimebuddy.com/?qm=1&lid=8,12,100&h=8&date=2021-04-14&sln=8.5-9.5&hf=0
* Meeting recording link: https://youtu.be/qDOGhcuJN-o?t=14
* Slides link: https://datatracker.ietf.org/meeting/interim-2021-cose-03/session/cose

# Attendees

* Ivaylo Petrov, Google
* Mike Jones, Microsoft
* Peter Yee, AKAYLA
* Göran Selander, Ericsson
* John Preuß Mattsson, Ericsson
* Carsten Bormann, TZI
* Michael Richardson, Sandelman Software Works
* Rikard Höglund, RISE
* Uri Blumenthal
* Christian Amsüss
* Marco Tiloca, RISE
* Jonathan Hammell, Canadian Centre for Cyber Security
* Russ Housley, Vigil Security

# Action Items

* [Ivaylo]: Check the discussion of what x509 protects you from (contact MCR, Laurence or John if more details are needed).
* [John]: Look at RFC8747.
* [John/Goran]: Provide use cases for transporting keys in COSE.
* [Ivaylo]: Start a discussion on the ML for the transporting of keys in COSE.
* [MCR]: Push people to send GitHub summaries every week.

# Minutes

## 0. Administrivia (Chairs)

* NOTE WELL
* Bluesheets
* Jabber + Minutes
* Agenda Bartering

## 1. Document Status (Chairs)

* https://datatracker.ietf.org/doc/draft-ietf-cose-rfc8152bis-struct/ In RFC Editor queue
* https://datatracker.ietf.org/doc/draft-ietf-cose-rfc8152bis-algs/ In RFC Editor queue
* https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/ In RFC Editor queue
* https://datatracker.ietf.org/doc/draft-ietf-cose-countersign/
* https://datatracker.ietf.org/doc/draft-ietf-cose-x509/

## 2. Certificates CBOR encoding

MCR: "C509" seems okay.

Carsten: It might be useful while there are systems that read only one of the types of the certificate and other systems in the same communication that read only the other.

MCR: I understood this as being able to send a post-quantum algorithm (in the LAMPS meeting).

John: Isn't this just a new algorithm and we can use it as such?

MCR: People want to be able to issue PQ algorithms, while there might be devices that are still not capable of reading those PQ signatures.

Christian: Something broken on audio, but: The use case I see is using EDHOC for unilaterally authenticated operations ("Get page from weather service and be sure it's from the weather service, which is open to everyone"). That's similar but not identical to the TOFU (trust on first use?) case of SSH-style deployments.

## 3. AOB

- COSE Java implementation

MCR: This should not be the responsibility of the WG, but we probably should mark the code in our repository as archived, and providing a link to a fork should work well.

Mike: I agree, this is not a WG project, but it would make sense to send a note on the ML if you fork it and continue to develop it.

- COSE Examples

Jonathan: How are PRs accepted, who verifies them, etc.?

Carsten: This is probably slightly different than the Java implementation.

MCR: Probably the WG should

Mike: I agree that the WG should be responsible for that one.

MCR: Probably it would be useful to send github summary