Session Date/Time: 08 Nov 2022 15:00
cose
Summary
This meeting covered several important topics including non-authenticated encryption algorithms, updates to HPKE, CBOR-encoded X.509 certificates, BLS key representation, claims in COSE headers, post-quantum signatures, and transparency logs. The group discussed proposals, received updates, and sought direction on key decisions.
Key Discussion Points
- Non-Authenticated Encryption Algorithms: The group discussed whether to register code points for non-authenticated encryption algorithms (CTR and CBC). Options included adopting security considerations text, dropping CBC, or declining to register. Concerns about padding attacks with CBC and potential misuse were raised.
- HPKE Updates: Discussion focused on how to encode fields in HPKE and whether to diverge from the current working group document proposal. Concerns included the proliferation of HPKE algorithms and diverging from the structure used within COSE.
- CBOR-Encoded X.509 Certificates: The group discussed various issues, including minor optimizations, encoding of SHA-1 signatures, revocation lists, and certificate chain optimizations. Input was solicited on complex structure proposals.
- BLS Key Representation: An update was presented on the draft defining and registering parameters for BLS curves in COSE_Key and JWK. The working group was requested to help review the draft, especially examples being added.
- Claims in COSE Headers: Discussion covered a draft to represent claims in COSE headers. The chair decided that additional work needed to be done, including adding an example, addressing CDDL, and figuring out if fields also apply to unprotected headers.
- Post Quantum Signatures: The group discussed a draft covering three post-quantum signature algorithms (SPHINCS+, Falcon, Dilithium). A key decision point was whether to split the draft into three separate drafts. Concerns included a lag between the drafts and the standardization of each of the algorithms.
- Supply Chain Transparency Receipts: The SCITT working group is creating a 'receipt' construct around COSE and transparency logs. Discussion involved requesting feedback on overall architecture and registries that will require parameters around different ledger algorithms.
- Timestamp Token Embedded COSE Headers: Request to standardize a code point to embed timestamp tokens in unprotected headers. Timestamping is seen as a migration path to cooler timestamp techniques.
Decisions and Action Items
- Non-Authenticated Encryption Algorithms: Further discussion on the mailing list to decide between registering with security considerations, dropping CBC, or not registering.
- HPKE Updates: Continue discussion on the mailing list to find a solution on encoding the different fields.
- Claims in COSE Headers: Revise draft to add an example and consider whether header parameters should appear unprotected. The chair will revisit the issue to see if the draft can proceed to working group last call.
- Post Quantum Signatures: The group decided to split the existing document into three distinct drafts corresponding to each algorithm due to concerns with the lag in algorithm standardization.
Next Steps
- Continue discussions on mailing lists for non-authenticated encryption algorithms and HPKE.
- Update Claims in COSE Headers draft and revisit the working group last call decision.
- Split the Post Quantum Signatures draft into three separate drafts.
- SCITT to come up with a stable COSE Receipt proposal for adoption.