* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Cose Status Pages

CBOR Object Signing and Encryption (Concluded WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2015-Jun-03 — 2016-Nov-29 

2019-03-27 charter

CBOR Object Signing and Encryption (cose)


 Current Status: Active

     Ivaylo Petrov <ivaylo@ackl.io>
     Matthew A. Miller <linuxwolf+ietf@outer-planes.net>

 Security Area Directors:
     Roman Danyliw <rdd@cert.org>
     Benjamin Kaduk <kaduk@mit.edu>

 Security Area Advisor:
     Benjamin Kaduk <kaduk@mit.edu>

 Mailing Lists:
     General Discussion: cose@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/cose
     Archive:            https://mailarchive.ietf.org/arch/browse/cose/

Description of Working Group:

  CBOR Object Signing and Encryption (COSE, RFC 8152) describes how to
  create and process signatures, message authentication codes, and
  encryption using Concise Binary Object Representation (CBOR, RFC 7049)
  for serialization.  COSE additionally describes a representation for
  cryptographic keys.

  COSE has been picked up and is being used both by a number of groups
  within the IETF (i.e. ACE, CORE, ANIMA, 6TiSCH and SUIT) as well as
  outside of the IETF (i.e. W3C and FIDO).  There are a number of
  implementations, both open source and private, now in existence.  The
  specification is now sufficiently mature that it makes sense to try
  and advance it to STD status.

  The standards progression work will focus on:
  1. Should the document be split in two?  The first document would
     contain the definitions of the structures and rules for processing
     them.  The second document would contain the set of original
     algorithms that were defined.
  2. What areas in the document need clarification before the document
     can be progressed?
  3. What implementations exist and do they cover all of the major
     sections of the document?
  4. Resolution of any Errata or ambiguities in the document

  There are a small number of COSE related documents that will also be
  addressed by the working group dealing with additional attributes and
  algorithms that need to be reviewed and published.  The first set
  are listed below in the deliverables.  A re-charter will be required
  to expand this list.

  The SUIT working group has identified a need for the use of hash-based
  signatures in the form of Leighton-Micali Signatures (LMS)
  (draft-mcgrew-hash-sigs).  This signature form is resistant to quantum
  computer attacks and is low-cost for validation.  The SUIT working group
  additionally has identified a need for registering hash functions for
  indirect packaging.

  The W3C Web Authentication working group has identified a need for the
  ability to use algorithms which are currently part of TPMs which are
  widely deployed.

  At the time COSE was developed, there was a sense that X.509
  certificates were not a feature that needed to be transferred from the
  JOSE key document (RFC 7517).  Since that time a better sense of how
  X.509 certificates would be used both in the IoT sphere and with COSE
  outside of the IoT sphere has been developed.  The ability to identify
  or carry X.509 certificates now needs to be provided.  This will require
  the definition of a small number of hash functions for compact references
  to X.509 certificates.

  Key management and binding of keys to identities are out of scope for
  the working group.  The COSE WG will not innovate in terms of
  cryptography.  The specification of algorithms in COSE is limited to
  those in RFCs, active CFRG or IETF WG documents, or algorithms which
  have been positively reviewed by the CFRG.

  The working group will coordinate its progress with the ACE, SUIT and
  CORE working groups to ensure that we are fulfilling the needs of
  these constituencies to the extent relevant to their work.  Other
  groups may be added to this list as the set of use cases is expanded,
  in consultation with the responsible Area Director.

  The WG will have five deliverables:

  1. Republishing a version of RFC 8152 suitable for advancement to Internet
  2. Use of Hash-based Signature algorithms in COSE using
     draft-housley-suit-cose-hash-sig as a starting point (Informational).
  3. Placement of X.509 certificates in COSE messages and keys using
     draft-schaad-cose-x509 as a starting point (Informational).
  4. Define the algorithms needed for W3C Web Authentication for COSE using
     draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1
     as a starting point (Informational).
  5. Define a small number of hash functions for X.509 certificate thumbprints
     and for indirect signing (for SUIT) (Informational).

Goals and Milestones:

All charter page changes, including changes to draft-list, rfc-list and milestones:

Generated from PyHt script /wg/cose/charters.pyht Latest update: 24 Oct 2012 16:51 GMT -