
Comments (10)

jimsch avatar jimsch commented on September 3, 2024

I would not be using a kid in this case, I would be more likely to use a thumbprint for the identification purposes. Given that we have consistently said that the structure of kid is not known, making it known in this case seems to be a bad idea to me.

from x509.

laurencelundblade avatar laurencelundblade commented on September 3, 2024

Suppose I'm using COSE for code signing and a root has been embedded in the entity that will verify and run the signed code. The cert chain is a leaf, two intermediates and a root. The two intermediates and leaf are put in an x5bag. How does the verifier know which of the three in the x5bag is the leaf?

It seems that it should be Subject Key ID as that is best practice for this identification AFAIK. Thus, there should be some COSE header that contains the Subject Key ID. If that is not the kid, then another header should be formally defined. If it is a thumbprint then how the thumbprint works should be described.

Said another way, I think this draft should give enough info (along with 5280) to accomplish chain formation with an x5bag for the code signing example or other similar uses.


jimsch avatar jimsch commented on September 3, 2024

Starting at the top, this is a case where a chain makes more sense because it resolves that problem entirely. Using a bag only makes sense if you have certificates that are outside of the chain.

Second, as I said I would put in a bag and a thumbprint. The thumbprint would be used to identify the leaf certificate to use.


laurencelundblade avatar laurencelundblade commented on September 3, 2024

Understand that a thumbprint can work, but the word "thumbprint" only occurs in the document once in Table 2 which applies only to ECDH. Seems like there is some important text missing.

If x5t is the thumbprint, then it should say something like "x5t identifies the leaf cert in the chain, such as the one with the public key to verify the signature on a COSE_Sign1."

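The two ways of locating the end-entity certificate discussed in this thread, as an added example (this is not code from the draft or from the x509 repository): with x5chain the leaf is simply the first element, while with an unordered x5bag the verifier matches the x5t thumbprint (COSE_CertHash, `[hashAlg, hashValue]`, with -16 being the registered COSE identifier for SHA-256) against the hash of each certificate's DER bytes, then walks issuer-to-subject up to a root embedded in the verifier. The certificates here are constructed stand-ins (short byte strings in place of real DER) and the path building links on name equality only; a real verifier does the full RFC 5280 validation (signatures, validity, key usage, name constraints) on the path found this way.

```python
import hashlib
from dataclasses import dataclass

# COSE algorithm identifier for SHA-256 (RFC 9054); used as the hashAlg in x5t.
COSE_ALG_SHA256 = -16


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    der: bytes


def thumbprint(cert: Cert, alg: int = COSE_ALG_SHA256) -> bytes:
    """Hash of the certificate's DER encoding, as carried in an x5t header."""
    if alg != COSE_ALG_SHA256:
        raise ValueError(f"unsupported x5t hash algorithm {alg}")
    return hashlib.sha256(cert.der).digest()


def make_x5t(cert: Cert) -> list:
    """x5t header value: COSE_CertHash = [hashAlg, hashValue]."""
    return [COSE_ALG_SHA256, thumbprint(cert)]


def leaf_from_x5chain(x5chain: list) -> Cert:
    """x5chain is ordered: the end-entity certificate is the first element."""
    if not x5chain:
        raise ValueError("empty x5chain")
    return x5chain[0]


def leaf_from_x5bag(x5bag: list, x5t: list) -> Cert:
    """x5bag is unordered, so the x5t thumbprint selects the end-entity cert."""
    alg, digest = x5t
    matches = [c for c in x5bag if thumbprint(c, alg) == digest]
    if len(matches) != 1:
        raise ValueError(f"x5t matched {len(matches)} certificates, expected exactly 1")
    return matches[0]


def build_path(leaf: Cert, x5bag: list, trust_anchors: list) -> list:
    """Walk issuer -> subject from the leaf until an embedded trust anchor is reached.
    Simplified: links on name equality only; the returned path still needs full
    RFC 5280 validation (signature, validity, key usage, constraints) by the caller."""
    by_subject = {ta.subject: ta for ta in trust_anchors}
    path = [leaf]
    used = {leaf}
    current = leaf
    for _ in range(len(x5bag) + 1):  # each step consumes one bag cert, so this bounds the walk
        if current.issuer in by_subject:
            return path + [by_subject[current.issuer]]
        nxt = [c for c in x5bag if c.subject == current.issuer and c not in used]
        if not nxt:
            raise ValueError(f"no issuer for {current.subject} in bag or trust store")
        current = nxt[0]
        used.add(current)
        path.append(current)
    raise ValueError("path too long or cyclic")


# Constructed sample PKI: a root embedded in the verifier, two intermediates and a leaf.
ROOT = Cert("CN=Example Root", "CN=Example Root", b"der:root")
INTER1 = Cert("CN=Example CA 1", "CN=Example Root", b"der:ca1")
INTER2 = Cert("CN=Example CA 2", "CN=Example CA 1", b"der:ca2")
LEAF = Cert("CN=firmware-signer", "CN=Example CA 2", b"der:signer")
OTHER = Cert("CN=unrelated", "CN=Example Root", b"der:other")  # in the bag, not on the path

TRUST_ANCHORS = [ROOT]
X5BAG = [INTER2, OTHER, LEAF, INTER1]  # unordered, as a bag may be
X5T = make_x5t(LEAF)                   # protected-header value naming the leaf
X5CHAIN = [LEAF, INTER2, INTER1]       # ordered, leaf first


def verify_path_subjects(x5bag=X5BAG, x5t=X5T, anchors=TRUST_ANCHORS) -> list:
    """Subjects along the path from the x5t-selected leaf to the embedded root."""
    leaf = leaf_from_x5bag(x5bag, x5t)
    return [c.subject for c in build_path(leaf, x5bag, anchors)]


if __name__ == "__main__":
    print(verify_path_subjects())
```

The `OTHER` certificate is the case Jim describes: a bag makes sense when it carries certificates outside the chain, and the thumbprint is what keeps the verifier from mistaking one of them for the leaf.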

jimsch avatar jimsch commented on September 3, 2024

That is implied by the bullet items immediately prior to table 1.


ivajloip avatar ivajloip commented on September 3, 2024

Is that fixed now (with commit d6ba2d5)?


kaduk avatar kaduk commented on September 3, 2024

I think we can consider it addressed, yes. @laurencelundblade is encouraged to chime in as well, of course.


laurencelundblade avatar laurencelundblade commented on September 3, 2024

It still doesn't say "the x5t header indicates the end-entity certificate" in any explicit way that I can see. I searched the tip of the repo document for "end-entity" and "leaf" to check. JWS is more clear.

The solution to this one and #29 are probably the same, so maybe it's OK to close this one if #29 stays open.


laurencelundblade avatar laurencelundblade commented on September 3, 2024

I've made a PR to resolve this: #41


ivajloip avatar ivajloip commented on September 3, 2024

Thank you, Laurence!
