draft-ietf-dtn-bpsec-cose-03.txt   draft-ietf-dtn-bpsec-cose-04.txt 
Delay-Tolerant Networking B. Sipos Delay-Tolerant Networking B. Sipos
Internet-Draft JHU/APL Internet-Draft JHU/APL
Intended status: Standards Track 3 January 2024 Intended status: Standards Track 2 July 2024
Expires: 6 July 2024 Expires: 3 January 2025
DTN Bundle Protocol Security (BPSec) COSE Context DTN Bundle Protocol Security (BPSec) COSE Context
draft-ietf-dtn-bpsec-cose-03 draft-ietf-dtn-bpsec-cose-04
Abstract Abstract
This document defines a security context suitable for using CBOR This document defines a security context suitable for using CBOR
Object Signing and Encryption (COSE) algorithms within Bundle Object Signing and Encryption (COSE) algorithms within Bundle
Protocol Security (BPSec) integrity and confidentiality blocks. A Protocol Security (BPSec) integrity and confidentiality blocks. A
profile for COSE, focused on asymmetric-keyed algorithms, and for profile for COSE, focused on asymmetric-keyed algorithms, and for
PKIX certificates are also defined for BPSec interoperation. PKIX certificates are also defined for BPSec interoperation.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 6 July 2024. This Internet-Draft will expire on 3 January 2025.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1.3. Use of CDDL . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Use of CDDL . . . . . . . . . . . . . . . . . . . . . . . 4
1.4. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.4. Requirements Language . . . . . . . . . . . . . . . . . . 4
2. BPSec Security Context . . . . . . . . . . . . . . . . . . . 5 2. BPSec Security Context . . . . . . . . . . . . . . . . . . . 5
2.1. Security Scope . . . . . . . . . . . . . . . . . . . . . 5 2.1. Security Scope . . . . . . . . . . . . . . . . . . . . . 5
2.2. Parameters . . . . . . . . . . . . . . . . . . . . . . . 6 2.2. Parameters . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.1. Additional Header Maps . . . . . . . . . . . . . . . 7 2.2.1. Additional Header Maps . . . . . . . . . . . . . . . 7
2.2.2. AAD Scope . . . . . . . . . . . . . . . . . . . . . . 8 2.2.2. AAD Scope . . . . . . . . . . . . . . . . . . . . . . 8
2.3. Results . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3. Results . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1. Integrity Messages . . . . . . . . . . . . . . . . . 10 2.3.1. Integrity Messages . . . . . . . . . . . . . . . . . 10
2.3.2. Confidentiality Messages . . . . . . . . . . . . . . 11 2.3.2. Confidentiality Messages . . . . . . . . . . . . . . 11
2.4. Key Considerations . . . . . . . . . . . . . . . . . . . 11 2.4. Key Considerations . . . . . . . . . . . . . . . . . . . 12
2.5. Canonicalization Algorithms . . . . . . . . . . . . . . . 12 2.5. Canonicalization Algorithms . . . . . . . . . . . . . . . 12
2.5.1. Generating AAD . . . . . . . . . . . . . . . . . . . 12 2.5.1. Generating AAD . . . . . . . . . . . . . . . . . . . 12
2.5.2. Payload Data . . . . . . . . . . . . . . . . . . . . 13 2.5.2. Payload Data . . . . . . . . . . . . . . . . . . . . 13
2.6. Processing . . . . . . . . . . . . . . . . . . . . . . . 13 2.6. Processing . . . . . . . . . . . . . . . . . . . . . . . 13
2.6.1. Node Authentication . . . . . . . . . . . . . . . . . 14 2.6.1. Node Authentication . . . . . . . . . . . . . . . . . 14
2.6.2. Policy Recommendations . . . . . . . . . . . . . . . 15 2.6.2. Policy Recommendations . . . . . . . . . . . . . . . 15
3. COSE Profile . . . . . . . . . . . . . . . . . . . . . . . . 15 3. COSE Profile . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1. COSE Messages . . . . . . . . . . . . . . . . . . . . . . 16 3.1. COSE Messages . . . . . . . . . . . . . . . . . . . . . . 16
3.2. Interoperability Algorithms . . . . . . . . . . . . . . . 16 3.2. Interoperability Algorithms . . . . . . . . . . . . . . . 16
3.3. Asymmetric Key Types and Identifiers . . . . . . . . . . 18 3.3. Asymmetric Key Types and Identifiers . . . . . . . . . . 19
3.3.1. Policy Recommendations . . . . . . . . . . . . . . . 19 3.3.1. Policy Recommendations . . . . . . . . . . . . . . . 20
4. PKIX Certificate Profile . . . . . . . . . . . . . . . . . . 20 4. PKIX Certificate Profile . . . . . . . . . . . . . . . . . . 20
4.1. Multiple-Certificate Uses . . . . . . . . . . . . . . . . 21 4.1. Multiple-Certificate Uses . . . . . . . . . . . . . . . . 21
5. Implementation Status . . . . . . . . . . . . . . . . . . . . 21 5. Implementation Status . . . . . . . . . . . . . . . . . . . . 22
6. Security Considerations . . . . . . . . . . . . . . . . . . . 22 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22
6.1. Threat: BPSec Block Replay . . . . . . . . . . . . . . . 22 6.1. Threat: BPSec Block Replay . . . . . . . . . . . . . . . 23
6.2. Threat: Untrusted End-Entity Certificate . . . . . . . . 23 6.2. Threat: Untrusted End-Entity Certificate . . . . . . . . 23
6.3. Threat: Certificate Validation Vulnerabilities . . . . . 23 6.3. Threat: Certificate Validation Vulnerabilities . . . . . 23
6.4. Threat: BP Node Impersonation . . . . . . . . . . . . . . 23 6.4. Threat: BP Node Impersonation . . . . . . . . . . . . . . 24
6.5. Threat: Unidentifiable Key . . . . . . . . . . . . . . . 23 6.5. Threat: Unidentifiable Key . . . . . . . . . . . . . . . 24
6.6. Threat: Non-Trusted Public Key . . . . . . . . . . . . . 24 6.6. Threat: Non-Trusted Public Key . . . . . . . . . . . . . 24
6.7. Threat: Passive Leak of Key Material . . . . . . . . . . 24 6.7. Threat: Passive Leak of Key Material . . . . . . . . . . 25
6.8. Threat: Algorithm Vulnerabilities . . . . . . . . . . . . 24 6.8. Threat: Algorithm Vulnerabilities . . . . . . . . . . . . 25
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
7.1. BPSec Security Context Identifiers . . . . . . . . . . . 25 7.1. BPSec Security Context Identifiers . . . . . . . . . . . 25
7.2. BPSec COSE AAD Scope Flags . . . . . . . . . . . . . . . 25 7.2. BPSec COSE AAD Scope Flags . . . . . . . . . . . . . . . 25
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
8.1. Normative References . . . . . . . . . . . . . . . . . . 25 8.1. Normative References . . . . . . . . . . . . . . . . . . 26
8.2. Informative References . . . . . . . . . . . . . . . . . 27 8.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 28 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 29
A.1. Symmetric Key COSE_Mac0 . . . . . . . . . . . . . . . . . 30 A.1. Symmetric Key COSE_Mac0 . . . . . . . . . . . . . . . . . 31
A.2. EC Keypair COSE_Sign1 . . . . . . . . . . . . . . . . . . 32 A.2. EC Keypair COSE_Sign1 . . . . . . . . . . . . . . . . . . 32
A.3. RSA Keypair COSE_Sign1 . . . . . . . . . . . . . . . . . 34 A.3. RSA Keypair COSE_Sign1 . . . . . . . . . . . . . . . . . 34
A.4. Symmetric KEK COSE_Encrypt . . . . . . . . . . . . . . . 37 A.4. Symmetric KEK COSE_Encrypt . . . . . . . . . . . . . . . 37
A.5. EC Keypair COSE_Encrypt . . . . . . . . . . . . . . . . . 39 A.5. EC Keypair COSE_Encrypt . . . . . . . . . . . . . . . . . 39
A.6. RSA Keypair COSE_Encrypt . . . . . . . . . . . . . . . . 42 A.6. RSA Keypair COSE_Encrypt . . . . . . . . . . . . . . . . 42
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 46 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 46
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 46 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction 1. Introduction
skipping to change at page 4, line 15 skipping to change at page 4, line 15
1.2. PKIX Environments and CA Policy 1.2. PKIX Environments and CA Policy
This specification gives requirements about how to use PKIX This specification gives requirements about how to use PKIX
certificates issued by a Certificate Authority (CA), but does not certificates issued by a Certificate Authority (CA), but does not
define any mechanisms for how those certificates come to be. define any mechanisms for how those certificates come to be.
To support the PKIX uses defined in this document, the CA(s) issuing To support the PKIX uses defined in this document, the CA(s) issuing
certificates for BP nodes are aware of the end use of the certificates for BP nodes are aware of the end use of the
certificate, have a mechanism for verifying ownership of a Node ID, certificate, have a mechanism for verifying ownership of a Node ID,
and are issuing certificates directly for that Node ID. BPSec and are issuing certificates directly for that Node ID. BPSec
security acceptors authenticate the Node ID of security sources when security verifiers and acceptors authenticate the Node ID of security
verifying integrity (see Section 2.6.1) using a public key provided sources when verifying integrity (see Section 2.6.1) using a public
by a PKIX certificate (see Section 2.6.1) following the certificate key provided by a PKIX certificate (see Section 2.6.1) following the
profile of Section 4. certificate profile of Section 4.
1.3. Use of CDDL 1.3. Use of CDDL
This document defines CBOR structure using the Concise Data This document defines CBOR structure using the Concise Data
Definition Language (CDDL) of [RFC8610]. The entire CDDL structure Definition Language (CDDL) of [RFC8610]. The entire CDDL structure
can be extracted from the XML version of this document using the can be extracted from the XML version of this document using the
XPath expression: XPath expression:
'//sourcecode[@type="cddl"]' '//sourcecode[@type="cddl"]'
skipping to change at page 5, line 23 skipping to change at page 5, line 23
The COSE security context SHALL have the Security Context ID The COSE security context SHALL have the Security Context ID
specified in Section 7.1. specified in Section 7.1.
Both types of security block can use the same parameters, defined in Both types of security block can use the same parameters, defined in
Section 2.2, to carry public key-related information and each type of Section 2.2, to carry public key-related information and each type of
security block allows specific COSE message results, defined in security block allows specific COSE message results, defined in
Section 2.3. Section 2.3.
; Specialize the ASB for this context ; Specialize the ASB for this context
bpsec-cose-asb = bpsec-context-use< bpsec-cose-asb = bpsec-context-use<
-1, ; Context ID TBD-COSE -1, ; Context ID TBA-COSE
$bpsec-cose-param, $bpsec-cose-param,
$bpsec-cose-result $bpsec-cose-result
> >
$ext-data-asb /= bpsec-cose-asb $ext-data-asb /= bpsec-cose-asb
Figure 1: COSE context declaration CDDL Figure 1: COSE context declaration CDDL
2.1. Security Scope 2.1. Security Scope
The scope here refers to the set of information used by the security The scope here refers to the set of information used by the security
skipping to change at page 6, line 48 skipping to change at page 6, line 48
+--------------+------------------------+------------------+ +--------------+------------------------+------------------+
Table 1: COSE Context Parameters Table 1: COSE Context Parameters
When a parameter is not present and a default value is defined below, When a parameter is not present and a default value is defined below,
the security acceptor SHALL use that default value to process the the security acceptor SHALL use that default value to process the
target: target:
* The default additional-protected is '' (an empty byte string). * The default additional-protected is '' (an empty byte string).
* The default additional-unprotected is {} (an empty map). * The default additional-unprotected is '' (an empty byte string).
* The default AAD-scope is {0:0b1,-1:0b1,-2:0b1} (a map which * The default AAD-scope is {0:0b1,-1:0b1,-2:0b1} (a map which
indicates the AAD contains the metadata of the primary, security, indicates the AAD contains the metadata of the primary, security,
and target blocks). and target blocks).
2.2.1. Additional Header Maps 2.2.1. Additional Header Maps
The two parameters Additional Protected and Additional Unprotected The two parameters Additional Protected and Additional Unprotected
allow de-duplicating header items which are common to all COSE allow de-duplicating header items which are common to all COSE
results. Both additional header values contain a CBOR map which is results. Both additional header values contain a CBOR map which is
to be merged with each of the result's unprotected headers. Although to be merged with each of the result's unprotected headers. Although
the additional header items are all treated as unprotected from the the additional header items are all treated as unprotected from the
perspective of the COSE message, the additional protected map is perspective of the COSE message, the additional protected map is
included within the external_aad (see Section 2.5.1). The expected included within the external_aad (see Section 2.5.1). The expected
use of additional header map is to contain a certificate (chain) or use of additional header map is to contain a certificate (chain) or
identifier (see Section 3.3) which applies to all results in the same identifier (see Section 3.3) which applies to all results in the same
security block. security block.
Following the same pattern as COSE, when both additional header maps Following the same pattern as COSE, when both additional header maps
are present in a single security block they SHALL not contain any are present in a single security block they SHALL not contain any
duplicated labels. Security acceptors SHALL treat a pair of duplicated labels. Security verifiers and acceptors SHALL treat a
additional header maps containing duplicated labels as invalid. pair of additional header maps containing duplicated labels as
invalid.
No more than one of each Additional Protected and Additional No more than one of each Additional Protected and Additional
Unprotected parameter SHALL be present in a single security block. Unprotected parameter SHALL be present in a single security block.
Security acceptors SHALL treat a security block with multiple Security verifiers and acceptors SHALL treat a security block with
instances of either additional header type as invalid. There is no multiple instances of either additional header type as invalid.
well-defined behavior for a security acceptor to handle multiple There is no well-defined behavior for a security acceptor to handle
Additional Protected parameters. multiple Additional Protected parameters.
Security sources SHOULD NOT include an additional header parameter Security sources SHOULD NOT include an additional header parameter
which represents an empty map. Security acceptors SHALL handle empty which represents an empty map. Security verifiers and acceptors
header map parameters, specifically the Additional Protected SHALL handle empty header map parameters, specifically the Additional
parameter because it is part of the external_aad. Protected parameter because it is part of the external_aad.
Security acceptors SHALL treat the aggregate of both additional Security verifiers and acceptors SHALL treat the aggregate of both
header maps as being present in the unprotected header map of the additional header maps as being present in the unprotected header map
highest-layers of the COSE message of each result. For single-layer of the highest-layers of the COSE message of each result. For
messages (i.e., COSE_Encrypt0, COSE_MAC0, and COSE_Sign1) the single-layer messages (i.e., COSE_Encrypt0, COSE_MAC0, and
additional headers apply to the message itself (layer 0) and for COSE_Sign1) the additional headers apply to the message itself (layer
other messages the additional headers apply to the final recipients. 0) and for other messages the additional headers apply to the final
If the same header label is present in a additional header map and a recipients. If the same header label is present in a additional
COSE layer's headers the item in the result header SHALL take header map and a COSE layer's headers the item in the result header
precedence (i.e., the additional header items are added only if they SHALL take precedence (i.e., the additional header items are added
are not already present in a layer's header). only if they are not already present in a layer's header).
Additional header maps SHALL NOT contain any private key material. Additional header maps SHALL NOT contain any private key material.
The security parameters are all stored in the bundle as plaintext and The security parameters are all stored in the bundle as plaintext and
are visible to any bundle handlers. are visible to any bundle handlers.
$bpsec-cose-param /= [3, additional-protected] $bpsec-cose-param /= [3, additional-protected]
additional-protected = empty_or_serialized_map additional-protected = empty_or_serialized_map
$bpsec-cose-param /= [4, additional-unprotected] $bpsec-cose-param /= [4, additional-unprotected]
additional-unprotected = header_map additional-unprotected = empty_or_serialized_map
Figure 2: Additional Headers CDDL Figure 2: Additional Headers CDDL
2.2.2. AAD Scope 2.2.2. AAD Scope
The AAD Scope parameter controls what data is included in the AAD for The AAD Scope parameter controls what data is included in the AAD for
both integrity and confidentiality operations. The AAD Scope both integrity and confidentiality operations. The AAD Scope
parameter SHALL be encoded as a CBOR map containing keys referencing parameter SHALL be encoded as a CBOR map containing keys referencing
bundle blocks (as int items) and values representing a collection of bundle blocks (as int items) and values representing a collection of
bit flags (as uint items) defined in Table 2. bit flags (as uint items) defined in Table 2.
All non-negative AAD Scope keys SHALL correspond with block numbers All non-negative AAD Scope keys SHALL correspond with block numbers
in the bundle containing the AAD Scope parameter. Security acceptors in the bundle containing the AAD Scope parameter. Security verifiers
SHALL treat any AAD Scope with block numbers not actually present in and acceptors SHALL treat any AAD Scope with block numbers not
the containing bundle as invalid. The AAD Scope key -1 SHALL be actually present in the containing bundle as invalid. The AAD Scope
interpreted as corresponding to the target block of the security key -1 SHALL be interpreted as corresponding to the target block of
operation when the AAD is generated from the AAD Scope parameter. the security operation when the AAD is generated from the AAD Scope
The AAD Scope key -2 SHALL be interpreted as corresponding to the parameter. The AAD Scope key -2 SHALL be interpreted as
security block which contains the AAD Scope parameter. corresponding to the security block which contains the AAD Scope
parameter.
+==============+==============+==========================+ +==============+==============+==========================+
| Bit Position | Name | Description | | Bit Position | Name | Description |
| | | |
| (from LSbit) | | | | (from LSbit) | | |
+==============+==============+==========================+ +==============+==============+==========================+
| 0 | AAD-metadata | If bit is set, indicates | | 0 | AAD-metadata | If bit is set, indicates |
| | | that the block metadata | | | | that the block metadata |
| | | is included in the AAD. | | | | is included in the AAD. |
+--------------+--------------+--------------------------+ +--------------+--------------+--------------------------+
| 1 | AAD-btsd | If bit is set, indicates | | 1 | AAD-btsd | If bit is set, indicates |
| | | that the BTSD is | | | | that the BTSD is |
| | | included in the AAD. | | | | included in the AAD. |
+--------------+--------------+--------------------------+ +--------------+--------------+--------------------------+
skipping to change at page 9, line 7 skipping to change at page 9, line 9
represent the lack of presence in the AAD and serves no purpose. represent the lack of presence in the AAD and serves no purpose.
When the map key identifies the primary block (block number zero) the When the map key identifies the primary block (block number zero) the
bits SHALL only have AAD-metadata set, as the primary block has no bits SHALL only have AAD-metadata set, as the primary block has no
BTSD. When the map key identifies the containing security block the BTSD. When the map key identifies the containing security block the
bits SHALL only have AAD-metadata set, as the security block BTSD bits SHALL only have AAD-metadata set, as the security block BTSD
does not yet exist. When the map key identifies the target block the does not yet exist. When the map key identifies the target block the
bits SHALL only have AAD-metadata set, as the target block BTSD is bits SHALL only have AAD-metadata set, as the target block BTSD is
already part of the security operation (integrity or already part of the security operation (integrity or
confidentiality). All reserved bits SHALL be set to zero (which will confidentiality). All reserved bits SHALL be set to zero (which will
be elided by CBOR encoding) by security sources. All reserved bits be elided by CBOR encoding) by security sources. All reserved bits
SHALL be ignored by security acceptors. SHALL be ignored by security verifiers and acceptors.
A CDDL representation of this definition is included in Figure 3 for A CDDL representation of this definition is included in Figure 3 for
reference. reference.
$bpsec-cose-param /= [5, AAD-scope] $bpsec-cose-param /= [5, AAD-scope]
AAD-scope = { AAD-scope = {
*blk-id => (uint .bits AAD-scope-flags) *blk-id => (uint .bits AAD-scope-flags)
} }
blk-id = uint / blk-target / blk-sec blk-id = uint / blk-target / blk-sec
blk-target = -1 blk-target = -1
skipping to change at page 11, line 26 skipping to change at page 11, line 33
+-----------+-----------------------+-----------+ +-----------+-----------------------+-----------+
| 16 | encoded COSE_Encrypt0 | [RFC9052] | | 16 | encoded COSE_Encrypt0 | [RFC9052] |
+-----------+-----------------------+-----------+ +-----------+-----------------------+-----------+
Table 4: COSE Confidentiality Results Table 4: COSE Confidentiality Results
Only algorithms which support Authenticated Encryption with Only algorithms which support Authenticated Encryption with
Authenticated Data (AEAD) SHALL be usable in the first (content) Authenticated Data (AEAD) SHALL be usable in the first (content)
layer of a confidentiality result. Because COSE encryption with AEAD layer of a confidentiality result. Because COSE encryption with AEAD
appends the authentication tag with the ciphertext, the size of the appends the authentication tag with the ciphertext, the size of the
BTSD will grow after an encryption operation. Security acceptors BTSD will grow after an encryption operation. Security verifiers and
MUST NOT assume that the size of the plaintext is the same as the acceptors MUST NOT assume that the size of the plaintext is the same
size of the ciphertext. as the size of the ciphertext.
Each confidentiality result SHALL use the "detached" payload form Each confidentiality result SHALL use the "detached" payload form
with null payload value. The confidentiality result for COSE_Encrypt with null payload value. The confidentiality result for COSE_Encrypt
and COSE_Encrypt0 messages are computed by the procedure in and COSE_Encrypt0 messages are computed by the procedure in
Section 5.3 of [RFC9052]. Section 5.3 of [RFC9052].
The COSE "protected attributes from the application" used for an The COSE "protected attributes from the application" used for an
encryption result SHALL be the encoded data defined in Section 2.5.1. encryption result SHALL be the encoded data defined in Section 2.5.1.
The COSE payload used for an encryption result SHALL be the BTSD of The COSE payload used for an encryption result SHALL be the BTSD of
the target. Because confidentiality of the primary block is the target. Because confidentiality of the primary block is
skipping to change at page 14, line 30 skipping to change at page 14, line 34
which is likely to be discarded is wasteful of bundle size and which is likely to be discarded is wasteful of bundle size and
transport resources. transport resources.
2.6.1.1. Certificate Identification 2.6.1.1. Certificate Identification
Because of the standard policy of using separate certificates for Because of the standard policy of using separate certificates for
transport, signing, and encryption (see Section 4.1) a single Node ID transport, signing, and encryption (see Section 4.1) a single Node ID
is likely to be associated with multiple certificates, and any or all is likely to be associated with multiple certificates, and any or all
of those certificates MAY be present within an "x5bag" in an of those certificates MAY be present within an "x5bag" in an
Additional Protected parameter (see Section 2.2.1). When present, a Additional Protected parameter (see Section 2.2.1). When present, a
security acceptor SHALL use an "x5chain" or "x5t" to identify an end- security verifier or acceptor SHALL use an "x5chain" or "x5t" to
entity certificate to use for result processing. Security acceptors identify an end-entity certificate to use for result processing.
SHALL NOT assume that a validated certificate containing a NODE-ID Security verifiers and acceptors SHALL NOT assume that a validated
matching a security source is enough to associate a certificate with certificate containing a NODE-ID matching a security source is enough
a COSE message or recipient (see Section 3.3). to associate a certificate with a COSE message or recipient (see
Section 3.3).
2.6.1.2. Certificate Validation 2.6.1.2. Certificate Validation
For each end-entity certificate contained in or identified by by a For each end-entity certificate contained in or identified by by a
COSE result, the security acceptor SHALL perform the certification COSE result, the security acceptor SHALL perform the certification
path validation of Section 6 of [RFC5280] up to one of the acceptor's path validation of Section 6 of [RFC5280] up to one of the acceptor's
trusted CA certificates. When evaluating a certificate Validity trusted CA certificates. When evaluating a certificate Validity
period, the security acceptor SHALL use the bundle Creation Timestamp period, the security acceptor SHALL use the bundle Creation Timestamp
time (if not unknown) as the reference instead of the current time. time (if not unknown) as the reference instead of the current time.
If enabled by local policy, the entity SHALL perform an OCSP check of If enabled by local policy, the entity SHALL perform an OCSP check of
skipping to change at page 15, line 47 skipping to change at page 15, line 51
This policy requires that a certificate contain a NODE-ID and allows This policy requires that a certificate contain a NODE-ID and allows
the certificate to also contain network-level identifiers. A the certificate to also contain network-level identifiers. A
tailored policy on a more controlled network could relax the tailored policy on a more controlled network could relax the
requirement on Node ID validation and/or Extended Key Usage presence. requirement on Node ID validation and/or Extended Key Usage presence.
3. COSE Profile 3. COSE Profile
This section contains requirements which apply to the use of COSE This section contains requirements which apply to the use of COSE
within the BPSec security context defined in this document. Other within the BPSec security context defined in this document. Other
variations of COSE within BPSec can be used but are not expected to variations of COSE within BPSec can be used but are not expected to
be interoperable or usable by all security acceptors. be interoperable or usable by all security verifiers and acceptors.
3.1. COSE Messages 3.1. COSE Messages
When generating a BPSec result, security sources SHALL use only COSE When generating a BPSec result, security sources SHALL use only COSE
labels with a uint value. When processing a BPSec result, security labels with a uint value. When processing a BPSec result, security
acceptors MAY handle COSE labels with with a tstr value. verifiers and acceptors MAY handle COSE labels with with a tstr
value.
When used in a BPSec result, each COSE message SHALL contain an When used in a BPSec result, each COSE message SHALL contain an
explicit algorithm identifier in the first (content) layers. When explicit algorithm identifier in the first (content) layers. When
available and not implied by the bundle source, a COSE message SHALL available and not implied by the bundle source, a COSE message SHALL
contain a key identifier in the last (recipient) layer. See contain a key identifier in the last (recipient) layer. See
Section 3.3 for specifics about asymmetric key identifiers. When a Section 3.3 for specifics about asymmetric key identifiers. When a
key identifier is not available, BPSec acceptors SHALL use the key identifier is not available, BPSec acceptors SHALL use the
Security Source (if available) and the Bundle Source to imply which Security Source (if available) and the Bundle Source to imply which
keys can be used for security operations. Using implied keys has an keys can be used for security operations. Using implied keys has an
interoperability risk, see Section 6.5 for details. A BPSec security interoperability risk, see Section 6.5 for details. A BPSec security
skipping to change at page 17, line 22 skipping to change at page 17, line 22
| Integrity | 0 | ES256 | -7 | Recommended | | Integrity | 0 | ES256 | -7 | Recommended |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Integrity | 0 | EdDSA | -8 | Recommended | | Integrity | 0 | EdDSA | -8 | Recommended |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Integrity | 0 | PS256 | -37 | Recommended | | Integrity | 0 | PS256 | -37 | Recommended |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Confidentiality | 0 | A256GCM | 3 | Required | | Confidentiality | 0 | A256GCM | 3 | Required |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | A256KW | -5 | Required | | Confidentiality | 1 | A256KW | -5 | Required |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | direct | -6 | Recommended |
| | | | | with caveats |
+-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | ECDH-ES + | -25 | Recommended |
| | | HKDF-256 | | |
+-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | ECDH-SS + | -27 | Recommended |
| | | HKDF-256 | | |
+-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | ECDH-ES + | -31 | Recommended | | Confidentiality | 1 | ECDH-ES + | -31 | Recommended |
| | | A256KW | | | | | | A256KW | | |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | ECDH-SS + | -34 | Recommended | | Confidentiality | 1 | ECDH-SS + | -34 | Recommended |
| | | A256KW | | | | | | A256KW | | |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
| Confidentiality | 1 | RSAES-OAEP | -41 | Recommended | | Confidentiality | 1 | RSAES-OAEP | -41 | Recommended |
| | | w/ SHA-256 | | | | | | w/ SHA-256 | | |
+-----------------+------------+------------+------+----------------+ +-----------------+------------+------------+------+----------------+
Table 5: Interoperability Algorithms Table 5: Interoperability Algorithms
The following are recommended key and recipient uses within COSE/ The following are recommended key and recipient uses within COSE/
BPSec: BPSec:
Symmetric Key Integrity: When generating a BIB result from a Symmetric Key Integrity:
symmetric key, implementations SHALL use a COSE_Mac0 using the When generating a BIB result from a symmetric key, implementations
private key directly. When a COSE_Mac0 is used with a direct key, SHALL use a COSE_Mac0 using the private key directly. When a
the headers SHALL include a key identifier ("kid" header and COSE_Mac0 is used with a direct key, the headers SHALL include a
possibly "kid context" header). key identifier ("kid" header and possibly "kid context" header).
EC Keypair Integrity: When generating a BIB result from an EC EC Keypair Integrity:
keypair, implementations SHALL use a COSE_Sign1 using the private When generating a BIB result from an EC keypair, implementations
key directly. When a COSE_Sign1 is used with an EC keypair, the SHALL use a COSE_Sign1 using the private key directly. When a
headers SHALL include a public key identifier (see Section 3.3). COSE_Sign1 is used with an EC keypair, the headers SHALL include a
public key identifier (see Section 3.3).
RSA Keypair Integrity: When generating a BIB result from an RSA RSA Keypair Integrity:
keypair, implementations SHALL use a COSE_Sign1 using the private When generating a BIB result from an RSA keypair, implementations
key directly. When a COSE_Sign1 is used with an RSA keypair, the SHALL use a COSE_Sign1 using the private key directly. When a
headers SHALL include a public key identifier (see Section 3.3). COSE_Sign1 is used with an RSA keypair, the headers SHALL include
When a COSE signature is generated with an RSA keypair, the a public key identifier (see Section 3.3). When a COSE signature
signature uses a PSS salt in accordance with Section 2 of is generated with an RSA keypair, the signature uses a PSS salt in
[RFC8230]. accordance with Section 2 of [RFC8230].
Symmetric Key Confidentiality: When generating a BCB result from an Symmetric Key Confidentiality:
symmetric key, implementations SHALL use a COSE_Encrypt message When generating a BCB result from a symmetric key-encryption key
with a recipient containing an indirect (wrapped or derived) (KEK), implementations SHOULD use a COSE_Encrypt message with a
content encryption key (CEK). When generating a BCB result from a recipient containing an indirect (wrapped or derived) content
symmetric key, implementations SHOULD NOT use COSE_Encrypt0 or encryption key (CEK). When a COSE_Encrypt is used with an overall
COSE_Encrypt with direct CEK. Doing so risks key overuse and the KEK, the recipient layer SHALL include a key identifier for the
vulnerabilities associated with large amount of ciphertext from KEK.
the same key. When a COSE_Encrypt is used with an overall key-
encryption key (KEK), the recipient layer SHALL include a key
identifier for the KEK.
EC Keypair Confidentiality: When generating a BCB result from an EC When generating a BCB result from a symmetric CEK, implementations
public key, implementations SHALL use a COSE_Encrypt message with SHOULD use COSE_Encrypt0 or COSE_Encrypt with direct CEK. Session
a recipient containing an indirect (wrapped or derived) CEK. When CEKs MUST be managed to avoid overuse and the vulnerabilities
a COSE_Encrypt is used with an EC public key, the recipient layer associated with large amount of ciphertext from the same key.
EC Keypair Confidentiality:
When generating a BCB result from an EC public key,
implementations SHALL use a COSE_Encrypt message with a recipient
containing an indirect (wrapped or derived) CEK. When a
COSE_Encrypt is used with an EC public key, the recipient layer
SHALL include a public key identifier (see Section 3.3). When a SHALL include a public key identifier (see Section 3.3). When a
COSE_Encrypt is used with an EC public key, the security source COSE_Encrypt is used with an EC public key, the security source
SHALL either generate an ephemeral EC keypair or choose a unique SHALL either generate an ephemeral EC keypair or choose a unique
"PartyU Nonce" for each security operation. When processing a HKDF "salt" for each security operation. When a COSE_Encrypt is
COSE_Encrypt with an EC public key, the security acceptor SHALL used with an EC public key and a single recipient, the direct HKDF
process all KDF and HMAC context data from the recipient headers algorithms (code -25 and -27) are RECOMMENDED over the key wrapped
in accordance with Section 5.2 of [RFC9053] even though the source algorithms (code -31 and -34) to reduce message size. When
is not required to provide any of those parameters. processing a COSE_Encrypt with an EC public key, the security
acceptor SHALL process all KDF and HMAC context data from the
recipient headers in accordance with Section 5.2 of [RFC9053] even
though the source is not required to provide any of those
parameters.
RSA Keypair Confidentiality: When generating a BCB result from an RSA Keypair Confidentiality:
RSA public key, implementations SHALL use a COSE_Encrypt message When generating a BCB result from an RSA public key,
with a recipient containing a key-wrapped CEK. When a implementations SHALL use a COSE_Encrypt message with a recipient
COSE_Encrypt is used with an RSA public key, the recipient layer containing a key-wrapped CEK. When a COSE_Encrypt is used with an
SHALL include a public key identifier (see Section 3.3). RSA public key, the recipient layer SHALL include a public key
identifier (see Section 3.3).
Implementations conforming to this specification SHALL support the
hash algorithms SHA-256 (code -16) and SHA-256/64 (code -15) for use
with the "x5t" identifier.
3.3. Asymmetric Key Types and Identifiers 3.3. Asymmetric Key Types and Identifiers
This section applies when a BIB uses a public key for verification or This section applies when a BIB uses a public key for verification or
key-wrap, or when a BCB uses a public key for encryption or key-wrap. key-wrap, or when a BCB uses a public key for encryption or key-wrap.
When using asymmetric keyed algorithms, the security source SHALL When using asymmetric keyed algorithms, the security source SHALL
include a public key container or public key identifier as a include a public key container or public key identifier as a
recipient header. The public key identifier SHALL be either an "x5t" recipient header. The public key identifier SHALL be either an "x5t"
or "x5chain" of [RFC9360], or "kid" of [RFC9052] and possibly "kid or "x5chain" of [RFC9360], or "kid" of [RFC9052] and possibly "kid
context" of [RFC8613], or an equivalent identifier. context" of [RFC8613], or an equivalent identifier.
When BIB result contains a "x5t" identifier, the security source MAY When BIB result contains a "x5t" identifier, the security source MAY
include an appropriate PKIX certificate container ("x5chain" or include an appropriate PKIX certificate container ("x5chain" or
"x5bag" of [RFC9360]) in a direct COSE header or an additional header "x5bag" of [RFC9360]) in a direct COSE header or an additional header
security parameter (see Section 2.2.1). When a BIB result contains security parameter (see Section 2.2.1). When a BIB result contains
an "x5chain", the security source SHOULD NOT also include an "x5t" as an "x5chain", the security source SHOULD NOT also include an "x5t" as
the first certificate in the chain is implicitly the applicable end- the first certificate in the chain is implicitly the applicable end-
entity certificate. For a BIB, if all potential security acceptors entity certificate. For a BIB, if all potential security verifiers
are known to possess related public key and/or certificate data then and acceptors are known to possess related public key and/or
the public key or additional header parameters can be omitted. Risks certificate data then the public key or additional header parameters
of not including related data are described in Section 6.5 and can be omitted. Risks of not including related data are described in
Section 6.6. Section 6.5 and Section 6.6.
When present, public keys and certificates SHOULD be included as When present, public keys and certificates SHOULD be included as
additional header parameters rather than within result COSE messages. additional header parameters rather than within result COSE messages.
This provides size efficiency when multiple security results are This provides size efficiency when multiple security results are
present because they will all be from the same security source and present because they will all be from the same security source and
likely share the same public key material. Security acceptors SHALL likely share the same public key material. Security verifiers and
still process public keys or certificates present in a result message acceptors SHALL still process public keys or certificates present in
or recipient as applying to that individual COSE level. a result message or recipient as applying to that individual COSE
level.
Security acceptors SHALL aggregate all COSE_Key objects from all Security verifiers and acceptors SHALL aggregate all COSE_Key objects
parameters within a single BIB or BCB, independent of encoded type or from all parameters within a single BIB or BCB, independent of
order of parameters. Because each context contains a single set of encoded type or order of parameters. Because each context contains a
security parameters which apply to all results in the same context, single set of security parameters which apply to all results in the
security acceptors SHALL treat all public keys as being related to same context, security verifiers and acceptors SHALL treat all public
the security source itself and potentially applying to every result. keys as being related to the security source itself and potentially
applying to every result.
3.3.1. Policy Recommendations 3.3.1. Policy Recommendations
The RECOMMENDED priority policy for including PKIX material for BIB The RECOMMENDED priority policy for including PKIX material for BIB
results is as follows: results is as follows:
1. When receivers are not known to possess certificate chains, a 1. When receivers are not known to possess certificate chains, a
full chain is included (as an "x5chain"). full chain is included (as an "x5chain").
2. When receivers are known to possess root and intermediate CAs, 2. When receivers are known to possess root and intermediate CAs,
skipping to change at page 20, line 5 skipping to change at page 20, line 26
3. When receivers are known to possess associated chains including 3. When receivers are known to possess associated chains including
end-entity certificates, a certificate thumbnail (as an "x5t"). end-entity certificates, a certificate thumbnail (as an "x5t").
4. Some arbitrary identifier is used to correlate to an end-entity 4. Some arbitrary identifier is used to correlate to an end-entity
certificate (as a "kid" with an optional "kid context"). certificate (as a "kid" with an optional "kid context").
5. The BIB Security Source is used to imply an associated end-entity 5. The BIB Security Source is used to imply an associated end-entity
certificate which identifies that Node ID. certificate which identifies that Node ID.
When PKIX certificates are used by security acceptors and the end- When PKIX certificates are used by security verifiers and acceptors
entity certificate is not explicitly trusted (i.e. pinned), the and the end-entity certificate is not explicitly trusted (i.e.
security acceptor SHALL perform the certification path validation of pinned), the security acceptor SHALL perform the certification path
Section 2.6.1.2 up to one or more trusted CA certificates. Leaving validation of Section 2.6.1.2 up to one or more trusted CA
out part of the certification chain can cause the security acceptor certificates. Leaving out part of the certification chain can cause
to fail to validate a BIB if the left-out certificates are unknown to the security acceptor to fail to validate a BIB if the left-out
the acceptor (see Section 6.6). certificates are unknown to the acceptor (see Section 6.6).
Any end-entity certificate associated with a BPSec security source Any end-entity certificate associated with a BPSec security source
SHALL adhere to the profile of Section 4. SHALL adhere to the profile of Section 4.
4. PKIX Certificate Profile 4. PKIX Certificate Profile
This section contains requirements on certificates used for the COSE This section contains requirements on certificates used for the COSE
context, while Section 3.3 contains requirements for how such context, while Section 3.3 contains requirements for how such
certificates are transported or identified. certificates are transported or identified.
All end-entity certificates used for BPSec SHALL conform to All end-entity certificates used for BPSec SHALL conform to
[RFC5280], or any updates or successors to that profile. [RFC5280], or any updates or successors to that profile.
This profile requires Version 3 certificates due to the extensions This profile requires Version 3 certificates due to the extensions
used by this profile. Security acceptors SHALL reject as invalid used by this profile. Security verifiers and acceptors SHALL reject
Version 1 and Version 2 end-entity certificates. as invalid Version 1 and Version 2 end-entity certificates.
Security acceptors SHALL accept certificates that contain an empty Security verifiers and acceptors SHALL accept certificates that
Subject field or contain a Subject without a Common Name. Identity contain an empty Subject field or contain a Subject without a Common
information in end-entity certificates SHALL be contained in the Name. Identity information in end-entity certificates SHALL be
Subject Alternative Name extension in accordance with Section 4.2.1.6 contained in the Subject Alternative Name extension in accordance
of [RFC5280]. with Section 4.2.1.6 of [RFC5280].
A BPSec end-entity certificate SHALL contain a NODE-ID in its Subject A BPSec end-entity certificate SHALL contain a NODE-ID in its Subject
Alternative Name extension which authenticates the Node ID of the Alternative Name extension which authenticates the Node ID of the
security source (for integrity) or the security acceptor (for security source (for integrity) or the security acceptor (for
confidentiality). The identifier type NODE-ID is defined in confidentiality). The identifier type NODE-ID is defined in
Section 4.4.1 of [RFC9174]. Section 4.4.1 of [RFC9174].
All end-entity and CA certificates used for BPSec SHOULD contain both All end-entity and CA certificates used for BPSec SHOULD contain both
a Subject Key Identifier extension in accordance with Section 4.2.1.2 a Subject Key Identifier extension in accordance with Section 4.2.1.2
of [RFC5280] and an Authority Key Identifier extension in accordance of [RFC5280] and an Authority Key Identifier extension in accordance
with Section 4.2.1.1 of [RFC5280]. Security acceptors SHOULD NOT with Section 4.2.1.1 of [RFC5280]. Security verifiers and acceptors
rely on either a Subject Key Identifier and an Authority Key SHOULD NOT rely on either a Subject Key Identifier and an Authority
Identifier being present in any received certificate. Including key Key Identifier being present in any received certificate. Including
identifiers simplifies the work of an entity needing to assemble a key identifiers simplifies the work of an entity needing to assemble
certification chain. a certification chain.
When allowed by CA policy, a BPSec end-entity certificate SHOULD When allowed by CA policy, a BPSec end-entity certificate SHOULD
contain a PKIX Extended Key Usage extension in accordance with contain a PKIX Extended Key Usage extension in accordance with
Section 4.2.1.12 of [RFC5280]. When the PKIX Extended Key Usage Section 4.2.1.12 of [RFC5280]. When the PKIX Extended Key Usage
extension is present, it SHALL contain a key purpose id-kp- extension is present, it SHALL contain a key purpose id-kp-
bundleSecurity of [IANA-SMI]. The id-kp-bundleSecurity purpose MAY bundleSecurity of [IANA-SMI]. The id-kp-bundleSecurity purpose MAY
be combined with other purposes in the same certificate. be combined with other purposes in the same certificate.
When allowed by CA policy, a BPSec end-entity certificate SHALL When allowed by CA policy, a BPSec end-entity certificate SHALL
contain a PKIX Key Usage extension in accordance with Section 4.2.1.3 contain a PKIX Key Usage extension in accordance with Section 4.2.1.3
of [RFC5280]. The PKIX Key Usage bits which are consistent with COSE of [RFC5280]. The PKIX Key Usage bits which are consistent with COSE
security are: digitalSignature, nonRepudiation, keyEncipherment, and security are: digitalSignature, nonRepudiation, keyEncipherment, and
keyAgreement. The specific algorithms used by COSE messages in keyAgreement. The specific algorithms used by COSE messages in
security results determine which of those key uses are exercised. security results determine which of those key uses are exercised.
See Section 4.1 for discussion of key use policies across multiple See Section 4.1 for discussion of key use policies across multiple
certificates. certificates.
A BPSec end-entity certificate MAY contain an Online Certificate A BPSec end-entity certificate MAY contain an Online Certificate
Status Protocol (OCSP) URI within an Authority Information Access Status Protocol (OCSP) URI within an Authority Information Access
extension in accordance with Section 4.2.2.1 of [RFC5280]. Security extension in accordance with Section 4.2.2.1 of [RFC5280]. Security
acceptors are not expected to have continuous internet connectivity verifiers and acceptors are not expected to have continuous internet
sufficient to perform OCSP verification. connectivity sufficient to perform OCSP verification.
4.1. Multiple-Certificate Uses 4.1. Multiple-Certificate Uses
A RECOMMENDED security policy is to limit asymmetric keys (and thus A RECOMMENDED security policy is to limit asymmetric keys (and thus
public key certificates) to single uses among the following: public key certificates) to single uses among the following:
Bundle transport: With key uses as defined in the convergence layer Bundle transport: With key uses as defined in the convergence layer
specification(s). Transports can require additional Extended Key specification(s). Transports can require additional Extended Key
Usage, such as id-kp-serverAuth or id-kp-clientAuth. Usage, such as id-kp-serverAuth or id-kp-clientAuth.
skipping to change at page 23, line 10 skipping to change at page 23, line 30
order to include the context of the encrypted data as AAD. If an order to include the context of the encrypted data as AAD. If an
agent mistakenly allows the use of non-AEAD encryption when agent mistakenly allows the use of non-AEAD encryption when
decrypting and verifying a BCB, the possibility of block replay decrypting and verifying a BCB, the possibility of block replay
attack is present. attack is present.
6.2. Threat: Untrusted End-Entity Certificate 6.2. Threat: Untrusted End-Entity Certificate
The profile in Section 2.6.1 uses end-entity certificates chained up The profile in Section 2.6.1 uses end-entity certificates chained up
to a trusted root CA. A security source can include a certificate to a trusted root CA. A security source can include a certificate
set which does not contain the full chain, possibly excluding set which does not contain the full chain, possibly excluding
intermediate or root CAs. In an environment where security acceptors intermediate or root CAs. In an environment where security verifiers
are known to already contain needed root and intermediate CAs there and acceptors are known to already contain needed root and
is no need to include those CAs, but this has a risk of an acceptor intermediate CAs there is no need to include those CAs, but this has
not actually having one of the needed CAs. a risk of an acceptor not actually having one of the needed CAs.
6.3. Threat: Certificate Validation Vulnerabilities 6.3. Threat: Certificate Validation Vulnerabilities
Even when a security acceptor is operating properly an attacker can Even when a security acceptor is operating properly an attacker can
attempt to exploit vulnerabilities within certificate check attempt to exploit vulnerabilities within certificate check
algorithms or configuration to authenticate using an invalid algorithms or configuration to authenticate using an invalid
certificate. An invalid certificate exploit could lead to higher- certificate. An invalid certificate exploit could lead to higher-
level security issues and/or denial of service to the Node ID being level security issues and/or denial of service to the Node ID being
impersonated. impersonated.
skipping to change at page 24, line 20 skipping to change at page 24, line 40
acceptor to not be able to properly verify a valid signature or not acceptor to not be able to properly verify a valid signature or not
use the correct private key to decrypt valid ciphertext. use the correct private key to decrypt valid ciphertext.
6.6. Threat: Non-Trusted Public Key 6.6. Threat: Non-Trusted Public Key
The profile in Section 3.2 allows the use of PKIX which typically The profile in Section 3.2 allows the use of PKIX which typically
involves end-entity certificates chained up to a trusted root CA. A involves end-entity certificates chained up to a trusted root CA. A
BIB can reference or contain end-entity certificates not previously BIB can reference or contain end-entity certificates not previously
known to a security acceptor but the acceptor can still trust the known to a security acceptor but the acceptor can still trust the
certificate by verifying it up to a trusted CA. In an environment certificate by verifying it up to a trusted CA. In an environment
where security acceptors are known to already contain needed root and where security verifiers and acceptors are known to already contain
intermediate CAs there is no need to include those CAs in a proper needed root and intermediate CAs there is no need to include those
chain within the security parameters, but this has a risk of an CAs in a proper chain within the security parameters, but this has a
acceptor not actually having one of the needed CAs. risk of an acceptor not actually having one of the needed CAs.
Because the security parameters are not included as AAD, there is Because the security parameters are not included as AAD, there is
still the possibility that an active attacker removes or alters still the possibility that an active attacker removes or alters
certification chain data in the parameters. This can cause the certification chain data in the parameters. This can cause the
security acceptor to be able to verify a valid signature but not security acceptor to be able to verify a valid signature but not
trust the public key used to perform the verification. trust the public key used to perform the verification.
6.7. Threat: Passive Leak of Key Material 6.7. Threat: Passive Leak of Key Material
It is important that the key requirements of Section 2.2 apply only It is important that the key requirements of Section 2.2 apply only
skipping to change at page 25, line 14 skipping to change at page 25, line 33
7.1. BPSec Security Context Identifiers 7.1. BPSec Security Context Identifiers
Within the "Bundle Protocol" registry [IANA-BUNDLE], the following Within the "Bundle Protocol" registry [IANA-BUNDLE], the following
entry has been added to the "BPSec Security Context Identifiers" sub- entry has been added to the "BPSec Security Context Identifiers" sub-
registry. registry.
+==========+=============+======================+ +==========+=============+======================+
| Value | Description | Reference | | Value | Description | Reference |
+==========+=============+======================+ +==========+=============+======================+
| TBD-COSE | COSE | [This specification] | | TBA-COSE | COSE | [This specification] |
+----------+-------------+----------------------+ +----------+-------------+----------------------+
Table 6: BPSec Security Context Identifiers Table 6: BPSec Security Context Identifiers
7.2. BPSec COSE AAD Scope Flags 7.2. BPSec COSE AAD Scope Flags
Within the "Bundle Protocol" registry [IANA-BUNDLE], the IANA has Within the "Bundle Protocol" registry [IANA-BUNDLE], the IANA has
created and now maintains a new registry named "BPSec COSE AAD Scope created and now maintains a new registry named "BPSec COSE AAD Scope
Flags" on the "Bundle Protocol" registry page. Table 7 shows the Flags" on the "Bundle Protocol" registry page. Table 7 shows the
initial values for this registry. initial values for this registry.
The registration policy for this registry is Specification Required. The registration policy for this registry is Specification Required.
The value range is unsigned 8-bit integer. The value range is unsigned 8-bit integer.
+===========================+==============+======================+ +==============+==============+================+
| Bit Position (from LSbit) | Name | Reference | | Bit Position | Name | Reference |
+===========================+==============+======================+ | | | |
| 0 | AAD-metadata | [This specification] | | (from LSbit) | | |
+---------------------------+--------------+----------------------+ +==============+==============+================+
| 1 | AAD-btsd | [This specification] | | 0 | AAD-metadata | [This |
+---------------------------+--------------+----------------------+ | | | specification] |
| 2-7 | Reserved | [This specification] | +--------------+--------------+----------------+
+---------------------------+--------------+----------------------+ | 1 | AAD-btsd | [This |
| | | specification] |
+--------------+--------------+----------------+
| 2-7 | Reserved | [This |
| | | specification] |
+--------------+--------------+----------------+
Table 7: BPSec COSE AAD Scope Flags Table 7: BPSec COSE AAD Scope Flags
8. References 8. References
8.1. Normative References 8.1. Normative References
[IANA-BUNDLE] [IANA-BUNDLE]
IANA, "Bundle Protocol", IANA, "Bundle Protocol",
<https://www.iana.org/assignments/bundle/>. <https://www.iana.org/assignments/bundle/>.
[IANA-COSE] [IANA-COSE]
skipping to change at page 31, line 26 skipping to change at page 32, line 4
The external_aad is the encoded data from Figure 10. The payload is The external_aad is the encoded data from Figure 10. The payload is
the encoded target BTSD from Figure 7. the encoded target BTSD from Figure 7.
[ [
"MAC0", / context / "MAC0", / context /
h'a10105', / protected / h'a10105', / protected /
h'a200010101880700008201692f2f6473742f7376638201662f2f7372632f8201 h'a200010101880700008201692f2f6473742f7376638201662f2f7372632f8201
662f2f7372632f820018281a000f424001010040', / external_aad / 662f2f7372632f820018281a000f424001010040', / external_aad /
h'6568656c6c6f' / payload / h'6568656c6c6f' / payload /
] ]
Figure 13: MAC_structure CBOR diagnostic Figure 13: MAC_structure CBOR diagnostic
[1], / targets / [1], / targets /
-1, / security context TBD-COSE / -1, / security context TBA-COSE /
1, / flags: params-present / 1, / flags: params-present /
[1, "//src/"], / security source / [1, "//src/"], / security source /
[ / parameters / [ / parameters /
[ [
5, / AAD-scope / 5, / AAD-scope /
{0: 0b01, 1: 0b01}, / primary metadata, target metadata / {0: 0b01, 1: 0b01}, / primary metadata, target metadata /
] ]
], ],
[ [
[ / target block #1 / [ / target block #1 /
skipping to change at page 34, line 6 skipping to change at page 34, line 6
"Signature1", / context / "Signature1", / context /
h'a10126', / protected / h'a10126', / protected /
h'a200010101880700008201692f2f6473742f7376638201662f2f7372632f8201 h'a200010101880700008201692f2f6473742f7376638201662f2f7372632f8201
662f2f7372632f820018281a000f424001010040', / external_aad / 662f2f7372632f820018281a000f424001010040', / external_aad /
h'6568656c6c6f' / payload / h'6568656c6c6f' / payload /
] ]
Figure 16: Sig_structure CBOR diagnostic Figure 16: Sig_structure CBOR diagnostic
[1], / targets / [1], / targets /
-1, / security context TBD-COSE / -1, / security context TBA-COSE /
1, / flags: params-present / 1, / flags: params-present /
[1, "//src/"], / security source / [1, "//src/"], / security source /
[ / parameters / [ / parameters /
[ [
5, / AAD-scope / 5, / AAD-scope /
{0: 0b01, 1: 0b01}, / primary metadata, target metadata / {0: 0b01, 1: 0b01}, / primary metadata, target metadata /
] ]
], ],
[ [
[ / target block #1 / [ / target block #1 /
skipping to change at page 36, line 16 skipping to change at page 36, line 16
"Signature1", / context / "Signature1", / context /
h'a1013824', / protected / h'a1013824', / protected /
h'a200010101880700008201692f2f6473742f7376638201662f2f7372632f8201 h'a200010101880700008201692f2f6473742f7376638201662f2f7372632f8201
662f2f7372632f820018281a000f424001010040', / external_aad / 662f2f7372632f820018281a000f424001010040', / external_aad /
h'6568656c6c6f' / payload / h'6568656c6c6f' / payload /
] ]
Figure 19: Sig_structure CBOR diagnostic Figure 19: Sig_structure CBOR diagnostic
[1], / targets / [1], / targets /
-1, / security context TBD-COSE / -1, / security context TBA-COSE /
1, / flags: params-present / 1, / flags: params-present /
[1, "//src/"], / security source / [1, "//src/"], / security source /
[ / parameters / [ / parameters /
[ [
5, / AAD-scope / 5, / AAD-scope /
{0: 0b01, 1: 0b01}, / primary metadata, target metadata / {0: 0b01, 1: 0b01}, / primary metadata, target metadata /
] ]
], ],
[ [
[ / target block #1 / [ / target block #1 /
skipping to change at page 38, line 6 skipping to change at page 38, line 6
662f2f7372632f820018281a000f424001010040', / external_aad / 662f2f7372632f820018281a000f424001010040', / external_aad /
] ]
Figure 22: Enc_structure CBOR diagnostic Figure 22: Enc_structure CBOR diagnostic
The ASB item for this encryption operation is shown in Figure 23 and The ASB item for this encryption operation is shown in Figure 23 and
corresponds with the updated target block (containing the ciphertext) corresponds with the updated target block (containing the ciphertext)
of Figure 11. of Figure 11.
[1], / targets / [1], / targets /
-1, / security context TBD-COSE / -1, / security context TBA-COSE /
1, / flags: params-present / 1, / flags: params-present /
[1, "//src/"], / security source / [1, "//src/"], / security source /
[ / parameters / [ / parameters /
[ [
5, / AAD-scope / 5, / AAD-scope /
{0: 0b01, 1: 0b01}, / primary metadata, target metadata / {0: 0b01, 1: 0b01}, / primary metadata, target metadata /
] ]
], ],
[ [
[ / target block #1 / [ / target block #1 /
skipping to change at page 41, line 6 skipping to change at page 41, line 6
662f2f7372632f820018281a000f424001010040', / external_aad / 662f2f7372632f820018281a000f424001010040', / external_aad /
] ]
Figure 25: Enc_structure CBOR diagnostic Figure 25: Enc_structure CBOR diagnostic
The ASB item for this encryption operation is shown in Figure 26 and The ASB item for this encryption operation is shown in Figure 26 and
corresponds with the updated target block (containing the ciphertext) corresponds with the updated target block (containing the ciphertext)
of Figure 11. of Figure 11.
[1], / targets / [1], / targets /
-1, / security context TBD-COSE / -1, / security context TBA-COSE /
1, / flags: params-present / 1, / flags: params-present /
[1, "//src/"], / security source / [1, "//src/"], / security source /
[ / parameters / [ / parameters /
[ [
5, / AAD-scope / 5, / AAD-scope /
{0: 0b01, 1: 0b01}, / primary metadata, target metadata / {0: 0b01, 1: 0b01}, / primary metadata, target metadata /
] ]
], ],
[ [
[ / target block #1 / [ / target block #1 /
skipping to change at page 45, line 6 skipping to change at page 45, line 6
662f2f7372632f820018281a000f424001010040', / external_aad / 662f2f7372632f820018281a000f424001010040', / external_aad /
] ]
Figure 28: Enc_structure CBOR diagnostic Figure 28: Enc_structure CBOR diagnostic
The ASB item for this encryption operation is shown in Figure 29 and The ASB item for this encryption operation is shown in Figure 29 and
corresponds with the updated target block (containing the ciphertext) corresponds with the updated target block (containing the ciphertext)
of Figure 11. of Figure 11.
[1], / targets / [1], / targets /
-1, / security context TBD-COSE / -1, / security context TBA-COSE /
1, / flags: params-present / 1, / flags: params-present /
[1, "//src/"], / security source / [1, "//src/"], / security source /
[ / parameters / [ / parameters /
[ [
5, / AAD-scope / 5, / AAD-scope /
{0: 0b01, 1: 0b01}, / primary metadata, target metadata / {0: 0b01, 1: 0b01}, / primary metadata, target metadata /
] ]
], ],
[ [
[ / target block #1 / [ / target block #1 /
 End of changes. 53 change blocks. 
164 lines changed or deleted 197 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/