- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 14 Feb 2022 04:54:19 +0100
- To: Kyle Den Hartog <kyle.denhartog@mattr.global>, Christopher Allen <ChristopherA@lifewithalacrity.com>, Leonard Rosenthol <lrosenth@adobe.com>
- Cc: Julien Fraichot <Julien.Fraichot@hyland.com>, Manu Sporny <msporny@digitalbazaar.com>, Mike Prorock <mprorock@mesur.io>, Nikos Fotiou <fotiou@aueb.gr>, Orie Steele <orie@transmute.industries>, W3C Credentials CG <public-credentials@w3.org>
CBOR is great but I would avoid COSE signatures because COSE was created with the same idea as JOSE: "canonicalization doesn't work". This makes signed data become signatures with embedded data. However, unlike JSON, CBOR offer deterministic serialization working at the *binary* level. The only part that requires some thinking are floating point data: https://github.com/cyberphone/openkeystore/blob/ed852d33fc43ed09ce149b3dea4de2edef86cf07/library/src/org/webpki/cbor/CBORFloatingPoint.java#L46 If you have one minute to spend(?), you may test this on-line CBOR signature tool: https://test.webpki.org/csf-lab/home Anders On 2022-02-14 0:24, Kyle Den Hartog wrote: > secp256k1 with COSE is now registered in the IANA COSE registries [1]. The RFC you're looking for would be under RFC8812 [2]. > > [1]: https://www.iana.org/assignments/cose/cose.xhtml <https://www.iana.org/assignments/cose/cose.xhtml> > > [2]: https://www.rfc-editor.org/rfc/rfc8812.html <https://www.rfc-editor.org/rfc/rfc8812.html> > > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ > *From:* Christopher Allen <ChristopherA@lifewithalacrity.com> > *Sent:* Monday, February 14, 2022 11:22 AM > *To:* Leonard Rosenthol <lrosenth@adobe.com> > *Cc:* Julien Fraichot <Julien.Fraichot@hyland.com>; Manu Sporny <msporny@digitalbazaar.com>; Mike Prorock <mprorock@mesur.io>; Nikos Fotiou <fotiou@aueb.gr>; Orie Steele <orie@transmute.industries>; W3C Credentials CG <public-credentials@w3.org> > *Subject:* Re: [EXTERNAL] [jfraichot@learningmachine.com] Re: VC API: handling large documents client to server > EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. > > On Sun, Feb 13, 2022 at 8:07 AM Leonard Rosenthol <lrosenth@adobe.com <mailto:lrosenth@adobe.com>> wrote: > > So why not move to CBOR and COSE instead of JWT? > > Leonard, > > Any news on using secp256k1 with COSE? We are increasingly using CBOR for all of our cryptocurrency related wallet interoperability standards, but everything I’ve seen for COSE with secp has expired. > > FYI, our CBOR list is at > https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-006-urtypes.md <https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-006-urtypes.md>, those that are unique to our work start at 300. > > — Christopher Allen [via iPhone] > >
Received on Monday, 14 February 2022 03:55:38 UTC