typ in COSE headers is a different draft, it's common in JOSE, and it's recommended in the JWT BCP... I suggest we assume it's not possible to specify the typ (media type) of the envelope in COSE, since that's true today.
My point is that security assumptions are the same for both the protected header and the protected payload, as are the semantics for "claims", in the context of CWT... At least that's what the current draft says.
I don't think this draft should say anything more.
OS
On Thu, Nov 2, 2023, 5:11 PM Carsten Bormann <cabo@xxxxxxx> wrote:
On Nov 2, 2023, at 23:02, Orie Steele <orie@transmute.industries> wrote:
>
> I suggest we tackle these issues in a separate document.
I’m fine with that, as long as that document can make retroactive BCP14 statements :-) (*)
The CCS in the payload is entirely different from one in the header:
The CCS in the payload is the focus of the signed/encrypted/mac'ed statement.
The CCS/CWT in the header can only be supplementary information to what is in the payload.
How does that supplementing affect the entire construct?
Mike proposed using typ to supply this information. But then it really needs to.
Grüße, Carsten
(*) OK, there is precedent in RFC 8725
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call