rfc9921v2.txt   rfc9921.txt 
skipping to change at line 159 skipping to change at line 159
The diagrams in this section illustrate the processing flow of the The diagrams in this section illustrate the processing flow of the
specified modes. For simplicity, only the COSE_Sign1 processing is specified modes. For simplicity, only the COSE_Sign1 processing is
shown. Similar diagrams for COSE_Sign can be derived by allowing shown. Similar diagrams for COSE_Sign can be derived by allowing
multiple private-key parallelogram boxes and replacing the label multiple private-key parallelogram boxes and replacing the label
[signature] with [signatures]. [signature] with [signatures].
2.1. COSE, Then Timestamp (CTT) 2.1. COSE, Then Timestamp (CTT)
Figure 1 shows the case where the signature(s) field of the COSE Figure 1 shows the case where the signature(s) field of the COSE
signed object is digested and submitted to a TSA to be timestamped. Signed Message is digested and submitted to a TSA to be timestamped.
The obtained timestamp token is then added back as an unprotected The obtained timestamp token is then added back as an unprotected
header into the same COSE object. header into the same COSE object.
This mode is utilized when a record of the timing of the signature This mode is utilized when a record of the timing of the signature
operation is desired. operation is desired.
.--------. .-----. .--------. .-----.
| Signer | | TSA | | Signer | | TSA |
+--------+----------------------------------. +-----+-------------. +--------+----------------------------------. +-----+-------------.
| .-------------. .-----------. .-------. | | .-------------. | | .-------------. .-----------. .-------. | | .-------------. |
skipping to change at line 206 skipping to change at line 206
made by the TSA. made by the TSA.
2.2. Timestamp, Then COSE (TTC) 2.2. Timestamp, Then COSE (TTC)
Figure 2 shows the case where a datum is first digested and submitted Figure 2 shows the case where a datum is first digested and submitted
to a TSA to be timestamped. to a TSA to be timestamped.
This mode is used to wrap the signed document and its timestamp This mode is used to wrap the signed document and its timestamp
together in an immutable payload. together in an immutable payload.
A signed COSE message is then built as follows: A COSE Signed Message is then built as follows:
* The obtained timestamp token is added to the protected headers. * The obtained timestamp token is added to the protected headers.
* The original datum becomes the payload of the signed COSE message. * The original datum becomes the payload of the COSE Signed Message.
.--------. .-----. .--------. .-----.
| Signer | | TSA | | Signer | | TSA |
+--------+----------------------------------. +-----+-------------. +--------+----------------------------------. +-----+-------------.
| .-------------. .-------. | | .-------------. | | .-------------. .-------. | | .-------------. |
| / private-key / | nonce +-------->+ / private-key / | | / private-key / | nonce +-------->+ / private-key / |
| '-+-----------' '-------' | | '------+------' | | '-+-----------' '-------' | | '------+------' |
| | .---------. | | | | | | .---------. | | | |
| | .-------. .----. | Message | | | | | | | .-------. .----. | Message | | | | |
| | + datum +->+ hash +->+ Imprint +------->+ .+. | | | + datum +->+ hash +->+ Imprint +------->+ .+. |
skipping to change at line 386 skipping to change at line 386
3.2. 3161-ttc 3.2. 3161-ttc
The 3161-ttc COSE _protected_ header parameter MUST be used for the The 3161-ttc COSE _protected_ header parameter MUST be used for the
mode described in Section 2.2. mode described in Section 2.2.
The 3161-ttc protected header parameter contains a DER-encoded TST The 3161-ttc protected header parameter contains a DER-encoded TST
[RFC3161] wrapped in a CBOR byte string (Major type 2). [RFC3161] wrapped in a CBOR byte string (Major type 2).
The MessageImprint sent to the TSA (Section 2.4 of [RFC3161]) MUST be The MessageImprint sent to the TSA (Section 2.4 of [RFC3161]) MUST be
the hash of the payload of the COSE signed object. This does not the hash of the payload of the COSE Signed Message. This does not
include the bstr wrapping -- only the payload bytes. (For an include the bstr wrapping -- only the payload bytes. (For an
example, see Appendix A.1.) example, see Appendix A.1.)
To minimize dependencies, the hash algorithm used for signing the To minimize dependencies, the hash algorithm used for signing the
COSE message SHOULD be the same as the algorithm used in the COSE message SHOULD be the same as the algorithm used in the
MessageImprint [RFC3161]. However, this may not be possible if the MessageImprint [RFC3161]. However, this may not be possible if the
timestamp requester and the COSE message signer are different timestamp requester and the COSE message signer are different
entities. entities.
4. Timestamp Processing 4. Timestamp Processing
skipping to change at line 440 skipping to change at line 440
It is also assumed that the TSA is a trusted third party, so the It is also assumed that the TSA is a trusted third party, so the
attacker cannot impersonate the TSA and create valid timestamp attacker cannot impersonate the TSA and create valid timestamp
tokens. In such a setting, any tampering with the COSE signer's tokens. In such a setting, any tampering with the COSE signer's
clock does not have an impact, because once the timestamp is obtained clock does not have an impact, because once the timestamp is obtained
from the TSA, it becomes the only reliable source of time. However, from the TSA, it becomes the only reliable source of time. However,
in both CTT mode and TTC mode, a denial of service can occur if the in both CTT mode and TTC mode, a denial of service can occur if the
attacker can adjust the relying party's clock so that the CMS attacker can adjust the relying party's clock so that the CMS
validation fails. This could disrupt the timestamp validation. validation fails. This could disrupt the timestamp validation.
In CTT mode, an attacker could manipulate the unprotected header by In CTT mode, an attacker could manipulate the unprotected header by
removing or replacing the timestamp. To avoid that, the COSE signed removing or replacing the timestamp. To avoid that, the COSE Signed
object should be integrity protected during transit and at rest. Message should be integrity protected during transit and at rest.
In TTC mode, the TSA is given an opaque identifier (a cryptographic In TTC mode, the TSA is given an opaque identifier (a cryptographic
hash value) for the payload. While this means that the content of hash value) for the payload. While this means that the content of
the payload is not directly revealed, to prevent comparison with the payload is not directly revealed, to prevent comparison with
known payloads or disclosure of identical payloads being used over known payloads or disclosure of identical payloads being used over
time, the payload would need to be armored, e.g., with a nonce that time, the payload would need to be armored, e.g., with a nonce that
is shared with the recipient of the header parameter but not the TSA. is shared with the recipient of the header parameter but not the TSA.
Such a mechanism is out of scope for this document. Such a mechanism is out of scope for this document.
The resolution, accuracy, and precision of the TSA clock, as well as The resolution, accuracy, and precision of the TSA clock, as well as
 End of changes. 5 change blocks. 
6 lines changed or deleted 6 lines changed or added

This html diff was produced by rfcdiff 1.48.