Move “creation time” value to the payload

[selfissued]

The “creation time” header parameter in Section 3.1 is one of several attributes that are being proposed as a header parameter, whereas it is actually unrelated to the cryptographic operations being performed and should be part of the application-defined payload, if needed. If the working group believes that having common definitions for some payload fields such as “creation time” would be a good idea, they should be defined in a different, related specification.

Note that this payload content specification would fill the same role for CBOR payloads that the JSON Web Token (JWT) [RFC 7519] specification fills for JSON payloads. Cryptographic parameters belong in the COSE spec. Non-cryptographic application-level parameters, such as this one, belong in this companion specification, if anywhere.

[jimsch]

The field name is changed from "creation time" to "operation time". This better reflects what can actually be placed here, i.e. the time that the operation was performed. This field is useful for things like countersignatures when one wants to make a timestamp. This makes it something that should stay in the document. The justification text has been updated to reflect that this is the primary intent of the field.

However, as posited by Hannes, this field can also be used for replay detection as a time point is a reasonable thing to be looking at when determining if the context should be processed. Placing it outside of the cryptographic text allows for checking the field before wasting time on the cryptographic operation.

cose-wg/cose-spec#106

[selfissued]

Changing the name does not address the core issue that this field is solely for use as defined by particular applications and has no associated COSE processing rules. That says that it belongs in the CBOR Web Token draft, which defines application payload fields, rather than COSE messages spec.

This field also duplicates the CWT "issued at" value at https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.6. The "operation time" value should be deleted from this specification to eliminate this unnecessary duplication - not just renamed.

[selfissued]

Per the discussion on the thread "[COSE] [cose-issues] Move “creation time” value to the payload (#13)", it is incorrect to categorize this issue as complete, because the topic of the issue - removing the duplicate and non-general-purpose field, has not been addressed.

It seems that Jim and I could keep disagreeing on this for some time but it would be useful to have others weigh in.

[fpalombini]

I see your point Mike, but I also think it is really useful to have this (optional) parameter defined as a COSE header parameter, mostly for the reason Jim mentioned, about wasting time with the crypto operations before being able to check it. The fact that it is related to the countersignature links it to the crypto operations. The application can still decide not to use it and define its own time-stamp in the payload.