Be specific about tagging of Cose_Sign1 and CWT

[martin-lindstrom]

During interop-testing we have run into a few possible interop-problems.

Section 4.2 of RFC8152 states the following:

The structure can be encoded as either tagged or untagged depending on the context it will be used in.

In my meaning our context is clear, and there is no need for a tag. However, other implementations even require the tag. We should be specific in the spec. about this.

Next, section 6 in RFC8392 states:

How to determine that a CBOR data structure is a CWT is application dependent. In some cases, this information is known from the application context, such as from the position of the CWT in a data structure at which the value must be a CWT. One method of indicating that a CBOR object is a CWT is the use of the "application/cwt" content type by a transport protocol.

This section defines the CWT CBOR tag as another means for applications to declare that a CBOR data structure is a CWT. Its use is optional and is intended for use in cases in which this information would not otherwise be known.

I read this that our spec. should explicitly point out that no CWT CBOR tag should be used.

[vitorpamplona]

Any updates on this one? I am having some issues as well.

We should have a verifier service (similar to the JSON Schema verifier) to make sure the CBOR content is correctly assembled with CWT + Payload between all the different implementations since most of them are assembling and unassembling the CWT by hand.

[asitplus-pteufl]

@vitorpamplona would be perfect if you could add any edge cases, ideas on test cases in the following document, we are just creating the JSONs for those test cases. https://github.com/eu-digital-green-certificates/dgc-testdata/pull/16

the idea is the creation of a common test set for validators, so that valid/invalid cases can be unit tested by such apps

[martin-lindstrom]

I'll add some QR-codes with and without tagging asap.

[vitorpamplona]

@asitplus-pteufl great effort! This helps to build a test data set for new verifiers and a debug server for issuers.

[asitplus-pteufl]

perfect, we already have some test cases of those in the table here https://github.com/ehn-digital-green-development/hcert-kotlin/tree/feature/testgen/src/test/resources but they are still being created. i hope that we can check them in tomorrow and provide the links in the table. your input on the test cases and additions is very appreciated, I suppose we are still missing many edge cases.

[ryanbnl]

The test repository is now horribly outdated. Test cases are provided by all onboarded countries in https://github.com/eu-digital-green-certificates/dcc-quality-assurance