selfissued
commented
1 month ago I suggest changing "The resulting value is the COSE Key Thumbprint with H of the COSE Key." to changing "The resulting value is the COSE Key Thumbprint with the hash function H of the key."
Per the second comment, about uniquely identifying keys - unless a canonical representation is used as the input to the hash function, the value will vary. For allowing the field order to vary in the (otherwise equivalent) key representation would result in non-interoperability. That's what this security consideration text is about.
COMMENT:
I agree with Eric Vyncke's comments. Also, much thanks to Joel Jaeggli for his OpsDir review: https://datatracker.ietf.org/doc/review-ietf-cose-key-thumbprint-04-opsdir-lc-jaeggli-2024-04-14/
In addition, I have some nits: 1: I found "The resulting value is the COSE Key Thumbprint with H of the COSE Key." to be very difficult to parse -- perhaps you can drop "with H of the COSE Key."? Actually, I'm not entirely sure what the sentence is trying to convey, other than that the result is the thumbprint...
I'm also not sure if the first sentence in the security considerations section is strictly true: 7. Security Considerations
A COSE Key Thumbprint will only uniquely identify a particular key if a single unambiguous COSE Key representation for that key is defined and used when computing the COSE Key Thumbprint.
The implication of "only uniquely identify a particular key" makes it sound like if you used some other representation, then you might identify some other key (which, I guess might be true if the other representation didn't include the key :-)). Is "correctly" perhaps a better word than "uniquely"? Or have I completely misunderstood?