Closed thomas-fossati closed 6 days ago
ACTION @henkbirkholz to ask Leonard on the COSE list.
ACTION completed by @thomas-fossati dearest. C2PA's requirement on multiple TSTs in CTT mode of use is rolled back. If there are no further responses to the contrary to https://mailarchive.ietf.org/arch/msg/cose/KfI7Oo7IIFfpK_b6O35sz7G1_8g, this issue will be resolved with no changes.
resolved
C2PA allows multiple timestamps from different TSAs to be added back into the COSE envelope.
Do we want to do the same and use an array (or the one-or-more construct from RFC9292)? Note that this may slightly complicate processing (and possibly the trust model too) because there would be many "TSA-time"s that need to be considered rather than just one.
Can that aspect of the processing be punted to "local policy"? In the end, if an application decides to ask for $n$ TSTs, it does so because it supposedly knows what to do with them.
This probably needs some more discussion.