Closed laurencelundblade closed 3 years ago
I am not sure I understand where the interop problem is. We say that when an application needs to transport a PSA Token it needs to wrap it into either a media type (application/psa-attestation-token) or the CoAP content format (TBD). If the outer type indicator is missing, CBOR 61 would not provide higher precision in terms of media identification than the COSE_Sign1 or COSE_Mac0 tags. So it looks like it's redundant in all cases and I am not sure why a protocol would want to use it?
To lock down tighter for guaranteed interoperability, I'd say that tag 61 MUST NOT be used when the carrying protocol between the Attester and Verifier is CoAP, and that the CoAP content format must be used.
It is implied, but I think you might also say that in CoAP the COSE tags MUST be used so the Verifier can tell a Mac0 from a Sign1.
I assume a PSA token can be carried in protocols other than CoAP. Those protocols might want to use tag 61, so the MUST should only be for CoAP.
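An added example, not code from this thread or from the PSA token draft: a Verifier-side check of the tagging rule proposed in the comments above, which rejects tag 61 over CoAP and requires a COSE tag to tell Sign1 from Mac0. The function names and sample bytes are constructed for illustration; 61, 18 and 17 are the registered CBOR tag numbers for CWT, COSE_Sign1 and COSE_Mac0.

```python
# Added example: constructed inputs and hypothetical function names.
CWT_TAG, COSE_SIGN1_TAG, COSE_MAC0_TAG = 61, 18, 17  # registered CBOR tag numbers

def leading_tags(data: bytes) -> list:
    """Return the CBOR tag numbers wrapping the first item, outermost first."""
    tags, i = [], 0
    while i < len(data) and data[i] >> 5 == 6:      # major type 6 = tag
        info = data[i] & 0x1F
        i += 1
        if info < 24:                               # tag number in the head byte
            value = info
        elif info <= 27:                            # 1, 2, 4 or 8 byte tag number
            size = 1 << (info - 24)
            if i + size > len(data):
                raise ValueError("truncated tag head")
            value = int.from_bytes(data[i:i + size], "big")
            i += size
        else:
            raise ValueError("malformed tag head")
        tags.append(value)
    return tags

def classify(token: bytes, over_coap: bool) -> str:
    """Decide which COSE structure a token is, from its tags alone."""
    tags = leading_tags(token)
    if tags[:1] == [CWT_TAG]:
        if over_coap:
            # Proposed rule: the CoAP content format already identifies the token.
            raise ValueError("tag 61 present although carried over CoAP")
        tags = tags[1:]
    if tags == [COSE_SIGN1_TAG]:
        return "COSE_Sign1"
    if tags == [COSE_MAC0_TAG]:
        return "COSE_Mac0"
    if not tags:
        # Both COSE structures are 4-element arrays; without a tag they look alike.
        raise ValueError("no COSE tag: cannot tell Sign1 from Mac0")
    raise ValueError(f"unexpected tags {tags}")

# Constructed skeleton, not a real token: [h'', {}, h'', h'']
BODY = bytes.fromhex("8440a04040")
SIGN1 = b"\xd2" + BODY              # 18([...])
MAC0 = b"\xd1" + BODY               # 17([...])
CWT_SIGN1 = b"\xd8\x3d" + SIGN1     # 61(18([...]))

if __name__ == "__main__":
    for name, tok in (("SIGN1", SIGN1), ("MAC0", MAC0)):
        print(name, classify(tok, over_coap=True))
    print("CWT_SIGN1", classify(CWT_SIGN1, over_coap=False))
```

The untagged `BODY` is rejected in both modes because the array shape alone does not say whether the last element is a signature or a MAC.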