Warren Kumari's No Objection on draft-ietf-cose-key-thumbprint-05: (with COMMENT)

[OR13]

---

COMMENT:

I agree with Eric Vyncke's comments. Also, much thanks to Joel Jaeggli for his
OpsDir review:
https://datatracker.ietf.org/doc/review-ietf-cose-key-thumbprint-04-opsdir-lc-jaeggli-2024-04-14/

In addition, I have some nits:
1: I found "The resulting value is the COSE Key Thumbprint with H of the COSE
Key." to be very difficult to parse -- perhaps you can drop "with H of the COSE
Key."? Actually, I'm not entirely sure what the sentence is trying to convey,
other than that the result is the thumbprint...

I'm also not sure if the first sentence in the security considerations section
is strictly true: 7. Security Considerations

A COSE Key Thumbprint will only uniquely identify a particular key if
a single unambiguous COSE Key representation for that key is defined
and used when computing the COSE Key Thumbprint.

The implication of "only uniquely identify a particular key" makes it sound
like if you used some other representation, then you might identify some other
key (which, I guess might be true if the other representation didn't include
the key :-)). Is "correctly" perhaps a better word than "uniquely"? Or have I
completely misunderstood?

[selfissued]

I suggest changing "The resulting value is the COSE Key Thumbprint with H of the COSE Key." to changing "The resulting value is the COSE Key Thumbprint with the hash function H of the key."

Per the second comment, about uniquely identifying keys - unless a canonical representation is used as the input to the hash function, the value will vary. For allowing the field order to vary in the (otherwise equivalent) key representation would result in non-interoperability. That's what this security consideration text is about.