Markdown Version | Transcript | Session Recording | Session Materials

Session Date/Time: 20 Mar 2026 01:00

COSE

IETF 125 - Bangkok, Thailand Tuesday, March 25, 2025

Summary

The COSE Working Group met to discuss progress on Post-Quantum Cryptography (PQC) signatures, the completion of HPKE for COSE, and new proposals for split signing and AES-CMAC. Key milestones include draft-ietf-cose-hpke moving toward publication and draft-ietf-cose-sphincs-plus nearing Working Group Last Call (WGLC). The group also discussed the potential adoption of split signing algorithms and the registration of FIPS-compliant AES-CMAC.

Key Discussion Points

1. Administrative and Document Status

• Chairs: Mike Jones, Ivaylo (Ivo) Petrov.
• Note Takers: Lucas, Karen O'Donoghue.
• draft-ietf-cose-c509-test-vectors: No significant updates. Implementers are encouraged to utilize the existing test vectors.

2. Post-Quantum Cryptography

Presentation: draft-ietf-cose-falcon and draft-ietf-cose-sphincs-plus Presenter: Hannes Tschofenig

• Implementation Status: Examples have been added for the COSE versions using a Pico COSE-based implementation. ML-DSA examples were also included to complete the set.
• Hash-SPHINCS+: Hannes Tschofenig raised the question of whether to register "Hash-SPHINCS+" (pre-hashing) variants.
  • Carsten Bormann argued for registration to avoid "combinatorial explosion" concerns and ensure COSE remains a viable alternative to ASN.1.
  • Scott Fluhrer expressed hesitation regarding future crypto module support for hash variants.
  • Tirumaleswar (Tiru) Reddy noted that while pre-hashing is beneficial for HSM performance, the CA community (LAMPS) has shown mixed interest.
  • Sense of the room: A poll was taken on whether to add Hash-SLH-DSA to the draft. The result indicated a majority (approx. 2:1) preferred to stay with the current scope.
• Security Levels and Variants: The draft currently focuses on the 128-bit security level. Both 'S' (Small signature) and 'F' (Fast signature) variants are included for this level.
• WGLC Readiness: A poll indicated substantial support for taking draft-ietf-cose-sphincs-plus to WGLC. John Gray expressed concern about waiting for smaller NIST parameter sets, but Scott Fluhrer clarified those are too preliminary for inclusion.

3. COSE HPKE

Presentation: COSE HPKE Presenter: Mike Jones

• Recent Changes: The draft (v24) now uses fully specified algorithm identifiers (separating integrated encryption from key encryption modes) in alignment with [RFC 9053].
• Technical Refinements:
  • Clarified AAD and Info parameter handling.
  • Defined a deterministic encoding for the recipient structure.
  • Added test vectors and validated them against three independent implementations.
• Status: Authors believe the document is ready for publication. Ivaylo (Ivo) Petrov is preparing the shepherd write-up.

4. Split Signing Algorithms for COSE

Presentation: Split Signing Algorithms for COSE Presenter: Mike Jones

• Updates: [draft-jones-cose-split-signing-05] incorporates feedback from Lucas and Sophie. Draft 07 recently addressed IANA TBDs and imported text from the related CFRG ARKG draft.
• Use Case: The mechanism is essential for cloud wallets (e.g., Siros Foundation/German Funke wallet) and smart card-like architectures where keys are split between a device and a server.
• Status: The draft is stable with multiple implementations. The chair (Ivaylo (Ivo) Petrov) intends to run a call for adoption on the mailing list.

5. AES-CMAC

Presentation: AES-CMAC Presenter: Brian Campbell

• Proposal: [draft-ietf-cose-aes-cmac-00] aims to register AES-CMAC algorithms for COSE.
• Rationale: Existing CBC-MAC registrations are not FIPS 140 compliant, posing a barrier for certain hardware-accelerated authenticators. AES-CMAC is FIPS-approved.
• Discussion:
  • John Gray and Scott Fluhrer supported the addition, noting CMAC’s superior security properties compared to CBC-MAC.
  • The group discussed potentially marking the old CBC-MAC as "not recommended" in a separate action.
  • Volunteers: Russ Housley, John Gray, and John Preuß Mattsson volunteered to review the draft.

Decisions and Action Items

• Decision: The scope of draft-ietf-cose-sphincs-plus will remain limited to the pure (non-hash) variants for the time being.
• Action: Ivaylo (Ivo) Petrov to complete the shepherd write-up for draft-ietf-cose-hpke and request publication.
• Action: Authors of COSE and JOSE split-signing/post-quantum drafts will coordinate to ensure alignment or justify divergence per AD feedback.
• Action: Reviewers (Russ Housley, John Gray, John Preuß Mattsson) to provide feedback on draft-ietf-cose-aes-cmac-00 on the mailing list.

Next Steps

• WGLC: Chairs will consider initiating Working Group Last Call for draft-ietf-cose-sphincs-plus.
• Adoption Call: A formal call for adoption for [draft-jones-cose-split-signing] will be issued on the mailing list.
• C509: Implementers are encouraged to continue testing with draft-ietf-cose-c509-test-vectors.

Related Documents

draft-ietf-cose-aes-cmac-00, draft-ietf-cose-c509-test-vectors, draft-ietf-cose-falcon, draft-ietf-cose-falcon-and-draft-ietf-cose-sphincs-plus-00, draft-ietf-cose-hpke, draft-ietf-cose-sphincs-plus, draft-jones-cose-split-signing, draft-jones-cose-split-signing-05