**Session Date/Time:** 20 Mar 2026 01:00

# [COSE](https://datatracker.ietf.org/wg/cose/about/)

**IETF 125 - Bangkok, Thailand**

**Tuesday, March 25, 2025**

## Summary

The COSE Working Group met to discuss progress on Post-Quantum Cryptography (PQC) signatures, the completion of HPKE for COSE, and new proposals for split signing and AES-CMAC. Key milestones include `draft-ietf-cose-hpke` moving toward publication and `draft-ietf-cose-sphincs-plus` nearing Working Group Last Call (WGLC). The group also discussed the potential adoption of split signing algorithms and the registration of FIPS-compliant AES-CMAC.

---

## Key Discussion Points

### 1. Administrative and Document Status

* **Chairs:** Mike Jones, Ivaylo (Ivo) Petrov.
* **Note Takers:** Lucas, Karen O'Donoghue.
* **[draft-ietf-cose-c509-test-vectors](https://datatracker.ietf.org/doc/draft-ietf-cose-c509-test-vectors/):** No significant updates. Implementers are encouraged to utilize the existing test vectors.

### 2. Post-Quantum Cryptography

**Presentation:** [draft-ietf-cose-falcon and draft-ietf-cose-sphincs-plus](https://datatracker.ietf.org/meeting/125/materials/slides-125-cose-draft-ietf-cose-falcon-and-draft-ietf-cose-sphincs-plus-00)

**Presenter:** Hannes Tschofenig

* **Implementation Status:** Examples have been added for the COSE versions using a Pico COSE-based implementation. ML-DSA examples were also included to complete the set.
* **Hash-SPHINCS+:** Hannes Tschofenig raised the question of whether to register "Hash-SPHINCS+" (pre-hashing) variants.
    * Carsten Bormann argued for registration to avoid "combinatorial explosion" concerns and ensure COSE remains a viable alternative to ASN.1.
    * Scott Fluhrer expressed hesitation regarding future crypto module support for hash variants.
    * Tirumaleswar (Tiru) Reddy noted that while pre-hashing is beneficial for HSM performance, the CA community (LAMPS) has shown mixed interest.
* **Sense of the room:** A poll was taken on whether to add Hash-SLH-DSA to the draft. The result indicated a majority (approx. 2:1) preferred to stay with the current scope.
* **Security Levels and Variants:** The draft currently focuses on the 128-bit security level. Both 'S' (Small signature) and 'F' (Fast signature) variants are included for this level.
* **WGLC Readiness:** A poll indicated substantial support for taking [draft-ietf-cose-sphincs-plus](https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/) to WGLC. John Gray expressed concern about waiting for smaller NIST parameter sets, but Scott Fluhrer clarified those are too preliminary for inclusion.

### 3. COSE HPKE

**Presentation:** [COSE HPKE](https://datatracker.ietf.org/meeting/125/materials/slides-125-cose-cose-hpke-00)

**Presenter:** Mike Jones

* **Recent Changes:** The draft (v24) now uses fully specified algorithm identifiers (separating integrated encryption from key encryption modes) in alignment with [RFC 9053].
* **Technical Refinements:**
    * Clarified AAD and Info parameter handling.
    * Defined a deterministic encoding for the recipient structure.
    * Added test vectors and validated them against three independent implementations.
* **Status:** Authors believe the document is ready for publication. Ivaylo (Ivo) Petrov is preparing the shepherd write-up.

### 4. Split Signing Algorithms for COSE

**Presentation:** [Split Signing Algorithms for COSE](https://datatracker.ietf.org/meeting/125/materials/slides-125-cose-split-signing-algorithms-for-cose-00)

**Presenter:** Mike Jones

* **Updates:** [draft-jones-cose-split-signing-05] incorporates feedback from Lucas and Sophie. Draft 07 recently addressed IANA TBDs and imported text from the related CFRG ARKG draft.
* **Use Case:** The mechanism is essential for cloud wallets (e.g., Siros Foundation/German Funke wallet) and smart card-like architectures where keys are split between a device and a server.
* **Status:** The draft is stable with multiple implementations. The chair (Ivaylo (Ivo) Petrov) intends to run a call for adoption on the mailing list.

### 5. AES-CMAC

**Presentation:** [AES-CMAC](https://datatracker.ietf.org/meeting/125/materials/slides-125-cose-aes-cmac-00)

**Presenter:** Brian Campbell

* **Proposal:** [draft-ietf-cose-aes-cmac-00] aims to register AES-CMAC algorithms for COSE.
* **Rationale:** Existing CBC-MAC registrations are not FIPS 140 compliant, posing a barrier for certain hardware-accelerated authenticators. AES-CMAC is FIPS-approved.
* **Discussion:**
    * John Gray and Scott Fluhrer supported the addition, noting CMAC’s superior security properties compared to CBC-MAC.
    * The group discussed potentially marking the old CBC-MAC as "not recommended" in a separate action.
* **Volunteers:** Russ Housley, John Gray, and John Preuß Mattsson volunteered to review the draft.

---

## Decisions and Action Items

* **Decision:** The scope of `draft-ietf-cose-sphincs-plus` will remain limited to the pure (non-hash) variants for the time being.
* **Action:** Ivaylo (Ivo) Petrov to complete the shepherd write-up for `draft-ietf-cose-hpke` and request publication.
* **Action:** Authors of COSE and JOSE split-signing/post-quantum drafts will coordinate to ensure alignment or justify divergence per AD feedback.
* **Action:** Reviewers (Russ Housley, John Gray, John Preuß Mattsson) to provide feedback on `draft-ietf-cose-aes-cmac-00` on the mailing list.

---

## Next Steps

* **WGLC:** Chairs will consider initiating Working Group Last Call for [draft-ietf-cose-sphincs-plus](https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/).
* **Adoption Call:** A formal call for adoption for [draft-jones-cose-split-signing] will be issued on the mailing list.
* **C509:** Implementers are encouraged to continue testing with [draft-ietf-cose-c509-test-vectors](https://datatracker.ietf.org/doc/draft-ietf-cose-c509-test-vectors/).