You shouldn't have your crypto designed by a CEO

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • frank_jwt

    JSON Web Token implementation in Rust.

  • In inverse order:

    - Some people do not like/use the standards he co-wrote

    - Cryptography

    - JWT is a standard for giving someone a token for them to later do something on your service (and signing them so you can be sure the token's all right when it comes back to you) -- you get a demo at https://jwt.io/

    - JWS is the part of JWT that deals with encryption

    - COSE is further complications on top of JOSE to fix some of its footguns

    - JOSE is the framework for how to use JWT, JWS and related standards, which has some obvious footguns

    - shrug

    - Yes
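The "obvious footguns" the comment above alludes to include the best-known one in JOSE: a verifier that lets the token's own header choose the algorithm, so a token carrying "alg":"none" needs no signature at all. The following is an added example, not code from the original post or from any project listed on this page. It signs compact JWS/JWT tokens with HS256 using only the Python standard library, shows a verifier that repeats the mistake beside one that pins the expected algorithm, and builds the unsigned token an attacker would submit. The key and claims are constructed for illustration.

```python
"""Compact JWS (HS256) signing with a naive and a pinned-algorithm verifier.
Added example: not code from the original post or any listed project; the key
and claims are constructed for illustration."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a JWT as a compact JWS: base64url(header).base64url(payload).base64url(sig)."""
    header_b64 = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(_json(claims))
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends: arbitrary claims, header alg=none, empty signature part."""
    header_b64 = b64url_encode(_json({"alg": "none", "typ": "JWT"}))
    return f"{header_b64}.{b64url_encode(_json(claims))}."


def verify_naive(token: str, key: bytes) -> dict:
    """Footgun: the token's own header decides how it is verified, 'none' included."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header["alg"] == "none":
        return json.loads(b64url_decode(payload_b64))   # unsigned token accepted as-is
    if header["alg"] == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    raise ValueError("signature check failed")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened: the verifier fixes the algorithm up front; the header must merely agree."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected, verifier expects {expected_alg}")
    if expected_alg != "HS256":
        raise ValueError("this example implements HS256 only")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    good = sign_hs256({"sub": "alice", "admin": False}, key)
    forged = forge_alg_none({"sub": "alice", "admin": True})
    print("pinned accepts genuine token:", verify_pinned(good, key))
    print("naive accepts forged token:  ", verify_naive(forged, key))
    try:
        verify_pinned(forged, key)
    except ValueError as err:
        print("pinned rejects forged token: ", err)
```

The design point is that the algorithm (and, in a real deployment, the key) is a property of the verifier, not of the message being verified: `verify_pinned` decides what it will accept before it reads anything the sender controls, which is also the discipline COSE-based formats such as DSSE bake in by keeping the signature type out of the attacker's hands.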

  • specifications

    Cross tooling and interoperability specifications (by notaryproject)

  • Author of the original medium post here. I had simply never heard of COSE at the time of writing this. There was no conspiracy to bury the spec.

    There are a bunch of vague accusations that I'm trying to profit or rent seek off of one of the specs I did write about. I didn't create and I don't maintain any of those. I also wouldn't trust any crypto designed by myself.

    The original context for writing this post was discussions around using JOSE in the context of signing container images [1]. I was against it and preferred something simpler.

    https://github.com/notaryproject/notaryproject/pull/93

  • pg-cbor

    🧬🐘 The Concise Binary Object Representation (CBOR) data format (RFC 7049) implemented in pure SQL.

  • For reference, here is my PostgreSQL extension implementation of CBOR and WebAuthn:

    https://github.com/truthly/pg-cbor

  • pg-webauthn

    🔐🐘 PostgreSQL WebAuthn Server

  • webauthn-minimal

    Minimal go implementation of a Webauthn L2 relying party

  • FWIW if you don't care about attestation, Webauthn-L2 has client-side helper functions like getPublicKey() that allow you to do the handshake without parsing any CBOR https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy

    If you want to check attestation you still need to parse CBOR (and whatever attestation format is inside.)

    I used this for a minimal webauthn implementation which is under 300 LoC https://github.com/arianvp/webauthn-minimal (WIP)

    However, only Chrome seems to implement the L2 spec so far. It feels like Webauthn is basically abandoned on the Mozilla side of things, as they still haven't finished implementing L1 (it's missing all the CTAP2 stuff) while it has been out for more than a year. And there have barely been any Webauthn-related commits in the past years.

    But yeah, in general webauthn is a design-by-committee dumpster fire, unfortunately.

  • rekor

    Software Supply Chain Transparency Log

  • Dan's team and Google have worked with our team on the implementation of the DSSE spec, see https://github.com/sigstore/rekor/pull/596.

    I really don't understand the rent seeking argument. It is made completely without basis.

    However, I'd love to see the IETF author contribute a COSE type to rekor and show how it is better than DSSE for attestations.
