> Overthinking is a result of underspecification in the COSE RFC/bis-draft.
This is not underspecification; this is leaving decisions to the protocol using COSE. I am trying to get you to make those decisions. > Constrained vouchers (application-type/voucher-cose+cbor, TBD3) SHOULD NOT > use the > COSE header "content type” field They CANNOT unless you allocate a media type for an unprotected voucher. Are you also saying that they should/should not use “countersignature”? Maybe a single sentence that explains that there are no header parameters in use expect those that you specify would be enough. > because the encoding is never "ambiguous" > according to RFC8152 Section 3.1. Well, that is actually not true, as far as I know. How do you *know* that the signed payload is a voucher? (Remember that the attacker can repackage anything that is not protected ad nauseam, so a tag/media type *outside* the signature is not such an indication.) Abadi-Needham #1. Grüße, Carsten _______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima
