Skip to content

Add kid header to protected headers #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
msftsettiy wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add kid header to protected headers #122

msftsettiy wants to merge 3 commits into from

Conversation

@msftsettiy
Copy link
Member

@msftsettiy msftsettiy commented Dec 8, 2024

This PR contains code and test changes to add key identifier (KID) header to the protected headers. KID is a common COSE header parameter that identifies the cryptographic key used for signing.

lemccomb
lemccomb previously approved these changes Dec 9, 2024
View reviewed changes
@lemccomb lemccomb dismissed their stale review December 9, 2024 19:05

missing context

@achamayou
Copy link
Member

achamayou commented Nov 24, 2025

@lemccomb kid is a common COSE header parameter described in Section 3.1 of RFC9052.

The RFC specifies allows it to be placed in either header:

This is not a security-critical field. For this reason, it can be placed in the unprotected-header-parameters bucket.

Applications that make use of transparency services probably want to use the protected header for kid, since the unprotected header is typically stripped by implementations, as per Section 6.3. of the SCITT Architecture Draft:

However, the unprotected header of a Signed Statement MUST be set to an empty map before the Signed Statement can be included in a Statement Sequence.

It is of course possible for the client to re-attach it post-TS, and so this is not strictly speaking necessary, but it is quite convenient and make key usage transparent as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@lemccomb lemccomb lemccomb left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

@msftsettiy msftsettiy

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@msftsettiy @achamayou @lemccomb @settiy-ms @actions-user