Skip to content

draft-hash-envelope-update#5

Merged
OR13 merged 1 commit into
mainfrom
draft-hash-envelope-update
Jul 7, 2026
Merged

draft-hash-envelope-update#5
OR13 merged 1 commit into
mainfrom
draft-hash-envelope-update

Conversation

@OR13

@OR13 OR13 commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Rewrites the architecture draft to match the running demo, and makes explicit the two properties requested.

  • Emblem = COSE hash envelope (draft-ietf-cose-hash-envelope): payload = hash of an external Resource; protected header carries 258/259/260, minimal CWT claims (RFC 9597, label 15) = sub + cnf, and a cnf key (RFC 8747). Media type application/digital-emblem+cose.
  • Delivery moved from a dedicated emblem.<fqdn> SVCB name to the asset's own HTTPS record (RRTYPE 65), key65280.
  • § Delivering the Entire Emblem over DNS — the whole emblem is in the DNS answer, so the protection decision needs no second, revealing fetch.
  • § Generic Discovery and Unobservability — the query that returns the emblem is the ordinary connection-setup query, so scanning for emblems does not reveal emblem-seeking intent to the infrastructure provider or an on-path observer; residual signals called out.
  • § Proof of Possession — challenge/response against the cnf key.

Builds clean locally: kramdown-rfc + xml2rfc (txt & html), all references resolved, no line >72 cols.

🤖 Generated with Claude Code

…y, cnf)

Why: align the architecture draft with the running demonstration and explain
the two load-bearing properties.

- Emblem is now a COSE hash envelope (draft-ietf-cose-hash-envelope): payload =
  hash of an external Resource; protected header carries 258/259/260, minimal
  CWT claims (RFC 9597, label 15) = sub + cnf, and a cnf key (RFC 8747).
  Media type application/digital-emblem+cose.
- Delivery moved from a dedicated emblem.<fqdn> SVCB name to the asset's own
  HTTPS resource record (RRTYPE 65), key65280, beside ordinary params.
- New section "Delivering the Entire Emblem over DNS": the whole emblem is in
  the DNS answer, so the protection decision needs no second, revealing fetch.
- New section "Generic Discovery and Unobservability": the query that returns
  the emblem is the ordinary connection-setup query, so scanning for emblems
  does not reveal emblem-seeking intent to the infrastructure provider or an
  on-path observer; residual signals are called out.
- New section "Proof of Possession": challenge/response against the cnf key.
- Validation, marking/unmarking, requirements mapping, security, and IANA
  updated accordingly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
emblem-red Ready Ready Preview, Comment Jul 7, 2026 8:00pm

Request Review

@OR13 OR13 merged commit 2a4c66e into main Jul 7, 2026
4 checks passed
@OR13 OR13 deleted the draft-hash-envelope-update branch July 7, 2026 21:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant