[CFRG] Re: Reply: I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt
Simon Josefsson <simon@josefsson.org> Tue, 10 September 2024 07:32 UTC
From: Simon Josefsson <simon@josefsson.org>
To: Daniel Huigens <daniel.huigens=40proton.ch@dmarc.ietf.org>
References: <GVXPR07MB9678799A86599695B7B31F41892F2@GVXPR07MB9678.eurprd07.prod.outlook.com> <20240322070827.738849.qmail@cr.yp.to> <TYAPR01MB4992039FC820D0425D2C6BE4C1982@TYAPR01MB4992.jpnprd01.prod.outlook.com> <gxv1hzo2clc_DYYNrKi-yGA5PoEH6v_UZcW7I8R7XttivBTZLNBXPlO3jM3nhZnB86HnGlCdKHmQpznBynplCeapP7jkJYj-XYLvfGPDSQQ=@proton.ch>
Date: Tue, 10 Sep 2024 09:28:07 +0200
In-Reply-To: <gxv1hzo2clc_DYYNrKi-yGA5PoEH6v_UZcW7I8R7XttivBTZLNBXPlO3jM3nhZnB86HnGlCdKHmQpznBynplCeapP7jkJYj-XYLvfGPDSQQ=@proton.ch> (Daniel Huigens's message of "Mon, 09 Sep 2024 15:16:53 +0000")
Message-ID: <87v7z40xyw.fsf@kaka.sjd.se>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FyyPUjDjDH7JDYgR7K3zlHClumE>
If people strongly desire a randomized version of Ed25519, I believe it would be better to update RFC 8032 to describe a new randomized variant and give it a name (rEdDSA/rEd25519/rEd448?) instead of altering the old EdDSA algorithm that is already well described and established. If we do this, then Web Crypto can refer to either algorithm by name (or permit both -- since the decision is opaque from the consumer's point of view), and it will be clear which algorithm is intended, rather than having the algorithm be implied depending on whether the implementer chose to implement a separate RFC document or not, making things unclear to application and protocol designers.

/Simon

Daniel Huigens <daniel.huigens=40proton.ch@dmarc.ietf.org> writes:

> Hi folks,
>
> Speaking in the capacity of Web Cryptography API editor here.
>
> WebKit has shipped an implementation of Ed25519 that on macOS produces
> randomized signatures, presumably because its CryptoKit has implemented
> this draft.
>
> The current draft specifying Ed25519 in Web Crypto [1] only refers to
> RFC 8032, but Apple has requested that we explicitly allow generating
> randomized signatures as well, e.g. by referring to this draft.
> Therefore I'd like to ask:
>
> 1. Is it expected that this draft will become an RFC, such that
> it's reasonable to refer to the draft already (at least from
> the Editor's draft of Web Crypto, for example)?
>
> 2. If the draft does become an RFC, is it necessary to refer to it
> explicitly at that point? Or, will all references to RFC 8032 also
> allow randomized signatures automatically, given that this draft
> updates that RFC? (I imagine this is also relevant for IETF specs
> like RFC 9580 (OpenPGP) which refers to RFC 8032 as well, though
> e.g. RFC 8446 (TLS 1.3) refers to "[RFC8032] or its successors".)
>
> Best,
> Daniel
>
> [1]: https://wicg.github.io/webcrypto-secure-curves/
>
> ---
>
> Daniel Huigens
> Cryptography Team Lead
> Proton AG
>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org