Re: [CFRG] [saag] OCB does not have an OID specified, that is a general problem

Russ Housley <housley@vigilsec.com> Mon, 07 June 2021 15:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YUc-RxooHGRWp-hT31__l5heflw>

It would be very easy to write a document like RFC 5084 for AES-OCB.  If you want to do that, I'm sure that LAMPS could adopt and review it.

Russ


> On Jun 7, 2021, at 8:51 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> Raising this in SAAG because this raises a policy issue and CFRG because that is where the policy should be enforced. It is also relevant to LAMPS but trying to avoid cross posting as everyone on the LAMPS list is likely on SAAG.
> 
> 
> RFC 7253 specifies OCB mode. But there is no OID specified to use OCB with CMS, nor are there identifiers for use with JOSE.
> 
> This is problematic to say the least. If an algorithm is worth publishing as an RFC, there should be definitive identifiers for general purpose packaging formats specified in that RFC.
> 
> I would like to propose that, in future, assignment of relevant OIDs and JOSE identifiers be considered a requirement for similar work. If a spec for a symmetric mode isn't sufficiently specified to enable interoperable implementation in CMS and JOSE, it is not sufficiently specified to be an RFC.
> 
> This would not cover TLS, IPSEC etc. since they have rather different considerations. Algorithms are curated and selected as suites for TLS for a start. 
> 
> I am not a fan of having multiple registries for specifying identifiers for algorithms. In fact if I had my way, there would be a single IANA text registry because while we could write a spec for a cryptographic algorithm and call it SMTP, that would be silly. 
> 
> It seems to me that one registry for the ASN.1 identifiers and one for text based identifiers is sufficient for all reasonable purposes. To the extent that XML signature and encryption are still a thing, well why don't we just specify a generic URN scheme for IANA registries and have done.