IETF Logo Mail Archive

Re: [CFRG] options == bad?

Manu Sporny <msporny@digitalbazaar.com> Thu, 18 August 2022 14:40 UTC

Return-Path: <msporny@digitalbazaar.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AAACC1522C1 for <cfrg@ietfa.amsl.com>; Thu, 18 Aug 2022 07:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digitalbazaar.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ij0dwCQzLLuk for <cfrg@ietfa.amsl.com>; Thu, 18 Aug 2022 07:40:15 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC3CC1527A0 for <cfrg@irtf.org>; Thu, 18 Aug 2022 07:40:13 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id h67so701859vsc.11 for <cfrg@irtf.org>; Thu, 18 Aug 2022 07:40:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digitalbazaar.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=yczooIgdMjdlR7Df2saM9Q2km0dTLa2AMQO9CGg0kCk=; b=OjLwAGBeWYRdbTLbrEGfD8ARFi84gZ6Xa43ar4cvGEw0UVSNSpxvldUP3bgcvJKpQK 4S/ZpGefXfQlCChQjBuM/LMjXADlkcWdQT2cEtPVmT2zdj16oD2VGlTbVsmNHMU1MUC3 EqcNzBFbmVfyROiPiNlviSZdeW6MeQlns1Kd9i3vRtuHkve6d+7HrllkY0GwMbJo54r4 iqZDQv/vfqt6cpnfb5G9L7JQpeVOG0jEy+irmIfsg5OxClqw2ALBdtLOLBhN2Ih6+HWp 22PeDZRR24dMSV5A+CCn33e4yjsFgObVDBLzhFHEWlH7eRppJiQ8n+zwthtYX/eMirY+ bv9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=yczooIgdMjdlR7Df2saM9Q2km0dTLa2AMQO9CGg0kCk=; b=YdrmQseG3W98w0xoethkW7VFHfPAk40VxHRx+Z0rKVe2koiH9OhBmeXTWZdKEIn5CB 2k4qPV4X8oWDKK3JFz9tlX57rPPilC8NAjuED16nVFqAhiMXa/iwkw7Uff+4NuYZkfpv LYTFm7Ruccp9bbxSOkHh241aDaFeFoqxBAxffr4H9x1XpUrhgGfqFO0zCiKZVWtA6BrP egzJ7CRwIbFef+XAaTOp7Gewlmq0h5QYeNz03FurIy7xmRTbS5EIAYGh1tlUyToNpk0u +GkKL+E6eV58mQ4oNqoJVe6iE/pz9V7/tHBgZUKVsgJj39TC0ecufHLn3Yi5KSsNosxN U1wA==
X-Gm-Message-State: ACgBeo3PqyCl3oX0N+nyTBBNGv8xASrUHP678Osi/r0YUr2z08cpN8zh xccLYwtwDKLihw++EwtD2MovHbAfNaXFwPuRxFLKy+dw0adTT89f
X-Google-Smtp-Source: AA6agR7m15CH0msD2ae2jMu6gd/g9Rc2DkLgL1GYsed4saR2qnkNmVpNzSzgDjM7iibizb68LbM4IYji3egaCUOo6ME=
X-Received: by 2002:a67:f60a:0:b0:388:6c5d:4579 with SMTP id k10-20020a67f60a000000b003886c5d4579mr1258971vso.19.1660833611952; Thu, 18 Aug 2022 07:40:11 -0700 (PDT)
MIME-Version: 1.0
References: <CH0PR11MB5739393F19DD5282E3D7EF549F6A9@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739557425DD3FDE5812D8479F6A9@CH0PR11MB5739.namprd11.prod.outlook.com> <4a3c52bf-d9b9-4e32-9f7f-f42256479906@beta.fastmail.com> <d9bd996d-0d2f-c313-80d2-3468cd4c956b@cs.tcd.ie>
In-Reply-To: <d9bd996d-0d2f-c313-80d2-3468cd4c956b@cs.tcd.ie>
From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 18 Aug 2022 10:39:36 -0400
Message-ID: <CAMBN2CQ9+ZXAmz=5zRgpEfur9i=REwAOKsuZa5LEJfwvW4zcQQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Martin Thomson <mt@lowentropy.net>, cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ahcgo7RZ7rL7wavG2Z4_LbE2tkk>
Subject: Re: [CFRG] options == bad?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 14:40:19 -0000

On Wed, Aug 17, 2022 at 8:57 PM Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> My own bias is to want as few as possible, but that always
> seems to lose out to a tendency to want to enable whatever
> future uses people can reasonably envisage, which can soon
> lead to a combinatoric explosion.

Stephen, how timely! :).

There is currently work happening[1] at W3C in the Verifiable
Credentials WG that is exploring exactly this topic. As an Editor on a
number of these specifications, I have an action to engage with CFRG
on the topic.

We have a need to define new identifiers for cryptography suites that
combine data transformation (such as canonicalization) with "approved
IETF/NIST/FIPS cryptography". The JOSE/COSE algorithms only help us so
much, and there is concern wrt. the optionality of all of the
algorithms that could be used. You can read some very draft-y language
that we're debating at present, speaking to what Stephen raised, here:

(Don't read too much into the existing text in the draft, it's
pre-FPWD at present and is undergoing many changes)
https://pr-preview.s3.amazonaws.com/w3c/vc-data-integrity/pull/36.html#versioning-cryptography-suites

> So if even 2 options for eddsa (RFC8032) turns out to be a
> problem, I wonder if we're doing all this right and how we
> might maybe do it better. I'd hope if there is a way to do
> it better then CFRG would be the place to do that.

There is a subset of the VC community that feels like just blanket
adopting ALL the Recommended and Optional values in JOSE/COSE
Algorithms registry is going to not only harm adoption (due to interop
difficulty), but also give the developers using this technology a
number of dangerous options (if we provide the ability to pick among a
set of parameters where they have little to no understanding wrt. the
ramifications).

So, the proposal is to aggressively profile what's in the current
JOSE/COSE algorithms registry and provide "cryptographic suites" that
have identifiers like "ecdsa-2022" or "eddsa-v1" instead of the
typical parametric approach: "RSASSA-PKCS1-v1_5-SHA1". What we are
trying to do, in effect, is publish highly focused profiles (every
couple of years) of existing CFRG-approved crypto... and eliminate as
much optionality as possible because the developers in the market
verticals involved (universities, retail, supply chain, HR) often do
not have a deep understanding of cryptography, but use it anyway.

> I don't have much in the way of concrete suggestions for a
> way to improve matters, other than maybe it'd be a plan to
> require a justification for each option when stuff gets to
> RG last call or something.

There are at least two levels to this discussion. The first is how
much optionality to have in the cryptographic primitives. The second
is how much optionality to expose to non-expert developers in
"cryptographic suites" and software libraries.

The VCWG is focused on the second item, presuming that CFRG/NIST/FIPS
is going to continue to pump out algorithms with large amounts of
parametric variability. In effect, we're trying to contain the
parameterization at the first layer (CFRG approved algorithms and
parameters), at the second layer (through the use of highly
constrained cryptographic suites).

So, this raises a number of questions:

Can "we" come to ground on what an appropriate minimal set of
parameters is for, as an example, a particular type of Elliptic Curve
digital signature algorithm (to address 80% of the use cases) for a
given period of time (and publish that as a "cryptography suite")?
That is, can we say "For the year 2022, we believe these fixed
parameters for ECDSA are good enough for 80% of the use cases" and
then revisit the parameters again in 2027 and publish a new
cryptographic suite definition? For example, P-256 seems like it could
meet 80% of the use cases in the market this year? If not, what about
P-384? If not that, what about P-521? If we fail there, perhaps we say
the ECDSA cryptosuite MUST support both P-256 and P-521 and call THAT
the cryptographic suite for ECDSA for 2022?

Do we think we can get to an "asymmetric-signature-2022" cryptography
suite? If so, would that be EdDSA w/ Ed25519? or would we pick ECDSA
since EdDSA has a bit to go to get to NIST/FIPS compliant HSMs? Do we
think we could get to a "recommended-signature-2022"?

I fully realize how heated these sorts of debates could become, but if
we can narrow the parameters for a given year (like safecurves did
from time to time) don't we increase both interoperability and safety?

We would love to see some debate in/guidance from CFRG on the topic. Thoughts?

-- manu

[1]https://www.w3.org/2022/06/verifiable-credentials-wg-charter.html#deliverables

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

v2.18.0 | Report a Bug | By Email