[CFRG] OCB does not have an OID specified, that is a general problem

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 07 June 2021 12:51 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 07 Jun 2021 08:51:30 -0400
Message-ID: <CAMm+Lwizfw6=T28gGOgeGZ=4CEHsQ5BoWcAt5mOWbyJHLVJmuQ@mail.gmail.com>
To: IETF SAAG <saag@ietf.org>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/e7aQwOBKVApwNxb1SOUggOhaHdc>

Raising this in SAAG because this raises a policy issue and CFRG because
that is where the policy should be enforced. It is also relevant to LAMPS
but trying to avoid cross posting as everyone on the LAMPS list is likely
on SAAG.


RFC 7253 specifies OCB mode. But there is no OID specified to use OCB with
CMS, nor are there identifiers for use with JOSE.

This is problematic to say the least. If an algorithm is worth publishing
as an RFC, there should be definitive identifiers for general purpose
packaging formats specified in that RFC.

I would like to propose that, in future, assignment of relevant OIDs and JOSE
identifiers be considered a requirement for similar work. If a spec for a
symmetric mode isn't sufficiently specified to enable interoperable
implementation in CMS and JOSE, it is not sufficiently specified to be an
RFC.

This would not cover TLS, IPsec, etc., since they have rather different
considerations. Algorithms are curated and selected as suites for TLS for a
start.

I am not a fan of having multiple registries for specifying identifiers for
algorithms. In fact, if I had my way, there would be a single IANA text
registry because while we could write a spec for a cryptographic algorithm
and call it SMTP, that would be silly.

It seems to me that one registry for the ASN.1 identifiers and one for
text-based identifiers is sufficient for all reasonable purposes. To the extent
that XML signature and encryption are still a thing, well, why don't we just
specify a generic URN scheme for IANA registries and have done?