Re: [CGA-EXT] SEND checksum issue in current RFC 3791 - update needed

arno@natisbad.org (Arnaud Ebalard) Thu, 17 September 2009 12:08 UTC

Return-Path: <arno@natisbad.org>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6FA793A69AE for <cga-ext@core3.amsl.com>; Thu, 17 Sep 2009 05:08:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.579
X-Spam-Level:
X-Spam-Status: No, score=-3.579 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1ZiktzTfeWK for <cga-ext@core3.amsl.com>; Thu, 17 Sep 2009 05:08:43 -0700 (PDT)
Received: from copper.chdir.org (copper.chdir.org [88.191.97.87]) by core3.amsl.com (Postfix) with ESMTP id D6F1B28B797 for <cga-ext@ietf.org>; Thu, 17 Sep 2009 05:08:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natisbad.org; s=mail; h=From:To:Cc:Subject:References:Date: In-Reply-To:Message-ID:MIME-Version:Content-Type; bh=SBCXXyXUY9i aFVtM1sg6cLzvfhpKe3UqHiuxPht6jTU=; b=NrLnHaT2hfpU2nhM1v7tcskWCdT xTFmFoBPLaZ00rT6Wl/dKdCnXl0qBuZzSrEMxEg3xH1zuUqjkZKqrpFICOJwVGaL 2Al8MtXbOWiSXA5IwEJ7aWExsnHBuja2Rs2ljXrxaD9ncfKeAihaiZzaVi6Q/lel wUfh78gsbd5vou+o=
Received: from [2001:7a8:78df:2:20d:93ff:fe55:8f79] (helo=small.ssi.corp) by copper.chdir.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <arno@natisbad.org>) id 1MoFnj-0006Aj-Hh; Thu, 17 Sep 2009 14:09:27 +0200
From: arno@natisbad.org
To: Sheng Jiang <shengjiang@huawei.com>
References: <002b01ca3787$57bedfc0$3a0c6f0a@china.huawei.com>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: 47EB 85FE B99A AB85 FD09 46F3 0255 957C 047A 5026
X-Hashcash: 1:20:090917:cga-ext@ietf.org::AxAKSp5rWu1DtYYV:0055p
X-Hashcash: 1:20:090917:wdwang@bupt.edu.cn::mVVzzg5lposD67xI:00000000000000000000000000000000000000000001NZt
X-Hashcash: 1:20:090917:elevyabe@cisco.com::mKt2rzHRg+SvWrUJ:00000000000000000000000000000000000000000007nhD
X-Hashcash: 1:20:090917:shengjiang@huawei.com::99Gqmy+xJDTMPUAk:00000000000000000000000000000000000000009uOT
Date: Thu, 17 Sep 2009 14:10:07 +0200
In-Reply-To: <002b01ca3787$57bedfc0$3a0c6f0a@china.huawei.com> (Sheng Jiang's message of "Thu, 17 Sep 2009 19:09:36 +0800")
Message-ID: <87y6odojq8.fsf@small.ssi.corp>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/23.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: 'wdwang' <wdwang@bupt.edu.cn>, cga-ext@ietf.org
Subject: Re: [CGA-EXT] SEND checksum issue in current RFC 3791 - update needed
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2009 12:08:44 -0000

>> >> B, more efficiently, on the sender side, as you said, the input of 
>> >> RSA signature should be a checksum with all 0, and after signature 
>> >> attached, the checksim is computed over the whole packet. However, 
>> >> this makes the signature over checksum totally meaningless. 
>> >> Alternatively, we may take checksum bits out from the RSA 
>> signature input.
>> 
>> Performing the signature over the given layout with the null 
>> checksum prevents useless copies: you zero the field, pass 
>> the whole buffer to your signature function w/o the need to 
>> copy things to create a different layout. But I guess this 
>> does not matter anymore.
>
> Agree. If this is the initial design, it should be more efficient. However,
> if we need to follow what is already in current specification, try to keep
> consistent and compliant, don't break the existing implementations, then A
> is the only choice.

sadly, yes.