Re: [COSE] Draft IETF 117 COSE agenda
Michael Prorock <mprorock@mesur.io> Thu, 20 July 2023 14:10 UTC
Return-Path: <michael.prorock@mesur.io>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8895C151984 for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 07:10:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mesur-io.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DRj8zGbQBmV for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 07:10:52 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 485A9C151982 for <cose@ietf.org>; Thu, 20 Jul 2023 07:10:52 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-992b27e1c55so143547866b.2 for <cose@ietf.org>; Thu, 20 Jul 2023 07:10:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mesur-io.20221208.gappssmtp.com; s=20221208; t=1689862250; x=1690467050; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GroovLnw5WRRH0u62GZGnGWB7CBlxnssDNSX5u0+Syo=; b=xZYzCIMmG2SkSR1gUeBr3SJ0TfeAPpUNfEzjaASmx2BbLi+IQB/9SB5EOOmWy8WVyQ aj9+zCA3+BEn5A21BV7U4HcKcvYEGvYf0ySfR7lRnMne1G6YRHenWjLF9Mg3e344Vcmp 02QmCOR0Zs8+vjmZTJvteATJ1TOSnoQNZYAUJbhTVi9wm5ycLaagTOLuMvMSMPAP84Ua S+1QARff6FuADXrfor69Innd6UHf7sY3XbPDZf72I+emx6GTil2gi2XP+RWJwZyZqn7d wEQPO7kmBYvcJk8Fxj0VFfi038CqBGmp6rGvy1DYuwy9B30184uS1zvLXWgAIU25hZqj n16w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689862250; x=1690467050; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GroovLnw5WRRH0u62GZGnGWB7CBlxnssDNSX5u0+Syo=; b=B8B0/aweEVjPkWC9JP2N/5200gRvI9QTv+hd/vDxCQ13gRzmZM3o4tLQASSMxOSnik PUY1oZL9Dd+4kppH9wu522bNVpu9srOjLDCUwWAUJzyRz+MrFYw6jZxW0y4j7lVnhs1W R8+N/0c7dO+QUqxtAbhPBDsbhuU64mWcyDSSpr4iNC5onn9sskcB88VR7L2ruKlF0Zw+ 7mAMju+RwCMillJxSb+sYGSrr0TCDs+FeTq5xBqSwRZVipcLbEL1xHEvkGb00fXEPvV7 QC7kSHVLBRBvTTPqLeSsoH/5yb2NlTZD7tK3RrYA7xwCajYS8vtx5ghHqORX0sYhwtIg /wXQ==
X-Gm-Message-State: ABy/qLYa4sbKNybYBECAIkTiQuD6iJmctYOWjwwA9a29j15cX60tJyQu R3+AVBSzf5kau3B0PVZs7HgwYeHHg6+XYkw3p6rA
X-Google-Smtp-Source: APBJJlHNY9zofENTyhAAayLTjLfjy1wsF6RtlUHvATXia1bjQCyLVAAnTijRgpgV4hw1KShxFXpWkjW8JkUk6rfE7Fg=
X-Received: by 2002:a17:907:2102:b0:987:47b3:6e34 with SMTP id qn2-20020a170907210200b0098747b36e34mr2150856ejb.67.1689862250618; Thu, 20 Jul 2023 07:10:50 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB74394E66F880D4948217ED57B738A@SJ0PR02MB7439.namprd02.prod.outlook.com> <AS8PR10MB7427A0FF328462A6212E2590EE39A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <MW4PR02MB74281BC30C2B395F77E3F1FCB739A@MW4PR02MB7428.namprd02.prod.outlook.com> <798F3FD9-115B-40C6-8F20-CB1DB1FB3648@island-resort.com> <CAFWvErU3mSR5PRk6FaW11-5r6tC1Kx9sMMBtVAqEhhjT5p1P4g@mail.gmail.com> <MW4PR02MB742891C6F229AE71BF1ECC02B73EA@MW4PR02MB7428.namprd02.prod.outlook.com> <CAFWvErV5hb8KoX12WiWn8epJJs4Q1RsCHcv4K4OAqmLQr5urnw@mail.gmail.com> <CAGJKSNSeVS8j6zUf26TxLR5w920gO0w1k3ADpEgCaKJxLQJTKQ@mail.gmail.com>
In-Reply-To: <CAGJKSNSeVS8j6zUf26TxLR5w920gO0w1k3ADpEgCaKJxLQJTKQ@mail.gmail.com>
From: Michael Prorock <mprorock@mesur.io>
Date: Thu, 20 Jul 2023 08:10:40 -0600
Message-ID: <CAGJKSNTkhZdMz0VCdY7xMHJOdfZss1rvh8dwZg1phARP3Jbstg@mail.gmail.com>
To: Michael Prorock <mprorock@mesur.io>
Cc: AJITOMI Daisuke <ajitomi@gmail.com>, Michael Jones <michael_b_jones@hotmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002b06e80600ebb7f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/MChnZrSqVX5ELntLRSMiwou2tdU>
Subject: Re: [COSE] Draft IETF 117 COSE agenda
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 14:10:56 -0000
A correction/clarification - basically, while you see both kty and alg together, if you have a well defined alg, you always know what kty is for that alg - so derivation is from alg alone Mike Prorock CTO - mesur.io On Thu, Jul 20, 2023, 08:01 Michael Prorock <mprorock@mesur.io> wrote: > Daisuke, > definitely 'combination of "alg" and key information.', especially as > things have started to evolve recently. However, I think the point that > Orie is trying to make (please correct me if I am wrong Orie) is that once > you have the 'kty' which lets you know what shape and family of keys you > are dealing with, then you should have everything you need from 'alg' and > nothing else. > > Mike Prorock > CTO, Founder > https://mesur.io/ > > > > On Thu, Jul 20, 2023 at 7:53 AM AJITOMI Daisuke <ajitomi@gmail.com> wrote: > >> Daisuke asserts “On the other hand, there are no examples like the >>> proposal from Hannes/Laurence, where the "alg" value includes information >>> about "crv" values and unrelated key operation information (e.g., KDF, >>> AEAD)”. There are actually many such examples. >> >> >> It mainly concerns the latter, which is ”unrelated key operation >> information". Anyway, while it is true that JOSE's ES* algs include the >> "crv" value implicitly, the COSE's ES* algs don't. The COSE's ES256 >> algorithm is not limited to P-256 and this crv value and the information >> about whether the key is compressed EC point or not ultimately requires >> referring to the key info. >> >> Therefore, in COSE, even ES256 has to be defined as follows: >> >> - -7 (ES256), where kty is 2 (with uncompressed points) and crv is 1 >> (P-256). >> >> It is evident that the mainstream approach is to negotiate using a >> combination of "alg" and key information. >> >> -- >> Daisuke >> >> >> 2023年7月20日(木) 9:55 Michael Jones <michael_b_jones@hotmail.com>: >> >>> [chair hat off] >>> >>> >>> >>> The interoperability problem caused by polymorphic algorithm identifiers >>> is that the “alg” and “enc” values are no longer useful for algorithm >>> negotiation. >>> >>> >>> >>> In protocols such as OpenID Connect, OAuth 2.0, and WebAuthn/FIDO2, lists of supported “alg” and “enc” values are published in metadata. For instance, here’s an example from RFC 8414: >>> >>> "token_endpoint_auth_signing_alg_values_supported": >>> >>> ["RS256", "ES256"], >>> >>> >>> >>> The problem with polymorphic algorithm identifiers such as “EdDSA” is >>> that they don’t actually specify which algorithm is used. It could mean >>> either “Ed25519” or “Ed448”. You can’t advertise which you support and/or >>> which you want. >>> >>> >>> >>> This is a problem in practice for WebAuthn, since some COSE alg >>> identifiers are polymorphic and WebAuthn and FIDO2 use COSE algorithm >>> identifiers for negotiation. See that WebAuthn specified that EdDSA always >>> uses Ed25519 – making it non-polymorphic but precluding its use with >>> Ed448. Here’s the line doing so at >>> https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy: >>> >>> - -8 (EdDSA), where crv >>> <https://tools.ietf.org/html/rfc8152#section-13.1.1> is 6 (Ed25519). >>> >>> >>> >>> Daisuke asserts “On the other hand, there are no examples like the >>> proposal from Hannes/Laurence, where the "alg" value includes information >>> about "crv" values and unrelated key operation information (e.g., KDF, >>> AEAD)”. There are actually many such examples. >>> >>> >>> >>> All the registered JOSE algorithms (for example “ES256”) fully >>> specified all parameters until “EdDSA” was registered. The COSE >>> algorithms from RFC 8812 fully specify all parameters, such as when >>> secp256k1 is used and when RSASSA is used. >>> >>> >>> >>> Likewise, if we had a single HPKE algorithm identifier, it couldn’t be >>> used to distinguish which HPKE algorithms are supported (and not all will >>> be by all implementations). This would cause the same problem for future >>> systems that, for instance, WebAuthn/FIDO2, OAuth 2.0, and OpenID Connect >>> already encounter when polymorphic algorithm identifiers are used. >>> >>> >>> >>> -- Mike >>> >>> >>> >>> *From:* AJITOMI Daisuke <ajitomi@gmail.com> >>> *Sent:* Wednesday, July 19, 2023 3:45 PM >>> *To:* Michael Jones <michael_b_jones@hotmail.com>; Ilari Liusvaara < >>> ilariliusvaara@welho.com> >>> *Cc:* cose <cose@ietf.org> >>> *Subject:* Re: [COSE] Draft IETF 117 COSE agenda >>> >>> >>> >>> > Speaking as an individual contributor, I fully support the first >>> > (fully specified) choice. Whereas the second possibility will cause >>> > endless interoperability problems. >>> >>> >>> I disagree. >>> >>> >>> +1 >>> >>> (Below, I comment from the standpoint that the design of alg values >>> should be consistent with COSE and JOSE.) >>> >>> I am convinced that the "fully specified" design, on the contrary, >>> includes more interoperability issues. >>> >>> Originally, in JOSE and COSE, the identification of the specific >>> cryptographic algorithm was done by combining the "alg" value ("ECDH-ES," >>> "EdDSA," etc.) with the information held by the key itself ({"kty": "EC", >>> "crv": "P-256", ...}, {"kty": "OKP", "crv": "Ed25519", ...}, etc.). >>> The current draft follows this approach. On the other hand, there are no >>> examples like the proposal from Hannes/Laurence, where the "alg" value >>> includes information about "crv" values and unrelated key operation >>> information (e.g., KDF, AEAD) to the original key's purpose. In JWK, the >>> "alg" value is merely an optional parameter, so packing excessive >>> information into the "alg" value will, in fact, lead to interoperability >>> issues. >>> >>> I have repeatedly written about the reasons why the current >>> specification is better than the "fully specified" design (*1, *2). >>> However, I would like to add one more point from a new perspective. >>> >>> I am very concerned that JWK, which is a "JSON representation of keys" >>> that could be used for a wide range of applications not limited to JOSE and >>> COSE, will no longer be available as a means of transmission and >>> negotiation of HPKE parameters. I think this is a very big loss. >>> >>> The following works with no problem with existing JWK implementations, >>> and it is also guaranteed to work in the JWK RFC: >>> >>> { >>> kty: "EC", >>> crv: "P-256", >>> // alg: "HPKE-v1-Base(-KEM)", // alg can be omitted as many >>> JWKs do >>> hkc: { kem: 0x0010, kdfs: [0x0001], aeads: [0x0001]}, // Unknown >>> parameters for the JWK implementation MUST be ignored on the JWK layer. >>> x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc", >>> y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI", >>> } >>> >>> On the other hand, the following does not work with many existing JWK >>> implementations. This is because existing JWK implementations often throw >>> errors for "alg" values not supported by the bundled JWS/JWE: >>> >>> { >>> kty: "EC", >>> crv: "P-256", >>> alg: " HPKEv1-Base-DHKEM(P256,HKDFSHA256)-HKDFSHA256-AES128GCM", >>> // Must be specified to specify HPKE parameters if not assuming an >>> offline(implicit) agreement. >>> x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc", >>> y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI", >>> } >>> >>> I think this example clearly illustrates the harm of putting subsequent >>> algorithm information (KDF&AEAD), which is not originally relevant to the >>> key itsef, into a key that is originally only used in the KEM step. >>> >>> >>> In any case, I am tired of the situation where even after all these >>> repeated discussions, even the obvious design point, which is obvious if >>> you read the HPKE standard, that "encapsulated_key should be expressed as a >>> sequence of bytes," is being rehashed... >>> >>> I hope the chairs will make a wise decision. >>> >>> Best regards, >>> Daisuke >>> >>> P.S. >>> ... the design of COSE-HPKE was more difficult than I had thought, as it >>> required not only knowledge of both COSE and HPKE, but also knowledge of >>> JOSE (primarily JWK) in terms of alg value design, and related >>> considerations of consistency with the W3C Web Cryptography API and >>> existing implementations. So I do not intend to ask you (the mailing list >>> participants) to agree with my suggestion easily, but I'm very glad if you >>> could read (*1)(*2) without bias. >>> >>> (*1) >>> https://mailarchive.ietf.org/arch/msg/cose/KTpXbZ3UxUH8BuLT4OmhfaToYTk/ >>> (*2) >>> https://mailarchive.ietf.org/arch/msg/cose/cPqYqCagPbWPKwvQODjqn98U3F4/ >>> >>> 2023年7月20日(木) 2:37 lgl island-resort.com <lgl@island-resort.com>: >>> >>> >>> >>> >>> >>> On Jul 19, 2023, at 9:52 AM, Michael Jones <michael_b_jones@hotmail.com> >>> wrote: >>> >>> >>> >>> As a chair, I’d like clarity on what you mean by “the single algorithm >>> design”. Do you mean that each algorithm identifier fully specifies all >>> the cryptographic parameters being used? Or do you mean that a single >>> algorithm identifier is used for all the HPKE possibilities? >>> >>> >>> >>> The proposal that Hannes, Jeremy and a few others favor is roughly this. >>> (I picked these three just as an example, the decision we want is not >>> whether these three are the ones to register, it is that we will use one >>> algorithm ID to indicate the HPKE KEM, KDF and AEAD. >>> >>> >>> >>> *Alg ID HPKE-P-256 (equivalent to COSE -29 with NIST key)* >>> >>> KEM: 0x0010 DHKEM(P-256, HKDF-SHA-256) >>> >>> KDF: 0x0001 HKDF-SHA256 >>> >>> AEAD: 0x0001 AES-128-GCM >>> >>> >>> >>> *Alg ID HPKE-P-384 (equivalent to COSE -30 with NIST key)* >>> >>> KEM: 0x0011 DHKEM(P-384, HKDF-SHA-384) >>> >>> KDF: 0x0002 HKDF-SHA384 >>> >>> AEAD: 0x0002 AES-256-GCM >>> >>> >>> >>> *Alg ID HPKE-P-521 (equivalent to COSE -31 with NIST key)* >>> >>> KEM: 0x0012 DHKEM(P-521, HKDF-SHA-512) >>> >>> KDF: 0x0003 HKDF-SHA512 >>> >>> AEAD: 0x0002 AES-256-GCM >>> >>> >>> >>> The one that Ilari and Ajitomi-san favor is what we have now in >>> COSE-HPKE: >>> >>> >>> >>> When the alg value is set to 'HPKE-v1-BASE', the HPKE_sender_info >>> >>> structure MUST be present in the unprotected header parameter. >>> >>> >>> >>> The CDDL grammar describing the HPKE_sender_info structure is: >>> >>> >>> >>> HPKE_sender_info = [ >>> >>> kem_id : uint, ; kem identifier >>> >>> kdf_id : uint, ; kdf identifier >>> >>> aead_id : uint, ; aead identifier >>> >>> enc : bstr, ; encapsulated key >>> >>> ] >>> >>> >>> >>> >>> >>> >>> >>> Speaking as an individual contributor, I fully support the first (fully >>> specified) choice. Whereas the second possibility will cause endless >>> interoperability problems. >>> >>> >>> >>> We need your efforts primarily has a chair at this point. I think we’ve >>> had the discussion. >>> >>> >>> >>> LL >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> COSE mailing list >>> COSE@ietf.org >>> https://www.ietf.org/mailman/listinfo/cose >>> >>> _______________________________________________ >> COSE mailing list >> COSE@ietf.org >> https://www.ietf.org/mailman/listinfo/cose >> >
- [COSE] Draft IETF 117 COSE agenda Michael Jones
- Re: [COSE] Draft IETF 117 COSE agenda Tschofenig, Hannes
- Re: [COSE] Draft IETF 117 COSE agenda Henk Birkholz
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Michael Prorock
- Re: [COSE] Draft IETF 117 COSE agenda Jeremy O'Donoghue
- Re: [COSE] Draft IETF 117 COSE agenda Michael Jones
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda lgl island-resort.com
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Michael Jones
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Tschofenig, Hannes
- Re: [COSE] Draft IETF 117 COSE agenda Carsten Bormann
- Re: [COSE] Draft IETF 117 COSE agenda Hannes Tschofenig
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Hannes Tschofenig
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Michael Prorock
- Re: [COSE] Draft IETF 117 COSE agenda Michael Prorock
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda lgl island-resort.com
- Re: [COSE] Draft IETF 117 COSE agenda Michael Richardson
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Stephen Farrell
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Stephen Farrell
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Carsten Bormann
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- [COSE] Opaque enc (was Re: Draft IETF 117 COSE ag… lgl island-resort.com
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… Orie Steele
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… Ilari Liusvaara
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… lgl island-resort.com
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… lgl island-resort.com