IETF Logo Mail Archive

Re: [COSE] draft-jones-cose-rsa

Jim Schaad <ietf@augustcellars.com> Sat, 14 January 2017 05:46 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1167C129880 for <cose@ietfa.amsl.com>; Fri, 13 Jan 2017 21:46:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.099
X-Spam-Level:
X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7W2ZgLpNUYin for <cose@ietfa.amsl.com>; Fri, 13 Jan 2017 21:46:42 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74069129446 for <cose@ietf.org>; Fri, 13 Jan 2017 21:46:41 -0800 (PST)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 13 Jan 2017 22:09:42 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, cose@ietf.org
References: <BN3PR03MB235550B5FC35228818245197F5780@BN3PR03MB2355.namprd03.prod.outlook.com>
In-Reply-To: <BN3PR03MB235550B5FC35228818245197F5780@BN3PR03MB2355.namprd03.prod.outlook.com>
Date: Fri, 13 Jan 2017 21:46:32 -0800
Message-ID: <047c01d26e29$90adf600$b209e200$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_047D_01D26DE6.828CB1D0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIZXa8Af/bdJgJiEwjsTavUjIGzsaCplM5A
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/RgY1AW2UjmTRcs204w1NSXXXoLI>
Cc: draft-jones-cose-rsa@tools.ietf.org
Subject: Re: [COSE] draft-jones-cose-rsa
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2017 05:46:45 -0000

 

 

From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
Sent: Friday, January 13, 2017 2:55 PM
To: Jim Schaad <ietf@augustcellars.com>; cose@ietf.org
Cc: draft-jones-cose-rsa@tools.ietf.org
Subject: RE: draft-jones-cose-rsa

 

Thanks for taking the time to write this up, Jim.  Responses are inline
below.

 

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Sunday, January 01, 2017 3:34 PM
To: draft-jones-cose-rsa@tools.ietf.org
<mailto:draft-jones-cose-rsa@tools.ietf.org> 
Cc: jose@ietf.org <mailto:jose@ietf.org> 
Subject: [jose] draft-jones-cose-rsa

 

Comments:

 

0.  Should this be done in curdle rather than as AD sponsored?

 

I had requested AD sponsorship because of how simple the draft is.  It
registers a few numbers in registries being created by the COSE Messages
draft and defines the layout of RSA keys (in a way that's completely
parallel to the JOSE layout, but using CBOR rather than JSON).  It uses no
new algorithms.  It didn't seem to rise to the occasion of needing a working
group - especially when there remain COSE WG members such as Jim willing to
take the time to give constructive feedback.

 

[JLS] Getting people to from this old WG list can still be done even if it
is done in a different working group.  That is what the idea of cross
posting is all about.  Both individuals who have made substantive comments
are on both mailing lists anyway so doing in a different group does not
close out either of them.  The amount of time a draft takes to finish
depends as much on you as a chair for most steps.  It is possible that the
Curdle group would not want the draft, but asking is still reasonable.

 

1.  As per previous mail, remove values assignments in tables 1, 2, and 3
unless you have cleared them with the appropriate registry experts.  I am
less worried about table 4 but you should clear that as well.

 

I looked for the designated experts to consult with but the IANA COSE
registries don't seem to have been created yet, nor have the experts been
publicly named.  Once they are, I will certainly consult with them.  I don't
plan to remove the values since having proposed assignments is more useful
to implementers than having none.

 

[JLS] For interop testing - that is what the private values are for. 

 

2.  Kill RSAES-OAP w/ SHA-1.  We are not doing SHA-1 currently with any of
the CBOR algorithms.  In section 3.1.1.1 - what are the properties that are
needed here for SHA-1 so we can ensure that the statement is true.  Also,
rename this to be s/ SHA-1 not w/ Default.  There are no defaults for COSE.

 

RSAES-OAEP with the default parameters defined in Section A.2.1 of RFC 3447
is included for the same reason that it is in RFC 7518 - because it's the
mostly widely implemented set of OAEP parameter choices, facilitating
interoperation of implementations.  Particularly given that RSAES-PKCS1-v1_5
is not included, RSA interop considerations lead to the decision to retain
this algorithm.

 

In the next revision, I will be clear that the defaults come from RFC 3447.

 

[JLS] There is absolutely no reason to even say that default values exist
here.  COSE does not have the concept of defaults.  Not having SHA-1 does
not seem to be a problem for PSS, why would it be a problem here?

 

3.  Text in 3.1.1.1 and 2.1.1 should be more consistent in how it is
written.

 

Suggestions for specific textual additions and/or changes would be helpful
here.

 

4. in the abstract be more specific about which RSA algorithms are being
supported.  For example, you are not doing 1.5 or KEM.

 

OK - will do

 

5.  Why does 3.1.1.1 have a size and 2.1.1 not have one.  This should be
consistent.

 

I agree with this suggestion.  I'll make sure that the minimum size applies
to all uses of RSA algorithms.

 

6.  section 3.1.1.1 should be encryption operation not decryption operation.

 

OK

 

7.  Section 3.1.1.1 - this text does not make sense "One potential denial of
service

   operation is to provide encrypted objects using either abnormally

   long or oddly sized RSA modulus values."   Should probably refer to keys

not encrypted objects.

 

OK

 

8.  There is a requirement of minimum encoding lengths - what purpose does
this serve?  Is there a security problem here or is it just a nice to have
because of message size?

 

This is there for the same reason that it is present for JWKs - to
facilitate interoperation of implementations by having a standard
representation for each key, rather enabling a multiplicity of different
representations to be used - which could cause interop problems.

 

[JLS] Not sold.

 

9. Missing some security considerations.

 

Specific suggested text would be appreciated, as always.

 

10 Section 2.1.1 s/hash functions are not truncated/hash function outputs
are not truncated/

 

Agreed

 

                                                                Thanks
again,

                                                                -- Mike

v2.23.0 | Report a Bug | By Email