[COSE] Proposal for multiple keys / signatures in CBOR Certificates
Derek Atkins <derek@ihtfp.com> Mon, 26 September 2022 14:19 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78A2EC1524D9 for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 07:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7_ZIiG5v76P for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 07:19:18 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D3B0C14CE46 for <cose@ietf.org>; Mon, 26 Sep 2022 07:19:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 4DE40E2042 for <cose@ietf.org>; Mon, 26 Sep 2022 10:19:15 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 03331-08 for <cose@ietf.org>; Mon, 26 Sep 2022 10:19:14 -0400 (EDT)
Received: by mail2.ihtfp.org (Postfix, from userid 48) id 325B4E2040; Mon, 26 Sep 2022 10:19:14 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1664201954; bh=Hks1gNRHQKrCm2JGrRq2PMK40o9/1C+SbKSjsHxkHbU=; h=Date:Subject:From:To; b=GVSpDKYXX5Pk0mnKcPlCZXF0ANCDdKfki5IY/fp0P8IubrWQW98IEoYhESUTi8wqL FCEk2G/aTO1WSajoFv75EGS74mY6MZYzl4gByuAa/J5U6dnSUaIYxpHqsAmTAFCV+r mzpYiTznXKYHqEtMeHU6rqTjgy5mSEA0IPn15DAo=
Received: from 192.168.248.239 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Mon, 26 Sep 2022 10:19:14 -0400
Message-ID: <cd7203f430896369ac39a6d435604447.squirrel@mail2.ihtfp.org>
Date: Mon, 26 Sep 2022 10:19:14 -0400
From: Derek Atkins <derek@ihtfp.com>
To: cose@ietf.org
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Xi6eYQ3EF6quOdpSr1mtYsRdVGc>
Subject: [COSE] Proposal for multiple keys / signatures in CBOR Certificates
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 14:19:23 -0000
Hi all,
We are happily using the (currently draft) CBOR Certificates object in our
code, but we're getting closer to having a requirement where a device
needs to support multiple PK Methods (think PQC). To that end, we are
looking at a way to extend CBOR Certificates to allow for multiple
subjectPublicKey and multiple signature entries.
As a reminder, the current C509 structure is:
C509Certificate = [
TBSCertificate,
issuerSignatureValue : any,
]
TBSCertificate = (
c509CertificateType: int,
certificateSerialNumber: CertificateSerialNumber,
issuer: Name,
validityNotBefore: Time,
validityNotAfter: Time,
subject: Name,
subjectPublicKeyAlgorithm: AlgorithmIdentifier,
subjectPublicKey: any,
extensions: Extensions,
issuerSignatureAlgorithm: AlgorithmIdentifier,
)
My straightforward proposal, which keeps some amount of backwards
compatibility (in the sense that the TBSCertificate still has the same
number of top-level entries), would be to modify this to allow either a
singleton or an array for subjectPublicKeyAlgorithm, subjectPublicKey,
issuerSignatureAlgorithm, and issuerSignatureValue. At a higher level,
the restriction that both subjectPublicKeyAlgoritihm and subjectPublicKey
must contain the same number of items and in the same order, and both
issuerSignatureAlgorithm and issuerSignatureValue must contain the same
number of items and in the same order.
In CDDL this would boil down to:
C509Certificate = [
TBSCertificate,
issuerSignatureValue : any / [ any, +any ],
]
TBSCertificate = (
c509CertificateType: int,
certificateSerialNumber: CertificateSerialNumber,
issuer: Name,
validityNotBefore: Time,
validityNotAfter: Time,
subject: Name,
subjectPublicKeyAlgorithm: AlgorithmIdentifier / [
AlgorithmIdentier, +AlgorithmIdentifier ],
subjectPublicKey: any / [ any, +any ],
extensions: Extensions,
issuerSignatureAlgorithm: AlgorithmIdentifier / [
AlgorithmIdentier, +AlgorithmIdentifier ],
)
I'm not a CDDL expert, so I do acknowledge that this specification does
not restrict the validation requirements of equivalent array lengths. But
I'm not sure how one would actually encode that into CDDL.
The benefit of this approach is that all signatures cover all keys and all
SignatureAlgorithm identifiers, so you cannot go back and add a new
signature method (downgrade attack).
Another benefit of this approach is that it requires only minimal updates
to existing parsers. While it is true that a parser that expects a single
entry would fail with the array with multiple Ids/Keys/Signatures, I don't
see this as a bad thing because, most likely, the recipient would want to
be able to validate both signatures.
The only alternate approach would be an extension, but I'm not sure how
you could have multiple signatures using that approach.
Any comments/suggestions?
Oh... Having thrown this out there, I am offering to write it up if there
is interest, either as a modification to the existing CBOR-Certs draft, or
a companion draft.
Thanks,
-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
- [COSE] Proposal for multiple keys / signatures in… Derek Atkins
- Re: [COSE] Proposal for multiple keys / signature… Michael Richardson
- Re: [COSE] Proposal for multiple keys / signature… Russ Housley
- Re: [COSE] Proposal for multiple keys / signature… Derek Atkins
- Re: [COSE] Proposal for multiple keys / signature… Derek Atkins
- Re: [COSE] Proposal for multiple keys / signature… Derek Atkins
- Re: [COSE] Proposal for multiple keys / signature… Michael Richardson
- Re: [COSE] Proposal for multiple keys / signature… Derek Atkins
- Re: [COSE] Proposal for multiple keys / signature… Russ Housley