Re: [COSE] [jose] Review of draft-ietf-jose-fully-specified-algorithms-02

John Mattsson <john.mattsson@ericsson.com> Tue, 26 March 2024 05:20 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Orie Steele <orie@transmute.industries>
CC: "jose@ietf.org" <jose@ietf.org>, "cose@ietf.org" <cose@ietf.org>
Date: Tue, 26 Mar 2024 05:20:43 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/eXzLjR72_lihF8DcoSJElo0p0yQ>

Hi Orie,

>I would say there is disagreement on the binding between keys and algorithms, and positions vary depending on which working group you ask.

My understanding talking to people is that there seems to be support to register new Fully-Specified Algorithms also in COSE.

>Signatures being not fully specified seem to have less of an impact, but guidance moving forward should be clear, especially for PQ and Hybrid Algorithms.

Yes. I fully agree with the goal of specifying Fully-Specified Algorithms for everything people want to use and to provide clear guidance for future registrations.

>Perhaps a compromise would be to only register new code points for Ed25519EdDSA / Ed448EdDSA in JOSE and COSE and simply deprecate the other algorithms without additional allocations?

I am very sure a lot of people want to continue to use ECDSA in COSE. My problem was not with registering new ECDSA algs, it was with deprecating the old algorithms that many people are using without problems.

I am also quite sure that people in COSE/JOSE want to continue to use RSA. Thinking more about RSA, one way to solve the negotiation problem for the RSA algorithms is if draft-ietf-jose-fully-specified-algorithms updates RFC 7518 and RFC 9053 to limit key lengths to a subset and to specify that this subset must be supported. If we cannot agree on such a subset, then the current algorithms are clearly not fully specified.

>Will be marking all the ECDSA / EdDSA / ECDH / DH stuff deprecated when a CRQC arrives anyway.

Yes, but that is likely decades away if it ever happens at all.

Cheers,
John Preuß Mattsson

From: Orie Steele <orie@transmute.industries>
Date: Monday, 25 March 2024 at 18:24
To: John Mattsson <john.mattsson@ericsson.com>
Cc: jose@ietf.org <jose@ietf.org>, cose@ietf.org <cose@ietf.org>
Subject: Re: [jose] Review of draft-ietf-jose-fully-specified-algorithms-02

I wouldn't say there is nothing wrong with those algorithms.

I would say there is disagreement on the binding between keys and algorithms, and positions vary depending on which working group you ask.

For example:

https://mailarchive.ietf.org/arch/msg/tls/4CryTBuFG64IlMhpCEvE2tLjeeg/

Not all the changes COSE made were improvements, some of the differences from JOSE are mistakes, and have gone against security guidance, and leaned into the "a-la-carte" cryptographic suite approach, which I believe we have learned to avoid in protocols.

In COSE, algorithms such as ECDH-ES + HKDF-256 and ECDH-ES + A128KW not committing to the algorithm used with the content encryption key, have introduced attacks, which we are still discussing how to clean up:

https://www.rfc-editor.org/rfc/rfc9459.html#section-8

As evidenced above ^ deprecation without replacement is possible... when there is no other option.

Signatures being not fully specified seem to have less of an impact, but guidance moving forward should be clear, especially for PQ and Hybrid Algorithms.

Perhaps a compromise would be to only register new code points for Ed25519EdDSA / Ed448EdDSA in JOSE and COSE and simply deprecate the other algorithms without additional allocations?

Will be marking all the ECDSA / EdDSA / ECDH / DH stuff deprecated when a CRQC arrives anyway.

Regards,

OS



On Wed, Mar 20, 2024 at 6:17 PM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:

Hi,

It would be good with more discussion of the draft in COSE. Some people go to both COSE and JOSE, but many people are strictly interested in one of them.

One more comment:

I think the deprecations are problematic:
  - JOSE EdDSA
  - COSE ES256 (-7)
  - COSE ES384 (-35)
  - COSE ES512 (-36)
  - COSE EdDSA (-8)

- There is nothing wrong with these algorithms in systems that do not need to negotiate capabilities using the algorithm identifiers. A lot of systems are using these algorithms without problem. They are also hardcoded in other RFCs and external specifications.

- COSE: Deprecating ES256 (-7) and EdDSA (-8) and registering ESP256 (-9) and Ed25519 (-50) adds one (or more) byte for people using Ed25519 in COSE and uses one more of the rare 1 byte identifiers.

Cheers,
John Preuß Mattsson

From: jose <jose-bounces@ietf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Date: Thursday, 21 March 2024 at 09:55
To: jose@ietf.org <jose@ietf.org>, cose@ietf.org <cose@ietf.org>
Subject: [jose] Review of draft-ietf-jose-fully-specified-algorithms-02

Hi,

- “6.1.  Algorithms for Signing with RSASSA-PKCS1-v1_5”

Probably better to call this “6.1 RSA Algorithms” as it applies to RS*, PS*, and RSAES-OAEP.

- “The working group has discussed whether the RS256, RS384, and RS512 algorithms should be considered fully-specified or not”

I think the group needs to decide if registrations like this should be allowed in the future. This should be clear if someone wants to specify similar algorithms.

- “This is not a problem in practice, because RSA libraries accommodate keys of different sizes without having to use different code.”

This is not always true. I know of still deployed RSA implementations that only support up to RSA-2048. But this was not COSE/JOSE. I would however not be surprised if COSE implementations on very constrained devices run out of memory if they are given a large RSA key.

- HSS-LMS is not fully specified. Maybe that should be mentioned.

Cheers,
John Preuß Mattsson


--



ORIE STEELE
Chief Technology Officer
www.transmute.industries
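
The identifier-size point in the 20 March message quoted above (deprecating -7 and -8 while registering -9 and -50) follows from how CBOR encodes integers. The sketch below is an added example, not part of the thread or of the draft; it encodes the COSE algorithm values quoted in that message and compares their encoded lengths. The function names are chosen for this example.

```python
import struct

def cbor_int(value: int) -> bytes:
    """Encode an integer as a CBOR major type 0 (unsigned) or 1 (negative) item."""
    # Negative n is carried as the unsigned argument -1 - n under major type 1.
    major, arg = (0, value) if value >= 0 else (1, -1 - value)
    if arg < 24:
        # Arguments 0..23 fit in the initial byte itself: one byte total.
        return bytes([(major << 5) | arg])
    for info, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                             (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if arg < limit:
            return bytes([(major << 5) | info]) + struct.pack(fmt, arg)
    raise ValueError("outside the CBOR 64-bit integer range")

# Algorithm values exactly as quoted in the message above.
ALGS = {"ES256": -7, "EdDSA": -8, "ESP256": -9,
        "Ed25519": -50, "ES384": -35, "ES512": -36}

def encoded_sizes(algs=ALGS) -> dict:
    """Map each algorithm name to the byte length of its CBOR-encoded identifier."""
    return {name: len(cbor_int(value)) for name, value in algs.items()}

def size_delta(old: int, new: int) -> int:
    """Bytes added (positive) or saved (negative) when `new` replaces `old`."""
    return len(cbor_int(new)) - len(cbor_int(old))

def one_byte_negative_ids() -> list:
    """All negative integers whose CBOR encoding is a single byte."""
    return [n for n in range(-1, -300, -1) if len(cbor_int(n)) == 1]

if __name__ == "__main__":
    for name, size in encoded_sizes().items():
        print(f"{name:8} {ALGS[name]:4}  {cbor_int(ALGS[name]).hex()}  {size} byte(s)")
    print("EdDSA (-8) -> Ed25519 (-50):", size_delta(-8, -50), "extra byte(s)")
    print("ES256 (-7) -> ESP256 (-9):  ", size_delta(-7, -9), "extra byte(s)")
    print("single-byte negative identifiers available:", len(one_byte_negative_ids()))
```
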