Re: [COSE] Review of draft-jones-cose-additional-algorithms-00
Mike Jones <Michael.Jones@microsoft.com> Wed, 13 March 2019 20:11 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF9DD124D68; Wed, 13 Mar 2019 13:11:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29KzPtrXxYmw; Wed, 13 Mar 2019 13:11:02 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650126.outbound.protection.outlook.com [40.107.65.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA75A130E66; Wed, 13 Mar 2019 13:11:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uN6/r5K8FgrIUbMwPp0+XXTNq2KzDDYweTSmeIOkhBU=; b=HxYhbGx19+XWQ7Hpj2X2hSOHVk0Fu1q9U+ZlXLoodxiM/nltuFDTYYgf88p81U7ij9Hv6q+6XmCL6e9/CfWWJzxYizIxmVMTAEZeUL6WmI8OE7CU4BQwNmd+gVsYNS0rZldU0SQ8OTatlb86ghBR9JgcOesUjJ+M/+obyK7yxbE=
Received: from MW2PR00MB0298.namprd00.prod.outlook.com (52.132.148.29) by MW2PR00MB0316.namprd00.prod.outlook.com (52.132.148.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1747.0; Wed, 13 Mar 2019 20:10:59 +0000
Received: from MW2PR00MB0298.namprd00.prod.outlook.com ([fe80::1139:4bca:cb25:30ed]) by MW2PR00MB0298.namprd00.prod.outlook.com ([fe80::1139:4bca:cb25:30ed%8]) with mapi id 15.20.1747.000; Wed, 13 Mar 2019 20:10:59 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "draft-jones-cose-additional-algorithms@ietf.org" <draft-jones-cose-additional-algorithms@ietf.org>
CC: 'cose' <cose@ietf.org>
Thread-Topic: Review of draft-jones-cose-additional-algorithms-00
Thread-Index: AdTZRiLjWoUfKGT9RqWhTMHrblua1AAj4Tfw
Date: Wed, 13 Mar 2019 20:10:59 +0000
Message-ID: <MW2PR00MB02984FB92E4B78D239C97DC4F54A0@MW2PR00MB0298.namprd00.prod.outlook.com>
References: <00ca01d4d951$93f2ac80$bbd80580$@augustcellars.com>
In-Reply-To: <00ca01d4d951$93f2ac80$bbd80580$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=915c8ceb-25c3-45aa-a7f0-000057813ba7; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-03-13T19:47:57-0800; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
x-originating-ip: [2001:4898:80e8:a:b074:2c99:4ff1:2f30]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 39a2f3d5-1854-4a3e-3c61-08d6a7f00264
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:MW2PR00MB0316;
x-ms-traffictypediagnostic: MW2PR00MB0316:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <MW2PR00MB0316027492B0796F2F149451F54A0@MW2PR00MB0316.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 09752BC779
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(396003)(346002)(39860400002)(136003)(189003)(13464003)(199004)(51914003)(14454004)(14444005)(256004)(8990500004)(81166006)(81156014)(33656002)(97736004)(9686003)(55016002)(6436002)(6306002)(10290500003)(10090500001)(478600001)(68736007)(72206003)(76176011)(99286004)(7696005)(53936002)(966005)(8936002)(6506007)(102836004)(53546011)(305945005)(7736002)(6346003)(5660300002)(186003)(6246003)(22452003)(52536013)(4326008)(2501003)(316002)(11346002)(229853002)(476003)(2906002)(446003)(486006)(110136005)(46003)(6116002)(86362001)(105586002)(106356001)(86612001)(8676002)(71190400001)(25786009)(74316002)(71200400001); DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR00MB0316; H:MW2PR00MB0298.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 5+c/gLCyTc65kMzGvISotYpz1ZdErVmgdtRY1FPhb9Fl7fJmDQ8PB2XJbn3lb4hVbtTe3an3Zs9WRA5UJHR0SGEk0Gnt9DRR89TH3+cS6Y7xpEyu6itltnwJyo4YOtNegrmnceQom0tf7NAnMKw+jfG0/vByvMs/CZIBHO5U/XdQVr5liPODVBwpUqDCN1W4/b4fzn1jIQ4nDkVDmDlco+i01Bi2YAKVPIP12y5CDmIr3wnUTkcPlOa/AcOEvQXD+MZygn01Qsv039XcAGv4r93NUjc+GvVaqqJscWLbec8ZaPXnPCFP6sLZasv50jIHJVtLKHkMOBU4mFb7DAXw+wsBiaI0DKW5iH+vTxNbsXmaIAsryRR+oiSctbXh01MC/GEJINnt4rtBacM726z5qSXdGX6CXXpco9/xx20D//c=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 39a2f3d5-1854-4a3e-3c61-08d6a7f00264
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2019 20:10:59.2467 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR00MB0316
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/XCb6TQuYwDn1KwkldO90Jiqc4Ig>
Subject: Re: [COSE] Review of draft-jones-cose-additional-algorithms-00
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 20:11:05 -0000
Thanks for the detailed review, Jim. See my replies inline... -----Original Message----- From: Jim Schaad <ietf@augustcellars.com> Sent: Tuesday, March 12, 2019 9:02 PM To: draft-jones-cose-additional-algorithms@ietf.org Cc: 'cose' <cose@ietf.org> Subject: Review of draft-jones-cose-additional-algorithms-00 Here is a first pass review: 1. I was surprised that there are two algorithms still in the WebAuthn document that are not included here. Is that intentional and what is the plan forward for them? You're correct that the algorithms ED256 and ED512 in https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-cose-alg-reg aren't yet in the document. This was a matter of time to produce the draft - not a statement that they aren't important to WebAuthn. They will be added in future drafts. 2. The title of the document is not descriptive in terms of a stand alone sentence on what this document is doing. It should be more specific on the algorithms. Fair enough. I'll plan a title change after working group adoption (assuming that happens as a result of the call for adoption). 3. Abstract: A list of the algorithms being processed in this document would be reasonable. Based on the current text, the abstract would need to be re-written as soon as the algorithms are registered because they would then be registered and thus the specification is not necessary. It would also be slightly odd in the event that the CTAP or WebAuthn protocols are updated to add new algorithms as they would not be in this document. (See issue #1.) Thanks. Will revise accordingly after adoption. 4. Section 1: See abstract comment. Agreed. 5. Section 2: The recommended column needs to be added to the table. Will do. 6. Section 2: The discussion on what is and is not recommended and why belongs in this section not in the security considerations. OK 7. Section 2: You are missing some checks that should be done on signing and verification. Look at the standard text at the end of sections in RFC 8152 for a pattern. You might also want to add a check on lengths of keys both for a maximum and a minimum length. Thanks 8. Section 3: This should not be the first use of JOSE and COSE and therefore the expansions here make no sense. That should be in the introduction. OK 9. Section 3.1: I have only rarely seen this curve as P-256K, it is almost always referred to as secp256k1. I would ask that this be changed in the COSE representation. I am agnostic about what should be in the JOSE representation. I'm OK changing the string to "secp256k1" after adoption, assuming others concur. 10. Section 3.1: I don't understand the reason for the last paragraph in the section. It seems to me that this should just refer to all of the items defined for EC2 in COSE. Sure 11. Section 3.1: Is there a recommendation on using compressed vs non-compressed points? Uncompressed should always work. I'd like to try to understand how actual deployments are using this before commenting on whether compressed should be supported as well. I'll plan to ask this in Prague. 12. Section 3.1: You need to talk about if this is going to be IETF recommended or not. (And why) There was a CFRG discussion on this in June. Dan Brown isn't in love with it but wasn't aware of specific problems with it - see https://mailarchive.ietf.org/arch/msg/cfrg/N-XU09enlfMYEbl3L4IWCM5D8WQ. Richard Barnes pointed this study of it https://eprint.iacr.org/2014/161.pdf. This is another thing we should discuss in Prague. 13. Section 3.2: I don't understand what this section is doing. If you are really defining a new signature algorithm, then that should be noted as part of the requirements in section 3.1 on the key. If you are not defining a new signature algorithm then this section makes zero sense. (You are not saying what the hash algorithm is.) Both options are reasonable. It's defining the algorithm identifiers. That needs to be somewhere and this is parallel with how it was done in JWA [RFC 7518]. 14. Section 3.2: If this is a new signature algorithm then it should say what curves it operates with. Else there should be an addition of the algorithms that are legal in section 3.1 It's not a new algorithm. It's a new set of identifiers. I can revise to make this clear. 15. Section 4.1 - The correct term is 'provisional' not 'temporary'. The term "TEMPORARY" is used in https://www.iana.org/assignments/cose/cose.xhtml#algorithms but I agree that "provisional" is the right term. I'll revise accordingly. 16. Section 5.4 - So if somebody changes the crv value, is there any way to tell the difference? If so then that should be described here. OK 17. Section 5.3 - This text seems to be self-contradictory. If you MUST NOT use it, then how can you then use it? How does an implementation know when it is or is not acceptable practice to use this? It's saying that COSE implementations MUST NOT use it. That doesn't mean that we can stop TPMs from using it, and it's in that context that this algorithm identifier is used. 18. CHAIRS: You should run the fact that this document is updating JOSE registries as well and make sure that there are going to be no surprises about this being not in charter. Given that the charter listed draft-jones-webauthn-secp256k1-00 as a starting point and it was already performing JOSE algorithm registrations, I suspect that there's no surprises in us doing so. Jim Thanks again, -- Mike