IETF Logo Mail Archive

Re: [COSE] Draft IETF 117 COSE agenda

Orie Steele <orie@transmute.industries> Thu, 20 July 2023 14:27 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED480C14CE2C for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 07:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oMYks6-PjJBT for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 07:27:40 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0061CC14F75F for <cose@ietf.org>; Thu, 20 Jul 2023 07:27:39 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2b734aea34aso12815071fa.0 for <cose@ietf.org>; Thu, 20 Jul 2023 07:27:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1689863258; x=1690468058; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jpoY280r4XDZmMJi0N832eraujkZf+DUfiSMLZlA7dI=; b=KS0rf57LwCdPsUGx+DGiXxjVyi53Ado0k181Wq5X3yBuOiX0++1W5nAF+mT5QPpYVv oYewxOx9u7Yc3J/Vy6Ff1M1eNX0hT8B0zFBgJqR/M8RBbJ7wqq1i5l3O+Y4n089t9iWP In63afVSKGGwVh23AuFq1sbh6LIT/OQ6XVJJ1lSdKnRtSxnAhfT2/AR0B779zTS2KmGB RDRKHNlZgvnTWD29QTSjuQHYD7cEyWEbB+1avtrhmmkBKxQl1k+HigonqFoPapFgbq2l KkKHzMi6bLDSD1piciE/biYCJHBq/+pA0+QiQL+REpQoE104v4Mgx8eSkJgECKKeeE74 P1Rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689863258; x=1690468058; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jpoY280r4XDZmMJi0N832eraujkZf+DUfiSMLZlA7dI=; b=JsV5DSgTDJYy5xBgmV01fJMrFi/XZNJctnaJKwXd01zUfbSpT6kJ7kI96n8wX2gEX/ 3FPQFC+5+RczWCkQAbQqdsfqmjdsRhVkX678MIoPmXg00jmiESHvHpSu6ipra6aJIirn YbAdRenNdfxQxJ6uYkoXnTPixg1U+RqwUfBFQdmrPvNsTUEHTCJRYKu0JW6eYSB7vtJ3 vcbi2BlxHMkfczg2KO9JaxSQPT8Rg4asyjMa56nKP2aT6EKKDHzv1/skB9twqGNOFC3s qvVWj//FyugpWr9c4anjfF8HmMI/QhSbkim6GPb7jtSxSEe8f7ppn+KZZvCCSkEZ23Pd ascQ==
X-Gm-Message-State: ABy/qLZ8hxlyY/DIKaJOcdFmE7+2HWaUK1Od+4sPluMg15QSvzUHF6pF 8LwkBkT9X4XGr2Raf6vDPyCP/kRJZTAEJObgTI6VhQ==
X-Google-Smtp-Source: APBJJlGfAg1VgYTtWPDwRngJ3zC9FO8Rv1CNsrGhf0Xjz0JcWmXjmpj5oN/x0jGT8KhLUMO+cVboErLfKnhgApXlZSg=
X-Received: by 2002:a19:5f57:0:b0:4fd:d517:fbd8 with SMTP id a23-20020a195f57000000b004fdd517fbd8mr2370033lfj.9.1689863257559; Thu, 20 Jul 2023 07:27:37 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB74394E66F880D4948217ED57B738A@SJ0PR02MB7439.namprd02.prod.outlook.com> <AS8PR10MB7427A0FF328462A6212E2590EE39A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <MW4PR02MB74281BC30C2B395F77E3F1FCB739A@MW4PR02MB7428.namprd02.prod.outlook.com> <798F3FD9-115B-40C6-8F20-CB1DB1FB3648@island-resort.com> <CAFWvErU3mSR5PRk6FaW11-5r6tC1Kx9sMMBtVAqEhhjT5p1P4g@mail.gmail.com> <MW4PR02MB742891C6F229AE71BF1ECC02B73EA@MW4PR02MB7428.namprd02.prod.outlook.com> <CAFWvErV5hb8KoX12WiWn8epJJs4Q1RsCHcv4K4OAqmLQr5urnw@mail.gmail.com> <CAGJKSNSeVS8j6zUf26TxLR5w920gO0w1k3ADpEgCaKJxLQJTKQ@mail.gmail.com> <CAGJKSNTkhZdMz0VCdY7xMHJOdfZss1rvh8dwZg1phARP3Jbstg@mail.gmail.com>
In-Reply-To: <CAGJKSNTkhZdMz0VCdY7xMHJOdfZss1rvh8dwZg1phARP3Jbstg@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 20 Jul 2023 09:27:26 -0500
Message-ID: <CAN8C-_LPcz6p==hVmuO6bZFoiT7fPRuV4hYeGwZi_py_NLpj9w@mail.gmail.com>
To: Michael Prorock <mprorock@mesur.io>
Cc: AJITOMI Daisuke <ajitomi@gmail.com>, Michael Jones <michael_b_jones@hotmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002fb2620600ebf3ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/sBeMJ5xw1qCMpN0rGUBTuVH7AoQ>
Subject: Re: [COSE] Draft IETF 117 COSE agenda
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 14:27:45 -0000

Granted, JOSE & COSE kinda broke this with EdDSA...

> Therefore, in COSE, even ES256 has to be defined as follows:
>    -7 (ES256), where kty is 2 (with uncompressed points) and crv is 1
(P-256).

The point here is... If I tell you -7 (ES256), you know 2 (kty EC2) and 1
(crv P-256)

If I tell you -8 (EdDSA) .... You know 1 (kty OKP), but *you don't know if
I meant 6 (crv Ed25519) or 7 (crv Ed448)*

Constrained devices won't ship support for both 6 and 7... so advertising
-8 is therefore ambiguous / not helpful (by itself)

... Now consider advertising "HPKE-Base"... How does this help you know how
to talk to a firmware or relying party?

... why would we go out of our way to add extra information to this
process, when we are supposed to be trying to design for a compact /
constrained environment?

OS



On Thu, Jul 20, 2023 at 9:11 AM Michael Prorock <mprorock@mesur.io> wrote:

> A correction/clarification - basically, while you see both kty and alg
> together, if you have a well defined alg, you always know what kty is for
> that alg - so derivation is from alg alone
>
> Mike Prorock
> CTO - mesur.io
>
> On Thu, Jul 20, 2023, 08:01 Michael Prorock <mprorock@mesur.io> wrote:
>
>> Daisuke,
>> definitely 'combination of "alg" and key information.', especially as
>> things have started to evolve recently.  However, I think the point that
>> Orie is trying to make (please correct me if I am wrong Orie) is that once
>> you have the 'kty' which lets you know what shape and family of keys you
>> are dealing with, then you should have everything you need from 'alg' and
>> nothing else.
>>
>> Mike Prorock
>> CTO, Founder
>> https://mesur.io/
>>
>>
>>
>> On Thu, Jul 20, 2023 at 7:53 AM AJITOMI Daisuke <ajitomi@gmail.com>
>> wrote:
>>
>>> Daisuke asserts “On the other hand, there are no examples like the
>>>> proposal from Hannes/Laurence, where the "alg" value includes information
>>>> about "crv" values and unrelated key operation information (e.g., KDF,
>>>> AEAD)”.  There are actually many such examples.
>>>
>>>
>>> It mainly concerns the latter, which is ”unrelated key operation
>>> information". Anyway, while it is true that JOSE's ES* algs include the
>>> "crv" value implicitly, the COSE's ES* algs don't. The COSE's ES256
>>> algorithm is not limited to P-256 and this crv value and the information
>>> about whether the key is compressed EC point or not ultimately requires
>>> referring to the key info.
>>>
>>> Therefore, in COSE, even ES256 has to be defined as follows:
>>>
>>>    - -7 (ES256), where kty is 2 (with uncompressed points) and crv is 1
>>>    (P-256).
>>>
>>> It is evident that the mainstream approach is to negotiate using a
>>> combination of "alg" and key information.
>>>
>>> --
>>> Daisuke
>>>
>>>
>>> 2023年7月20日(木) 9:55 Michael Jones <michael_b_jones@hotmail.com>:
>>>
>>>> [chair hat off]
>>>>
>>>>
>>>>
>>>> The interoperability problem caused by polymorphic algorithm
>>>> identifiers is that the “alg” and “enc” values are no longer useful for
>>>> algorithm negotiation.
>>>>
>>>>
>>>>
>>>> In protocols such as OpenID Connect, OAuth 2.0, and WebAuthn/FIDO2, lists of supported “alg” and “enc” values are published in metadata.  For instance, here’s an example from RFC 8414:
>>>>
>>>>     "token_endpoint_auth_signing_alg_values_supported":
>>>>
>>>>         ["RS256", "ES256"],
>>>>
>>>>
>>>>
>>>> The problem with polymorphic algorithm identifiers such as “EdDSA” is
>>>> that they don’t actually specify which algorithm is used.  It could mean
>>>> either “Ed25519” or “Ed448”.  You can’t advertise which you support and/or
>>>> which you want.
>>>>
>>>>
>>>>
>>>> This is a problem in practice for WebAuthn, since some COSE alg
>>>> identifiers are polymorphic and WebAuthn and FIDO2 use COSE algorithm
>>>> identifiers for negotiation.  See that WebAuthn specified that EdDSA always
>>>> uses Ed25519 – making it non-polymorphic but precluding its use with
>>>> Ed448.  Here’s the line doing so at
>>>> https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy:
>>>>
>>>>    - -8 (EdDSA), where crv
>>>>    <https://tools.ietf.org/html/rfc8152#section-13.1.1> is 6 (Ed25519).
>>>>
>>>>
>>>>
>>>> Daisuke asserts “On the other hand, there are no examples like the
>>>> proposal from Hannes/Laurence, where the "alg" value includes information
>>>> about "crv" values and unrelated key operation information (e.g., KDF,
>>>> AEAD)”.  There are actually many such examples.
>>>>
>>>>
>>>>
>>>> All the registered JOSE algorithms (for example “ES256”) fully
>>>> specified all parameters until “EdDSA”  was registered.  The COSE
>>>> algorithms from RFC 8812 fully specify all parameters, such as when
>>>> secp256k1 is used and when RSASSA is used.
>>>>
>>>>
>>>>
>>>> Likewise, if we had a single HPKE algorithm identifier, it couldn’t be
>>>> used to distinguish which HPKE algorithms are supported (and not all will
>>>> be by all implementations).  This would cause the same problem for future
>>>> systems that, for instance, WebAuthn/FIDO2, OAuth 2.0, and OpenID Connect
>>>> already encounter when polymorphic algorithm identifiers are used.
>>>>
>>>>
>>>>
>>>>                                                        -- Mike
>>>>
>>>>
>>>>
>>>> *From:* AJITOMI Daisuke <ajitomi@gmail.com>
>>>> *Sent:* Wednesday, July 19, 2023 3:45 PM
>>>> *To:* Michael Jones <michael_b_jones@hotmail.com>; Ilari Liusvaara <
>>>> ilariliusvaara@welho.com>
>>>> *Cc:* cose <cose@ietf.org>
>>>> *Subject:* Re: [COSE] Draft IETF 117 COSE agenda
>>>>
>>>>
>>>>
>>>> > Speaking as an individual contributor, I fully support the first
>>>> > (fully specified) choice.  Whereas the second possibility will cause
>>>> > endless interoperability problems.
>>>>
>>>>
>>>> I disagree.
>>>>
>>>>
>>>> +1
>>>>
>>>> (Below, I comment from the standpoint that the design of alg values
>>>> should be consistent with COSE and JOSE.)
>>>>
>>>> I am convinced that the "fully specified" design, on the contrary,
>>>> includes more interoperability issues.
>>>>
>>>> Originally, in JOSE and COSE, the identification of the specific
>>>> cryptographic algorithm was done by combining the "alg" value ("ECDH-ES,"
>>>> "EdDSA," etc.) with the information held by the key itself ({"kty": "EC",
>>>> "crv": "P-256", ...}, {"kty": "OKP", "crv": "Ed25519", ...}, etc.).
>>>> The current draft follows this approach. On the other hand, there are no
>>>> examples like the proposal from Hannes/Laurence, where the "alg" value
>>>> includes information about "crv" values and unrelated key operation
>>>> information (e.g., KDF, AEAD) to the original key's purpose. In JWK, the
>>>> "alg" value is merely an optional parameter, so packing excessive
>>>> information into the "alg" value will, in fact, lead to interoperability
>>>> issues.
>>>>
>>>> I have repeatedly written about the reasons why the current
>>>> specification is better than the "fully specified" design (*1, *2).
>>>> However, I would like to add one more point from a new perspective.
>>>>
>>>> I am very concerned that JWK, which is a "JSON representation of keys"
>>>> that could be used for a wide range of applications not limited to JOSE and
>>>> COSE, will no longer be available as a means of transmission and
>>>> negotiation of HPKE parameters. I think this is a very big loss.
>>>>
>>>> The following works with no problem with existing JWK implementations,
>>>> and it is also guaranteed to work in the JWK RFC:
>>>>
>>>>   {
>>>>         kty: "EC",
>>>>         crv: "P-256",
>>>>         // alg: "HPKE-v1-Base(-KEM)",   // alg can be omitted as many
>>>> JWKs do
>>>>         hkc: { kem: 0x0010, kdfs: [0x0001], aeads: [0x0001]},
>>>> // Unknown parameters for the JWK implementation MUST be ignored on the JWK
>>>> layer.
>>>>         x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc",
>>>>         y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI",
>>>>   }
>>>>
>>>> On the other hand, the following does not work with many existing JWK
>>>> implementations. This is because existing JWK implementations often throw
>>>> errors for "alg" values not supported by the bundled JWS/JWE:
>>>>
>>>>   {
>>>>         kty: "EC",
>>>>         crv: "P-256",
>>>>         alg: "
>>>> HPKEv1-Base-DHKEM(P256,HKDFSHA256)-HKDFSHA256-AES128GCM",   // Must be
>>>> specified to specify HPKE parameters if not assuming an offline(implicit)
>>>> agreement.
>>>>         x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc",
>>>>         y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI",
>>>>   }
>>>>
>>>> I think this example clearly illustrates the harm of putting subsequent
>>>> algorithm information (KDF&AEAD), which is not originally relevant to the
>>>> key itsef, into a key that is originally only used in the KEM step.
>>>>
>>>>
>>>> In any case, I am tired of the situation where even after all these
>>>> repeated discussions, even the obvious design point, which is obvious if
>>>> you read the HPKE standard, that "encapsulated_key should be expressed as a
>>>> sequence of bytes," is being rehashed...
>>>>
>>>> I hope the chairs will make a wise decision.
>>>>
>>>> Best regards,
>>>> Daisuke
>>>>
>>>> P.S.
>>>> ... the design of COSE-HPKE was more difficult than I had thought, as
>>>> it required not only knowledge of both COSE and HPKE, but also knowledge of
>>>> JOSE (primarily JWK) in terms of alg value design, and related
>>>> considerations of consistency with the W3C Web Cryptography API and
>>>> existing implementations. So I do not intend to ask you (the mailing list
>>>> participants) to agree with my suggestion easily, but I'm very glad if you
>>>> could read (*1)(*2) without bias.
>>>>
>>>> (*1)
>>>> https://mailarchive.ietf.org/arch/msg/cose/KTpXbZ3UxUH8BuLT4OmhfaToYTk/
>>>> (*2)
>>>> https://mailarchive.ietf.org/arch/msg/cose/cPqYqCagPbWPKwvQODjqn98U3F4/
>>>>
>>>> 2023年7月20日(木) 2:37 lgl island-resort.com <lgl@island-resort.com>:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Jul 19, 2023, at 9:52 AM, Michael Jones <michael_b_jones@hotmail.com>
>>>> wrote:
>>>>
>>>>
>>>>
>>>> As a chair, I’d like clarity on what you mean by “the single algorithm
>>>> design”.  Do you mean that each algorithm identifier fully specifies all
>>>> the cryptographic parameters being used?  Or do you mean that a single
>>>> algorithm identifier is used for all the HPKE possibilities?
>>>>
>>>>
>>>>
>>>> The proposal that Hannes, Jeremy and a few others favor is roughly
>>>> this. (I picked these three just as an example, the decision we want is not
>>>> whether these three are the ones to register, it is that we will use one
>>>> algorithm ID to indicate the HPKE KEM, KDF and AEAD.
>>>>
>>>>
>>>>
>>>> *Alg ID HPKE-P-256 (equivalent to COSE -29 with NIST key)*
>>>>
>>>> KEM: 0x0010 DHKEM(P-256, HKDF-SHA-256)
>>>>
>>>> KDF: 0x0001 HKDF-SHA256
>>>>
>>>> AEAD: 0x0001  AES-128-GCM
>>>>
>>>>
>>>>
>>>> *Alg ID HPKE-P-384 (equivalent to COSE -30 with NIST key)*
>>>>
>>>> KEM: 0x0011 DHKEM(P-384, HKDF-SHA-384)
>>>>
>>>> KDF: 0x0002 HKDF-SHA384
>>>>
>>>> AEAD: 0x0002  AES-256-GCM
>>>>
>>>>
>>>>
>>>> *Alg ID HPKE-P-521 (equivalent to COSE -31 with NIST key)*
>>>>
>>>> KEM: 0x0012 DHKEM(P-521, HKDF-SHA-512)
>>>>
>>>> KDF: 0x0003 HKDF-SHA512
>>>>
>>>> AEAD: 0x0002  AES-256-GCM
>>>>
>>>>
>>>>
>>>> The one that Ilari and Ajitomi-san favor is what we have now in
>>>> COSE-HPKE:
>>>>
>>>>
>>>>
>>>>    When the alg value is set to 'HPKE-v1-BASE', the HPKE_sender_info
>>>>
>>>>    structure MUST be present in the unprotected header parameter.
>>>>
>>>>
>>>>
>>>>    The CDDL grammar describing the HPKE_sender_info structure is:
>>>>
>>>>
>>>>
>>>>       HPKE_sender_info = [
>>>>
>>>>           kem_id : uint,         ; kem identifier
>>>>
>>>>           kdf_id : uint,         ; kdf identifier
>>>>
>>>>           aead_id : uint,        ; aead identifier
>>>>
>>>>           enc : bstr,            ; encapsulated key
>>>>
>>>>       ]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Speaking as an individual contributor, I fully support the first (fully
>>>> specified) choice.  Whereas the second possibility will cause endless
>>>> interoperability problems.
>>>>
>>>>
>>>>
>>>> We need your efforts primarily has a chair at this point. I think we’ve
>>>> had the discussion.
>>>>
>>>>
>>>>
>>>> LL
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> COSE mailing list
>>>> COSE@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/cose
>>>>
>>>> _______________________________________________
>>> COSE mailing list
>>> COSE@ietf.org
>>> https://www.ietf.org/mailman/listinfo/cose
>>>
>> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email