[Curdle] questions on draft-ietf-curdle-cms-eddsa-signatures-03.txt
Daniel Migault <daniel.migault@ericsson.com> Thu, 09 March 2017 21:56 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14007129420 for <curdle@ietfa.amsl.com>; Thu, 9 Mar 2017 13:56:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.369
X-Spam-Level:
X-Spam-Status: No, score=-2.369 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9xbUtKyiol0X for <curdle@ietfa.amsl.com>; Thu, 9 Mar 2017 13:56:16 -0800 (PST)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B95E127735 for <curdle@ietf.org>; Thu, 9 Mar 2017 13:56:16 -0800 (PST)
Received: by mail-it0-x22e.google.com with SMTP id h10so136820550ith.1 for <curdle@ietf.org>; Thu, 09 Mar 2017 13:56:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=DIZgzWuvg5fc2eq8DNIF5+O9HuqDs60FihCsySKKbG0=; b=XSZX+B3fERgAZRfbKi4f6Eqc0qSvGMGE2b9mV0D7DHyeM44jEdwxZkgMKGruqQMFxv cbZtqHkqS/QqnX8kY759BXanE10VVZcpn/fMPVhEVHl0qDjj7zrcaUcyTeGtGqqtJBRr iXAIkEmKZcWX3WihcAtjpCaEewH3eVWNeeWQ/Q3fMLYKL1jMMU5Fl09xOd8sL31ZE42Q YefPdujv14nDCpR1jje0gkzmHdyt96m52buwaHi6T7YdB+aAoVfGN4XTt7EEv2aDCxYp BCvepIJ2qzTC2RSpT4eFzeebeYZ+ZW4z7/dTRkROZt7x87jIXollhp4yB3yIt3TPW2mI 8odw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=DIZgzWuvg5fc2eq8DNIF5+O9HuqDs60FihCsySKKbG0=; b=Nek/c5rUs7yr9vuylBhhJhYhCECQN5islAvY4ggiQJTh2PG7t+izCOFB+Wsxian/bE 8oV9Z1S+6aCyWi2m0QJ1EOo3umHVUZfXelJoHrq5qx6hM4gM39P+BCbYG05qHafWm/9k Yhg16Gb7QfOa74Uas3fn7Mnx48KMQwE/C+8d9LaZfNtYG3jacnM7avvRNFpHo1xA/lHd NcwaYR/3dEe19eReEDRWI/qllNZENcJla6LKFJc+ZctEeTwBLYtvohtbCTkDuW31IG9b jkRWVbfPFXUZKMhy+8bh7E0LyVtul2DW4olbuw1Nk/dJq6E5n05lvkl04lwP7CtVgLWU 17iA==
X-Gm-Message-State: AMke39k53R8KLmuCPSnfuXD+iu2/qHC5XkoMJVpZ21msdOpJLfB37X4AGXdnNgKR9E6X1rKBz9m2aTYtwyz+Ng==
X-Received: by 10.36.164.75 with SMTP id v11mr14254354iti.101.1489096575195; Thu, 09 Mar 2017 13:56:15 -0800 (PST)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Thu, 9 Mar 2017 13:56:14 -0800 (PST)
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 09 Mar 2017 16:56:14 -0500
X-Google-Sender-Auth: 8rtvpI_FMIKgz6eb8l2CI_fR6Ag
Message-ID: <CADZyTk=GYO-PpBk3v+6Se_ZTygiwwKDfvTbFKC+j9+4Rt7K-FA@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fbba866a059054a53501d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/2VEIIlafvFhtba_57UXL3cZuqtg>
Subject: [Curdle] questions on draft-ietf-curdle-cms-eddsa-signatures-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 21:56:18 -0000
Hi, I read draft-ietf-curdle-cms-eddsa-signatures-03.txt and have a few questions. Please find my questions/comments inline. Yours, Daniel Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS) <draft-ietf-curdle-cms-eddsa-signatures-03.txt> 2. EdDSA Signature Algorithm One of the parameters of the EdDSA algorithm is the "prehash" function. This may be the identity function, resulting in an algorithm called PureEdDSA, or a collision-resistant hash function, resulting in an algorithm called HashEdDSA. In most situations the CMS SignedData includes signed attributes, including the message digest of the content. Since HashEdDSA offers no benefit when signed attributes are present, only PureEdDSA is used with the CMS. MGLT: My understanding of the two latest sentences is that, in most cases the CMS when used with signed attributes may specify the hash of the content. As prehashing is performed by CMS, there is no need to have a pre hash variant version. >From the two sentences it may appear that without signed attributes, they might be some advantages of having HashEdDSA over PureEdDSA. If that is the case, maybe we should provide them and then motivate our choice. What is unclear to me is why signed attributed make it different ? My understanding is that in any case digestAlgorithm is used to compute the digest of the eContent and when defined additional signed attributes. I am also wondering if we were using the prehash variant a combination of digestAlgorithm with the prehash function would not be problematic. At least, the signing operation would not be performed on the same content this might add unnecessary overhead. If that is the case, it would provide a generic motivation to only consider PureHash with CMS. My understanding of EdDSA is that when PureEdDSA is possible, it is always recommended over HashEdDSA. I assume this is also recommended for CMS. 2.3. Message Digest Algorithm Identifiers When the signer includes signed attributes, a message digest algorithm is used to compute the message digest on the eContent value. When signing with Ed25519, the message digest algorithm MUST be SHA-512 [RFC4634]. When signing with Ed448, the message digest algorithm MUST be SHAKE256 [FIPS202] with a 512-bit output value. MGLT: I am wondering why the digestAlgorithm cannot be the identity. Signing with Ed25519 uses SHA-512 as part of the signing operation, and signing with Ed448 uses SHAKE256 as part of the signing operation. MGLT: I am wondering if the text above wants to specify that the digest algorithm specified are already part of the signature and as such no additional hash functions really need to be added or if there is another motivation for this text. For convenience, the object identifiers and parameter syntax for these algorithms are repeated here: MGLT: IOD are repeated, maybe we could add a reference where these have been defined. -- Note that the ref becomes clearer on the next page. 2.4. EdDSA Signatures The id-Ed25519 and id-Ed448 object identifiers are also used for signature values. When used to identify signature algorithms, the AlgorithmIdentifier parameters field MUST be absent. MGLT: I do not understand why id-Ed25519 and id-Ed448 are used for the signature value. My understanding is that the Signer Info carries the signature algorithm, which defines the signature. 3. Signed-data Conventions The processing depends on whether the signer includes signed attributes. The inclusion of signed attributes is preferred, but the conventions for signed-data without signed attributes are provided for completeness. MGLT: Maybe we could briefly explain or provide a reference why signed attributes are preferred. 3.1. Signed-data Conventions With Signed Attributes The SignedData digestAlgorithms field includes the identifiers of the message digest algorithms used by one or more signer. There MAY be any number of elements in the collection, including zero. When signing with Ed25519, the digestAlgorithm SHOULD include id-sha512, and if present, the algorithm parameters field MUST be absent. When signing with Ed448, the digestAlgorithm SHOULD include id-shake256-len, and if present, the algorithm parameters field MUST also be present, and the parameter MUST contain 512, encoded as a positive integer value. MGLT: For which reason do we have a SHOULD and not a MUST, as the hash function specified have a MUST status in te message digest identifier. 3.2. Signed-data Conventions Without Signed Attributes
- Re: [Curdle] questions on draft-ietf-curdle-cms-e… Russ Housley
- Re: [Curdle] questions on draft-ietf-curdle-cms-e… Russ Housley
- [Curdle] questions on draft-ietf-curdle-cms-eddsa… Daniel Migault
- Re: [Curdle] questions on draft-ietf-curdle-cms-e… Russ Housley
- Re: [Curdle] questions on draft-ietf-curdle-cms-e… Daniel Migault
- Re: [Curdle] questions on draft-ietf-curdle-cms-e… Daniel Migault