Re: [Curdle] AD Review: draft-ietf-curdle-cms-eddsa-signatures-05.txt

Russ Housley <housley@vigilsec.com> Mon, 08 May 2017 19:39 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CABcZeBMRYwdQnxUuBrCEsM-BeTFfARg3ZFn=tWh+5FMdv2WGYw@mail.gmail.com>
Date: Mon, 08 May 2017 13:32:27 -0400
Cc: Eric Rescorla <ekr@rtfm.com>
Message-Id: <4A227672-E806-4D6E-9E83-714675BF8FE1@vigilsec.com>
References: <CABcZeBMRYwdQnxUuBrCEsM-BeTFfARg3ZFn=tWh+5FMdv2WGYw@mail.gmail.com>
To: curdle <curdle@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/REU2UWjw1FPqmuMalCgNphCnfB8>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-cms-eddsa-signatures-05.txt

> TECHNICAL
> S 3.1 and 3.2.
> - Is there some reason to not prescribe exactly one form here?
>   I.e., require id-sha512 (etc.) or require it not be there?
> 
> - Also, TLS has converged on talking about an "identity" hash
>   for the PureEd forms. Was this discussed and rejected?

CMS supports signatures with and without signed attributes.  In most cases, signed attributes are present.  When signed attributes are present, the message-digest attribute MUST be one of the attributes.  Eric is suggesting that the “identity” hash could be used with Ed25519 and Ed448 when there are no attributes to hash.  Using Ed25519 as an example, we get:

   IF (signed attributes are absent)
   THEN
      signedData.digestAlgorithms includes id-hashIdentity
      signedData.signerInfo.digestAlgorithm = id-hashIdentity
      signedData.signerInfo.signature = Ed25519(content)
   ELSE
      signedData.digestAlgorithms includes id-sha512
      signedData.signerInfo.digestAlgorithm = id-sha512
      signedData.signerInfo.signedAttrs includes message-digest = SHA512(content)
      signedData.signerInfo.signature = Ed25519(DER(signedData.signerInfo.signedAttrs))

Do others think the use of an algorithm identifier for the “identity” hash is better?  The current document includes id-sha512 as a warning that Ed25519 uses that hash algorithm internally.

Russ
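The two branches in Russ's message, as an added Go example that is not from the draft or from anyone on the thread: it uses the standard library's crypto/ed25519 and encoding/asn1, assumes the id-messageDigest OID from RFC 5652, tracks the digest algorithm by name because id-hashIdentity's OID is not given in the message, and reduces SignerInfo to the fields that differ between the two cases.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/asn1"
)

// id-messageDigest from RFC 5652; id-hashIdentity's OID is not in the message, so algorithms are tracked by name.
var oidMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
// attribute is the CMS Attribute { attrType OID, attrValues SET OF ANY }.
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values [][]byte `asn1:"set"` // one OCTET STRING holding the digest
}
// SignerInfo keeps only the fields that differ between the two branches.
type SignerInfo struct {
	DigestAlgorithm string // "id-hashIdentity" or "id-sha512"
	SignedAttrs     []byte // DER of SET OF Attribute; nil when attributes are absent
	Signature       []byte
}
// messageDigestAttrs returns DER(signedAttrs) with message-digest = SHA512(content): the DER SET, not the [0] IMPLICIT form.
func messageDigestAttrs(content []byte) ([]byte, error) {
	sum := sha512.Sum512(content)
	return asn1.MarshalWithParams([]attribute{{oidMessageDigest, [][]byte{sum[:]}}}, "set")
}

// Sign follows the IF/ELSE in the message: Ed25519 over the content itself, or over DER(signedAttrs).
func Sign(priv ed25519.PrivateKey, content []byte, withAttrs bool) (SignerInfo, error) {
	if !withAttrs {
		return SignerInfo{DigestAlgorithm: "id-hashIdentity", Signature: ed25519.Sign(priv, content)}, nil
	}
	der, err := messageDigestAttrs(content)
	if err != nil {
		return SignerInfo{}, err
	}
	return SignerInfo{DigestAlgorithm: "id-sha512", SignedAttrs: der, Signature: ed25519.Sign(priv, der)}, nil
}

// Verify checks the signature over the right input; with attributes it must also confirm that message-digest binds the content.
func Verify(pub ed25519.PublicKey, content []byte, si SignerInfo) bool {
	if si.SignedAttrs == nil {
		return si.DigestAlgorithm == "id-hashIdentity" && ed25519.Verify(pub, content, si.Signature)
	}
	want, err := messageDigestAttrs(content) // re-encoding suffices here because the set holds only that attribute
	if err != nil || string(want) != string(si.SignedAttrs) {
		return false // content does not match the signed message-digest attribute
	}
	return si.DigestAlgorithm == "id-sha512" && ed25519.Verify(pub, si.SignedAttrs, si.Signature)
}
```

A full CMS verifier parses the attribute set and compares the message-digest value rather than re-encoding, since other signed attributes are normally present too.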