Re: [Curdle] AD Review: draft-ietf-curdle-cms-eddsa-signatures-05.txt

Russ Housley <housley@vigilsec.com> Wed, 10 May 2017 15:41 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <4A227672-E806-4D6E-9E83-714675BF8FE1@vigilsec.com>
Date: Wed, 10 May 2017 11:41:08 -0400
Cc: Eric Rescorla <ekr@rtfm.com>
Message-Id: <8021D75B-504E-42EA-AA75-42A8F188EF3C@vigilsec.com>
References: <CABcZeBMRYwdQnxUuBrCEsM-BeTFfARg3ZFn=tWh+5FMdv2WGYw@mail.gmail.com> <4A227672-E806-4D6E-9E83-714675BF8FE1@vigilsec.com>
To: curdle <curdle@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/jMRdvHWdp1EfFXIY4-Vxoyns8UU>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-cms-eddsa-signatures-05.txt

> 
>> TECHNICAL
>> S 3.1 and 3.2.
>> - Is there some reason to not prescribe exactly one form here?
>>  I.e., require id-sha512 (etc.) or require it not be there?
>> 
>> - Also, TLS has converged on talking about an "identity" hash
>>  for the PureEd forms. Was this discussed and rejected?
> 
> CMS supports signatures with and without signed attributes.  In most cases, signed attributes are present.  When signed attributes are present, the message-digest attribute MUST be one of the attributes.  Eric is suggesting that the “identity” hash could be used with Ed25519 and Ed448 when there are no attributes to hash.  Using Ed25519 as an example, we get:
> 
>   IF (signed attributes are absent)
>   THEN
>       signedData.digestAlgorithms includes id-hashIdentity
>       signedData.signerInfo.digestAlgorithm = id-hashIdentity
>       signedData.signerInfo.signature = Ed25519(content)
>   ELSE
>       signedData.digestAlgorithms includes id-sha512
>       signedData.signerInfo.digestAlgorithm = id-sha512
>       signedData.signerInfo.signedAttrs includes message-digest = SHA512(content)
>       signedData.signerInfo.signature = Ed25519(DER(signedData.signerInfo.signedAttrs))
> 
> Do others think the use of an algorithm identifier for the “identity” hash is better?  The current document includes id-sha512 as a warning that Ed25519 uses that hash algorithm internally.

I would like to hear from others about this suggestion from Eric Rescorla’s review.  Jim pointed out one possible downside.  Others have been silent.

Russ
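The two SignerInfo shapes in the quoted pseudo-code, worked through in Go as an added example; this is not code from the draft or from anyone in the thread. It uses only the standard library (crypto/ed25519, encoding/asn1) and OIDs taken from RFC 5652 (id-data, id-contentType, id-messageDigest) and the NIST hash arc (id-sha512). The thread gives no OID for id-hashIdentity, so the no-attributes branch leaves digestAlgorithm empty; that, the function names, the attr helper, the sample content and the tampered input are all constructed for this example. Two points the pseudo-code leaves implicit are made explicit: in the ELSE branch the bytes actually signed are the DER SET OF encoding of signedAttrs (RFC 5652, Section 5.4, not the [0] IMPLICIT form that appears inside SignerInfo), and a verifier must recompute SHA-512(content) and compare it with the message-digest attribute, because in that branch the Ed25519 signature by itself binds only the attributes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/asn1"
	"errors"
	"fmt"
)

// OIDs from RFC 5652 (id-data, id-contentType, id-messageDigest) and the NIST hash arc (id-sha512).
var oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
var oidContentType = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
var oidMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
var oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}

// attribute is CMS Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }.
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}

// signerInfo: only the fields the thread discusses; DigestAlgorithm stays nil in branch 1 since the thread gives no OID for id-hashIdentity (assumption).
type signerInfo struct {
	DigestAlgorithm asn1.ObjectIdentifier
	SignedAttrs     []attribute // nil when signed attributes are absent
	Signature       []byte
}

// attr DER-encodes v as the single attrValue of an attribute (helper invented for this example).
func attr(oid asn1.ObjectIdentifier, v interface{}) attribute {
	b, err := asn1.Marshal(v)
	if err != nil {
		panic(err) // only well-formed constant values are passed in
	}
	return attribute{Type: oid, Values: []asn1.RawValue{{FullBytes: b}}}
}

// derSignedAttrs: the signed bytes are the DER SET OF (tag 0x31), not the [0] IMPLICIT form inside SignerInfo (RFC 5652, 5.4).
func derSignedAttrs(attrs []attribute) ([]byte, error) {
	return asn1.MarshalWithParams(attrs, "set")
}

// Branch 1 (signed attributes absent): signature = Ed25519(content).
func signWithoutAttrs(priv ed25519.PrivateKey, content []byte) signerInfo {
	return signerInfo{Signature: ed25519.Sign(priv, content)}
}

// Branch 2 (signed attributes present): message-digest = SHA512(content),
// digestAlgorithm = id-sha512, signature = Ed25519(DER(signedAttrs)).
func signWithAttrs(priv ed25519.PrivateKey, content []byte) (signerInfo, error) {
	md := sha512.Sum512(content)
	attrs := []attribute{attr(oidContentType, oidData), attr(oidMessageDigest, md[:])}
	tbs, err := derSignedAttrs(attrs)
	if err != nil {
		return signerInfo{}, err
	}
	return signerInfo{DigestAlgorithm: oidSHA512, SignedAttrs: attrs, Signature: ed25519.Sign(priv, tbs)}, nil
}

// verify: in branch 2 the signature binds only the attributes; content is bound via message-digest, which must be recomputed.
func verify(pub ed25519.PublicKey, content []byte, si signerInfo) error {
	if si.SignedAttrs == nil {
		if !ed25519.Verify(pub, content, si.Signature) {
			return errors.New("bad Ed25519 signature over content")
		}
		return nil
	}
	if !si.DigestAlgorithm.Equal(oidSHA512) {
		return errors.New("digestAlgorithm must be id-sha512 when signed attributes are present")
	}
	var got []byte
	for _, a := range si.SignedAttrs {
		if a.Type.Equal(oidMessageDigest) && len(a.Values) == 1 {
			if _, err := asn1.Unmarshal(a.Values[0].FullBytes, &got); err != nil {
				return err
			}
		}
	}
	if want := sha512.Sum512(content); !bytes.Equal(got, want[:]) {
		return errors.New("message-digest attribute missing or != SHA-512(content)")
	}
	tbs, err := derSignedAttrs(si.SignedAttrs)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, tbs, si.Signature) {
		return errors.New("bad Ed25519 signature over DER(signedAttrs)")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	content := []byte("constructed sample content") // constructed demo input
	si, _ := signWithAttrs(priv, content)
	fmt.Println(verify(pub, content, signWithoutAttrs(priv, content)), verify(pub, content, si), verify(pub, []byte("x"), si))
}
```

Both the signer and the verifier go through encoding/asn1 for the SET OF, so the example does not depend on how the two attributes are ordered; what it does depend on is that the verifier compares the recomputed digest before trusting the signature, which is the step a naive "verify the signature over signedAttrs" implementation skips.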