Re: [Dcrup] I do not like the dcrup ECC document

Scott Kitterman <sklist@kitterman.com> Sun, 09 July 2017 21:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/7pZ0_LL0MBg5LZgmz5mtRyDDpo0>

On Sunday, July 09, 2017 05:14:13 PM John R Levine wrote:
> >> 3.  EdDSA-SHA256 Signing Algorithm
> >> 
> >>   The eddsa-sha256 signing algorithm computes a message hash as defined
> >>   in section 3 of [RFC6376], and signs it with Ed25519, the EdDSA
> >>   algorithm using the edwards25519 curve, as defined in RFC 8032
> >>   section 5.1 [RFC8032].  The signing algorithm is PureEdDSA as defined
> >>   in RFC 8032 section 4, since the input to the signing algorithm has
> >>   already been hashed.  The DNS record for the verification public key
> >>   MUST have a "k=eddsa" tag to indicate that the key is an EdDSA rather
> >>   than RSA key.
> >> 
> >> If that's not right, please send text.
> > 
> > PureEdDSA does not take a hash as input, it takes the whole to-be-signed
> > content.
> RFC 6376 describes in great detail in section 3.7 how to create the
> material to be signed.  What it ends up with is a sha-256 hash, but that's
> not the signing algorithm's problem.  I say PureEdDSA to emphasize that it
> doesn't get hashed again.
> 
> As it stands now, the RSA and EdDSA signing algorithms sign the same
> thing.  I suppose I could extensively rewrite the signing instructions so
> that stuff to be signed by RSA is hashed while stuff to be signed by EdDSA
> is not because it'll use HashEdDSA, but that seems a lot of work and a lot
> of code changes for no benefit.

The python crypto library I plan to use for this (python-nacl) supports both.  
Given the current structure of the dkimpy code, it would be much simpler to 
support PureEdDSA.  Having looked at how I would implement this (but not 
having done it yet) I agree with your contention about implementation 
complexity.

Scott K
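
The signing path discussed in this thread, as an added example that is not part of the original message and is not dkimpy code: the RFC 6376 section 3.7 data hash is computed first, and that 32-byte SHA-256 digest is what gets handed to Ed25519 as the PureEdDSA message. It assumes the Python `cryptography` package (the message mentions python-nacl); the sample message, key seed and function names are constructed, and header canonicalization is simplified to unfolded relaxed headers with an already-canonical body.

```python
import base64, hashlib, re
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Constructed sample message and key seed (not taken from the thread).
HEADERS = [("From", "Alice <alice@example.com>"),
           ("To", "bob@example.net"),
           ("Subject", "PureEdDSA   test")]
BODY = b"Hello\r\n"  # assumed to be body-canonicalized already
SIG_FIELDS = ("v=1; a=eddsa-sha256; c=relaxed/simple; d=example.com; "
              "s=sel; h=from:to:subject")  # a= name as in the quoted draft text
SEED = bytes(range(32))
PUBLIC_KEY = Ed25519PrivateKey.from_private_bytes(SEED).public_key()

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2), unfolded input."""
    return (name.lower() + ":" + re.sub(r"\s+", " ", value).strip()).encode("ascii")

def data_hash(headers, body, sig_fields):
    """SHA-256 data hash of RFC 6376 section 3.7, with the b= tag left empty."""
    bh = base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")
    h = hashlib.sha256()
    for name, value in headers:
        h.update(relaxed_header(name, value) + b"\r\n")
    # The DKIM-Signature header is hashed last, without a trailing CRLF.
    h.update(relaxed_header("DKIM-Signature", sig_fields + "; bh=" + bh + "; b="))
    return h.digest()

def sign_message(seed, headers, body, sig_fields):
    """Ed25519 (PureEdDSA) signature whose message M is the 32-byte digest."""
    key = Ed25519PrivateKey.from_private_bytes(seed)
    return key.sign(data_hash(headers, body, sig_fields))

def ed25519_ok(public_key, signature, message):
    """True if the signature verifies over exactly these message bytes."""
    try:
        public_key.verify(signature, message)
        return True
    except InvalidSignature:
        return False

if __name__ == "__main__":
    sig = sign_message(SEED, HEADERS, BODY, SIG_FIELDS)
    digest = data_hash(HEADERS, BODY, SIG_FIELDS)
    raw = b"".join(relaxed_header(n, v) + b"\r\n" for n, v in HEADERS)
    print("b=" + base64.b64encode(sig).decode("ascii"))
    print("verifies over the data hash:", ed25519_ok(PUBLIC_KEY, sig, digest))
    print("verifies over raw headers: ", ed25519_ok(PUBLIC_KEY, sig, raw))
```

A signer that passed the canonicalized headers themselves to Ed25519 would produce signatures that a verifier following the quoted text rejects, which is why both sides have to agree that the digest is the message.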