Re: [Dcrup] I do not like the dcrup ECC document

"John R Levine" <johnl@taugh.com> Sun, 09 July 2017 21:14 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=yK/NjRtJ; dkim=pass (1536-bit key) header.d=taugh.com header.b=mRXtqlUV
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=ba6a.59629ca6.k1707; bh=gelu0/G9Cyol2nqd7l+0fPO26J+2BP6J3RTpW1caee8=; b=yK/NjRtJaov5bTPKXU5152PsvYamkaoNwo5EoCJspoGNoEu9wZDTRJY/nxU3gyRBbXfc1MpKkdwHqsmIKKLQjDSj7CaEKdk+e0UXk7gaP5o1XlMWxAX+So2+fMP1Kj+oRbTgZ1v6JZxa2b73dkHJOQ31VYS3RP0jmUp7yiP7fzi7/u9Qn220PEDd7UTdChI4em+1tSZLmlGcxuD5l3OswMoVN2WUY4mG6cWoGDmLuIKo22VLrVCXMNY2Z3bSyF/K
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=ba6a.59629ca6.k1707; bh=gelu0/G9Cyol2nqd7l+0fPO26J+2BP6J3RTpW1caee8=; b=mRXtqlUViD6MzvaCY/5Ixlh3rlN7bfgXe8PlZEUwQTYCLzJUF9X2U8fl+yIXpNJGkvIlxfQxrHWjsKSmk2QApLIEMMyWWIB6JW9+XVu0nocphv57x2VH9tk9pXhdkNwzQ31eYzVV7dNDqkFjAVYY8GkPBgxDbcohUvl6ixf1ixVUweifLFPeAecX9ElUF3YE+doYz5oITPHWYn5Abk/XfA3R6YAUGkO38nCgLwfm8XprL0hyWsIntDUzUVeOmPf3
Date: Sun, 09 Jul 2017 17:14:13 -0400
Message-ID: <alpine.OSX.2.21.1707091702130.6209@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Russ Housley <housley@vigilsec.com>
Cc: dcrup@ietf.org
In-Reply-To: <3A2ECF01-E8A0-4E11-9E3F-6A67C5198ACC@vigilsec.com>
References: <20170709203414.90415.qmail@ary.lan> <3A2ECF01-E8A0-4E11-9E3F-6A67C5198ACC@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/_POhvvYbQYm3l2xPZ273OEZHCcs>

>> 3.  EdDSA-SHA256 Signing Algorithm
>>
>>   The eddsa-sha256 signing algorithm computes a message hash as defined
>>   in section 3 of [RFC6376], and signs it with Ed25519, the EdDSA
>>   algorithm using the edwards25519 curve, as defined in RFC 8032
>>   section 5.1 [RFC8032].  The signing algorithm is PureEdDSA as defined
>>   in RFC 8032 section 4, since the input to the signing algorithm has
>>   already been hashed.  The DNS record for the verification public key
>>   MUST have a "k=eddsa" tag to indicate that the key is an EdDSA rather
>>   than RSA key.
>>
>> If that's not right, please send text.
>
> PureEdDSA does not take a hash as input, it takes the whole to-be-signed content.

RFC 6376 describes in great detail in section 3.7 how to create the 
material to be signed.  What it ends up with is a sha-256 hash, but that's 
not the signing algorithm's problem.  I say PureEdDSA to emphasize that it 
doesn't get hashed again.

As it stands now, the RSA and EdDSA signing algorithms sign the same 
thing.  I suppose I could extensively rewrite the signing instructions so 
that stuff to be signed by RSA is hashed while stuff to be signed by EdDSA 
is not because it'll use HashEdDSA, but that seems a lot of work and a lot 
of code changes for no benefit.

R's,
John
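To make the point of this exchange concrete, here is an added illustration, not code from the post, the draft, or any IETF document, of what RFC 6376 section 3.7 actually hands to the signature primitive. It builds the body hash (bh=) and the data hash over a constructed sample message, then shows that the rsa-sha256 and eddsa-sha256 branches receive the very same 32-byte digest: the RSA side wraps it in a PKCS#1 v1.5 DigestInfo block (RFC 8017), while the PureEdDSA side takes the digest as its message and hashes nothing again. The a= value "eddsa-sha256" and the k=eddsa tag follow the draft text quoted above (the algorithm was later published in RFC 8463 as ed25519-sha256); the domain, selector, header list and message content are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample message (not from the list post); CRLF line endings as on the wire.
SAMPLE_MESSAGE = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.org>\r\n"
    b"Subject: Hello\r\n"
    b"Date: Sun, 09 Jul 2017 17:14:13 -0400\r\n"
    b"\r\n"
    b"Hello Bob,\r\n\r\nThis is the body.\r\n\r\n\r\n"
)
SIGNED_HEADERS = ["from", "to", "subject", "date"]  # assumed h= list
# DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def split_message(raw):
    """Split into (header_lines, body); header lines keep folding and CRLF."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no header/body separator")
    lines = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and lines:  # folded continuation line
            lines[-1] += b"\r\n" + line
        else:
            lines.append(line)
    return [line + b"\r\n" for line in lines], body


def canon_body_simple(body):
    """RFC 6376 3.4.3: drop trailing empty lines; the body always ends in CRLF."""
    if body == b"":
        return b"\r\n"
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body):
    """bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def select_headers(header_lines, names):
    """RFC 6376 5.4.2: for each h= name take the last not-yet-consumed instance."""
    remaining, chosen = list(header_lines), []
    for name in names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i].split(b":", 1)[0].strip().lower() == name.encode():
                chosen.append(remaining.pop(i))
                break
    return chosen


def data_hash(header_lines, names, dkim_header):
    """RFC 6376 3.7: SHA-256 over the selected header fields (simple
    canonicalization) followed by the DKIM-Signature field with an empty b=
    value and no trailing CRLF."""
    h = hashlib.sha256()
    for line in select_headers(header_lines, names):
        h.update(line)
    h.update(dkim_header)
    return h.digest()


def emsa_pkcs1_v15_sha256(digest, em_len):
    """RFC 8017 EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || digest.  This is
    the block RSASSA-PKCS1-v1_5 exponentiates for rsa-sha256."""
    t = SHA256_DIGESTINFO + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def signature_primitive_input(algorithm, digest, rsa_modulus_bytes=256):
    """Both algorithms consume the same 32-byte data hash; only the wrapping
    differs.  eddsa-sha256 is PureEdDSA, so the hash itself is the message given
    to Ed25519 sign/verify and DKIM hashes nothing again; rsa-sha256 wraps it in
    DigestInfo with PKCS#1 v1.5 padding."""
    if algorithm == "rsa-sha256":
        return emsa_pkcs1_v15_sha256(digest, rsa_modulus_bytes)
    if algorithm == "eddsa-sha256":
        return digest
    raise ValueError(f"unsupported a= value: {algorithm}")


def prepare_signature_input(raw, algorithm, domain="example.com", selector="sel1"):
    """Run the RFC 6376 3.7 steps; return (bh, data_hash, bytes for the primitive)."""
    header_lines, body = split_message(raw)
    bh = body_hash(body)
    dkim = (f"DKIM-Signature: v=1; a={algorithm}; c=simple/simple; d={domain}; "
            f"s={selector}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=").encode()
    digest = data_hash(header_lines, SIGNED_HEADERS, dkim)
    return bh, digest, signature_primitive_input(algorithm, digest)
```

With a real key, the eddsa-sha256 branch is simply `private_key.sign(digest)` (for instance `Ed25519PrivateKey.sign` from the `cryptography` package) and the verifier recomputes the same data hash from the received headers and calls `public_key.verify(signature, digest)`; the digest computed here is the only thing either primitive ever sees, which is why the post can say both algorithms "sign the same thing" and why no second hashing step (HashEdDSA) is needed.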