Re: Signature Algorithm Identifiers
John Mattsson <john.mattsson@ericsson.com> Tue, 22 June 2021 09:09 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7553A1D00 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 22 Jun 2021 02:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.847
X-Spam-Level:
X-Spam-Status: No, score=-2.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.198, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 643eSWw0If7X for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 22 Jun 2021 02:09:14 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 829A43A1CFE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 22 Jun 2021 02:09:13 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lvcLD-0004YP-5v for ietf-http-wg-dist@listhub.w3.org; Tue, 22 Jun 2021 09:05:10 +0000
Resent-Date: Tue, 22 Jun 2021 09:05:07 +0000
Resent-Message-Id: <E1lvcLD-0004YP-5v@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <john.mattsson@ericsson.com>) id 1lvcJl-0004Tj-TN for ietf-http-wg@listhub.w3.org; Tue, 22 Jun 2021 09:03:42 +0000
Received: from mail-eopbgr40063.outbound.protection.outlook.com ([40.107.4.63] helo=EUR03-DB5-obe.outbound.protection.outlook.com) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <john.mattsson@ericsson.com>) id 1lvcJd-0005Da-97 for ietf-http-wg@w3.org; Tue, 22 Jun 2021 09:03:34 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SvVzUQfRlngC+iKy4PghL3rYSettzXSDxa2LGW8hoCH7kclHmrly1EQbjL3kqNz9NwvPDzDo8yc4hs6x29z6pEm2Kp20pxhNQj9RgUlGHBwWN63z+wbiGj8sCQGIPyt5nhlFrkQSRjMQBn8IYM6tUrhKIlgPNiRT8EWlKMluxgsxjwtceT/kAjhizr+Y+okDDAAXuQSONPZzJBx5mRByX7Q0ynw3KMCPAsfc9uwVyV2A4YpuxfIdlSun5AL1ivyH62jsrWxGSDd5wm4CBxRfED2/HPx/0sqdAmEiXZPZY4TiCH+1/IDsCrADHv9DYx+dyyt3MJXYIXqVZ/rrD5QnWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YX64m72TLU5ERDd3dcPJaDtTwOXPBccSLH/n6yLt38I=; b=RMC0kQ60yxkRkT+lgrQ/TRelY6G9LwIWyaxLlifPfsmUVyJgeC04y5w+lZhK9QvTmTyIbpkdQblbmImpjTqn/+2UROflRXmWk1AVwwwmFpPr7PKlEWhkgRfgT56btntu5WAOXESENB7cvhZ55Gat/zM/IO/FzRQHI8Emh2hAIwmMAkK5YFXZ1lVvAPeA85gf/9II6SaNI1JrWTKJRduDgqpkVogdLZPzcyPqAFgwxNmdNmqbDYat9Mc3mrRmNbAH6FKfiQqavKy1Q9wz+Ed1w9yK0+0x9u9g0pxD0XTBnRlP9q3KvGyCjMlXjs2tQUGYcz5OoSwa9/qXlM7n4WIJVQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YX64m72TLU5ERDd3dcPJaDtTwOXPBccSLH/n6yLt38I=; b=otL7F5yVJ8/MnXsJj+hx6ZbvTHYHpup17E7+SvcNWT5HmUKMYqbAT5f1kc6N1moiCx1JI3w2adYsrOq49hw5qkRDtpXlpEU4xXPtmbCumd+8I4BBYZEbZh7M8cnFSUcmHkHbalgCukz6xb33t2oHO0hJJdU2T4ftrn0a+Vc2yMM=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0701MB2393.eurprd07.prod.outlook.com (2603:10a6:3:72::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.15; Tue, 22 Jun 2021 09:03:16 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3%11]) with mapi id 15.20.4264.018; Tue, 22 Jun 2021 09:03:16 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Justin Richer <jricher@mit.edu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Thread-Topic: Signature Algorithm Identifiers
Thread-Index: AQHXZIQz4D+U4i9JFkOrBOxSUaftkqsfvyLk
Date: Tue, 22 Jun 2021 09:03:15 +0000
Message-ID: <HE1PR0701MB30501E424645B0869B1CA85E89099@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <BD009D24-5DDB-4BE4-B367-919D1FABB81A@mit.edu>
In-Reply-To: <BD009D24-5DDB-4BE4-B367-919D1FABB81A@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4cf0598d-90ce-43c2-fcaa-08d9355c927d
x-ms-traffictypediagnostic: HE1PR0701MB2393:
x-microsoft-antispam-prvs: <HE1PR0701MB23931A3C22E6CBB45C5F4EBB89099@HE1PR0701MB2393.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Ls6zhv+2INmgZT+F/Nk7tmpuZf3VwA03nBLgBAEpn9yoCx+xm6yebO1anMIywrRHtOWexiXE2kj/0d6UhawnUGPAxS7NV7NsslqtE2OhMiMHf4IJcO3grVdU/h+OD5KIf/jpP3GCJldJM8lwM7FapA9FgZw+28zTH+dHdZSoGx02/VmkX7n209LC0l/1Vj1C8zT+46GKVnSS9lIX7n9zLTloV4nxC1xDc/ViFWvmpSjycqqSlNBshhwBEMaSkeYjCMX1/Aqwlq2MbLF5P/SKICCByn40dd/KsR4c8GzrLBZ65V3KWidL48C2Fr9qfnazyFyxTfIzYiBXDm7GhfdXMLS4rELYD84f6aF60+VwPvJOldRrO6n+exO60zj1NbnyX9hEpsjtKUnPcs3k8EGksb32j0uP3DLYSrw8S2MdgJYpHkzy+4utc6xjU2S/a41BM6W5zjIPhB/kAtUcQcE5/AUp3THKrq/gaI0IDsKNbMJZd/VjmB/jmPm0HY37yby95ll5x/kbkyjRs1c9P54k1v/TsTEE3whhuxn8py/rpJWscJe+Iw93/LZKjClzUUqAXvYVOwoFXM0iRyPaStJgWqTNPnyPrWXvbg5UFTxk+yhovYDDayah3zyaMQIPvWUK+eWQf4fWYS8QJ6Wl4RvPbIwCx3/d6uhYBmWBMHWzrz90cTgWGMf48C2m/OEx3eDd2F3pE6fADcf1jTDVdxYjg22anV19AbgfRMSFzWTdIZJaabsp+niCaWGswPMiec/pGvhrx4oLdSoMJ5sONJnPqQ==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:HE1PR0701MB3050.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(396003)(136003)(346002)(376002)(39860400002)(366004)(110136005)(186003)(3480700007)(66446008)(5660300002)(316002)(122000001)(38100700002)(2906002)(66476007)(44832011)(55016002)(66556008)(53546011)(64756008)(166002)(7696005)(9686003)(6506007)(26005)(52536014)(8936002)(8676002)(33656002)(76116006)(478600001)(7116003)(66946007)(71200400001)(966005)(83380400001)(91956017)(86362001);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Ntnd+de1tPHAtjGU/kEspZo+YtT2urEMr6XeMWYRmgMBmrL72nzDGQZWJwjHdwOoUQXFv/6SVcd1P0KQ57YckpwG5lYpoU2rUXDbtoriaL0m56VjfhV+bvnk7GvuPfCMBJeMCzIiQTGcqV3zRbyAXUUuHz5BiGiXOm1/ZommW6Euw+qsiPuMzMvga7ITM4ejl+SD8H7lX2qcZqEKgAPPSWDsIC/ulKkbJt0dDQb7eWGtU4G33dK2TbQkz357JY4LP7ZmFd/jEUrQ9ePTp/FVtVOn1Jq5l//UXehS6ZiSA6PXOyRXjkcgwiQtNxVaXItuk6cRMc6VdXsijL3kOCiDDYgnPFoRZ9ZO7RmG+R24yho7dDfu7WS/wZ0xyEGdpF3g06VF7XYW0i1LjAYSTVQ9jWYkZnbY7HpNgTgLWD17rPsz7v2pkah6b2QNh1rMt1Hc2yok+2vshWaDnKh/JwZZ4F4iagq1fY2pUKosJOcoJoQ0iEi0xQLdam0SM1Hia62xPYxKxMwtj3i3LrqpKfjz8frnaoNt73TBh6bO7isMmurKu2F3thK/XRzVkSt1bGbv2onTSeqMCfovpaFpL7E09OK5qRwO0gnkaoZjsoJKW+VEe6GGAfPHceUQwZEnk+6b6zp3ZiI3a0NhAdkhnBukyybhkQK/w1pzmd5NrYVLHuffu5L5uZ54wq6aJihPqmk2WGjKVJCxVGK5ABxM3kb3HZMXatzP5yxednZ/QsM9pGFQDWpgS7nGGwmFeCQDFDWMBwBrD8MhOPhQ2cyHHjHs7ixFfOhrfN928VB/ruUUw1nvqXlmtB52rrUGIKGWVNNGORnNIccimghFLnYQO3KtJDJDwY7jRAiJi6+yLDVJXVT0T6W4pZ/AwwiigE0PeERMsQVajEjkoix9hRBKFiM7SVsMLqvDYpyrAqZy/oiXXGrQxuSmyhA4uKU7LtOf/lLYGsHf8YxHgEjRIUMIxhyjlCmRAYSFOxoPCR+WSjj4dkTWZLTVb5BPeeDlZlRDjfA0lP3jUg639SRB9VzQ+qYPNTnFbB3W2fLME1iks0YtQnGC6rGGUSVQRW2rMrj1xhPtkJiu2ya/vva2A8XDPRzCyRIY2oAwPwTfsCkjtbFRhFt29+WAGv3VFlmVXQjIMaaBt53jwg/jGu4gZcimhRkbdG0auze+gMHoDKlO4F+LdrZZqk76CfKnxBWN8VBahskKQl1aaczfKlH1Xz1f+2IxIZbvM3YuZkLTGI7cD/MbjmxLjki8oyPoFZf4TT3DE5/Crt/9FsIMUr0Df1p2AQsXlXvBDK/3+23N+JanGX0E6nNGgu6aqWGxYd1sAvLPVBvHVxqkCnMh2P6H7haEOEiQuQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB30501E424645B0869B1CA85E89099HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4cf0598d-90ce-43c2-fcaa-08d9355c927d
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jun 2021 09:03:15.9869 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: txInJww9Lasz/snzaFIISxGKV0kbOMEjK3s4LYKStYsVPIeLmrEalv4Yor8PAXdGbgUS35eXJu/f+o8N9fy4wthXD5q9OOnTsw0s+7OW6wU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2393
Received-SPF: pass client-ip=40.107.4.63; envelope-from=john.mattsson@ericsson.com; helo=EUR03-DB5-obe.outbound.protection.outlook.com
X-W3C-Hub-DKIM-Status: validation passed: (address=john.mattsson@ericsson.com domain=ericsson.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.223, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1lvcJd-0005Da-97 e4653909073aceec356cd58a88357801
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Signature Algorithm Identifiers
Archived-At: <https://www.w3.org/mid/HE1PR0701MB30501E424645B0869B1CA85E89099@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38928
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
> simpler for developers to pick the “latest” date of an algorithm as more secure A common argument in the current NIST PQC standardization is that older is better :) > - rsa-v1_5-sha256 > - rsa-pss-sha512 > - hmac-sha256 > - ecdsa-p256-sha256 This seems to treat the algorithms differently. ecdsa-p256-sha256 always gives 128-bit security. I assume hmac-sha256 will use a 256-bit keys and then it will also give 128-bit security. The two RSA algorithms on the other hand seems to be have variable security levels depending on the key, maybe good to lock them to 3072-bit keys. On the other hand, I find binding a signature algorithm to a specific type of key strange. It is the key usage that should be restricted, not the other way around. A bit strange to see RSASSA-PKCS1-v1_5 (RFC 8017) but not Ed25519 (RFC 8032) in a new standard. Cheers, John From: Justin Richer <jricher@mit.edu> Date: Friday, 18 June 2021 at 22:54 To: ietf-http-wg@w3.org Group <ietf-http-wg@w3.org> Subject: Signature Algorithm Identifiers As discussed on the interim call this week, there’s a proposal for changing the algorithm identifiers used in the message signatures draft. There was spirited discussion on the topic, which I’ll try to summarize here, and it’s been discussed in the following issue: https://github.com/httpwg/http-extensions/issues/1510<https://protect2.fireeye.com/v1/url?k=84cb0821-db50311d-84cb48ba-86b1886cfa64-f3075bc03b2c1031&q=1&e=8ff6f9a3-b0f9-4e44-a984-4608851a30f7&u=https%3A%2F%2Fgithub.com%2Fhttpwg%2Fhttp-extensions%2Fissues%2F1510> First, please note that we are only talking about the algorithm identifiers, not the algorithm definitions. The identifiers are simple strings, not parsed structures. Their job is to convey to an implementor a unique value that can be dereferenced to a fully-defined algorithm definition; the definition would include the parameters, the identifier does not. Also, note that the algorithm identifiers are optional within the protocol. Message signatures explicitly allows ANY signature method to be used if known by both parties, and the algorithm identifiers are there solely for the purpose of identifying a known algorithm at runtime against a set of publicly known fixed values in a registry. The editors have defined the following identifiers in the current draft, to be used with fully-specified cryptographic algorithms: - rsa-v1_5-sha256 - rsa-pss-sha512 - hmac-sha256 - ecdsa-p256-sha256 Additional algorithms can be defined in an IANA registry, and as stated above, applications are free to use their own signature algorithms without registering a code point. The counter-proposal in question (at the issue above) proposes a date-based method for identifiers instead (replacing each identifier in the above list respectively): - rsa-2003 - rsa-2005 - hmac-2006 - ecdsa-2013 Summarizing some of the arguments for and against presented on the call: In favor: - simpler for developers to pick the “latest” date of an algorithm as more secure - developers will pick a higher number without having to understand the differences - can “nudge” the community to using better algorithms through labeling - can register new date identifiers to “refresh” best practice definitions - names are shorter and don’t look like cryptographic primitives In opposition: - date is a poor stand-in for a quality metric - developers will pick a higher number without understanding differences - newer algorithms and profiles aren’t necessarily “better” than older ones - if a community-specific profile is defined later, like rsa-2024 for IoT devices, it could lead to developers choosing poorly-fit security - developers still need to know the difference between RSA, hmac, ecdsa, etc, otherwise “hmac-2006” looks universally better than “rsa-2005” - proposed names are not generally known or meaningful to cryptography experts and developers, while current names are descriptive and recognizable to them - namespace collision if two profiles are published within a single year What stays the same in both cases: - Algorithm parameters are defined in a document paragraph referenced from the identifier (the identifier itself does not define parameters) - Algorithms must be fully defined in a standard to be registered - Applications can still use whatever they want and avoid the named algorithm field entirely The sentiment on the call seemed fairly clear, but the editors are seeking feedback and consensus as to whether the registered draft should switch to the date-based identifier format as proposed or to keep the current labels. Thank you, — Justin
- Signature Algorithm Identifiers Justin Richer
- Re: Signature Algorithm Identifiers Ilari Liusvaara
- Re: Signature Algorithm Identifiers John Mattsson
- RE: Signature Algorithm Identifiers Justin Richer