[IPsec] draft-ietf-ipsecme-eddsa-01 pre-hash SHOULD NOT or MUST NOT
Tero Kivinen <kivinen@iki.fi> Wed, 05 April 2017 13:33 UTC
Message-ID: <22756.61602.820418.641692@fireball.acr.fi>
To: draft-ietf-ipsecme-eddsa.all@ietf.org
CC: ipsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8-Q3-1MkEE2M7B-IxYx9nygHkNs>
Now the pre-hash algorithms are SHOULD NOT:

   The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph
   respectively) SHOULD NOT be used in IKE.

I think we could say MUST NOT be used. I.e., say that pre-hash versions
MUST NOT be used, and that Ed25519 and Ed448 MUST be used with the
"Identity" hash identifier, and that the other currently defined
signature algorithms MUST NOT use the "Identity" hash...

The following part of the security considerations might also need
updating:

   On the other hand there is no good reason to pre-hash the inputs
   where the signature algorithm either does not require it or performs
   a hash internally.

This sentence would indicate that if the RSA key is large enough so we
can actually sign the full data without pre-hashing, that would be
something we would prefer. I do not think we actually want to allow
that. We should say that the Identity hash identifier MUST only be used
when using signature algorithms specifically supporting it.

   For this reason implementations SHOULD have the "Identity" value in
   the SIGNATURE_HASH_ALGORITHMS notification when they support EdDSA.
   Implementations SHOULD NOT have other hash algorithms in the
   notification if all signature algorithms have this property.

If an implementation supports EdDSA then it is a policy decision whether
it wants to use it, and whether it wants to include "Identity" as one of
the hash algorithms.
-- 
kivinen@iki.fi
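The rule argued for in the message above, as an added example that is not Kivinen's code nor the draft's: a hypothetical IKEv2 implementation's SIGNATURE_HASH_ALGORITHMS handling that offers "Identity" only when it supports EdDSA, signs with EdDSA only under "Identity", never pairs "Identity" with any other algorithm, and never offers the pre-hash variants at all. It assumes the IANA IKEv2 Hash Algorithms values (SHA1=1, SHA2-256=2, SHA2-384=3, SHA2-512=4, Identity=5), the DER AlgorithmIdentifier encodings from RFC 7427 Appendix A and RFC 8420 Section 3, and the RFC 7427 Authentication Data layout (ASN.1 Length, AlgorithmIdentifier, Signature Value). The label "ecdsa-p256" and the function names are this example's own; the peer's notify data is constructed inline, and the actual signing primitive is out of scope.

```python
"""
SIGNATURE_HASH_ALGORITHMS negotiation for the IKEv2 Digital Signature
authentication method (RFC 7427), with the "Identity" hash (RFC 8420).
Signing itself is out of scope; this covers the policy and the framing.
"""
import hashlib
import struct

# IANA "IKEv2 Hash Algorithms" registry values (assumed, see lead-in).
HASH_SHA1, HASH_SHA2_256, HASH_SHA2_384, HASH_SHA2_512, HASH_IDENTITY = 1, 2, 3, 4, 5

# Algorithms that hash internally and therefore take the unhashed input.
# Ed25519ph / Ed448ph are deliberately absent from this whole module.
EDDSA_ALGS = {"ed25519", "ed448"}

# DER AlgorithmIdentifier carried in the Authentication Data. EdDSA values
# from RFC 8420 Section 3, ECDSA values from RFC 7427 Appendix A.
# "ecdsa-p256" is a label local to this example.
ALGORITHM_IDENTIFIERS = {
    ("ed25519", HASH_IDENTITY): bytes.fromhex("300506032b6570"),
    ("ed448", HASH_IDENTITY): bytes.fromhex("300506032b6571"),
    ("ecdsa-p256", HASH_SHA2_256): bytes.fromhex("300a06082a8648ce3d040302"),
    ("ecdsa-p256", HASH_SHA2_384): bytes.fromhex("300a06082a8648ce3d040303"),
    ("ecdsa-p256", HASH_SHA2_512): bytes.fromhex("300a06082a8648ce3d040304"),
}

HASH_FUNCS = {HASH_SHA1: hashlib.sha1, HASH_SHA2_256: hashlib.sha256,
              HASH_SHA2_384: hashlib.sha384, HASH_SHA2_512: hashlib.sha512}


class NegotiationError(Exception):
    """Peer's SIGNATURE_HASH_ALGORITHMS set is incompatible with our policy."""


def hash_algorithms_to_offer(supported_sig_algs):
    """Contents of our SIGNATURE_HASH_ALGORITHMS notify for a given key policy."""
    offered = set()
    if supported_sig_algs & EDDSA_ALGS:
        offered.add(HASH_IDENTITY)            # only meaningful if we have EdDSA
    if supported_sig_algs - EDDSA_ALGS:       # something that needs a real pre-hash
        offered.update({HASH_SHA2_256, HASH_SHA2_384, HASH_SHA2_512})
    return offered


def encode_notify_data(hash_ids):
    """Notify data is a list of 16-bit hash algorithm identifiers."""
    return b"".join(struct.pack("!H", h) for h in sorted(hash_ids))


def parse_notify_data(data):
    if len(data) % 2:
        raise ValueError("SIGNATURE_HASH_ALGORITHMS data must be a multiple of 2 octets")
    return {struct.unpack_from("!H", data, off)[0] for off in range(0, len(data), 2)}


def select_hash(sig_alg, peer_hashes):
    """Pick the hash identifier to sign with, given what the peer announced."""
    if sig_alg in EDDSA_ALGS:
        # EdDSA MUST be used with Identity; there is no pre-hash fallback here.
        if HASH_IDENTITY not in peer_hashes:
            raise NegotiationError(f"peer does not accept Identity, cannot use {sig_alg}")
        return HASH_IDENTITY
    # Any other algorithm MUST NOT use Identity, even if the peer advertised it.
    for h in (HASH_SHA2_512, HASH_SHA2_384, HASH_SHA2_256):
        if h in peer_hashes and (sig_alg, h) in ALGORITHM_IDENTIFIERS:
            return h
    raise NegotiationError(f"no acceptable pre-hash for {sig_alg} in {sorted(peer_hashes)}")


def to_be_signed(signed_octets, hash_id):
    """What goes into the signature primitive: raw octets for Identity, else the digest."""
    if hash_id == HASH_IDENTITY:
        return signed_octets
    return HASH_FUNCS[hash_id](signed_octets).digest()


def auth_data(sig_alg, hash_id, signature):
    """RFC 7427 Authentication Data: ASN.1 Length | AlgorithmIdentifier | Signature Value."""
    alg_id = ALGORITHM_IDENTIFIERS[(sig_alg, hash_id)]
    return bytes([len(alg_id)]) + alg_id + signature


def parse_auth_data(data):
    """Split Authentication Data into (AlgorithmIdentifier, signature), checking the length."""
    n = data[0]
    if n == 0 or 1 + n > len(data):
        raise ValueError("bad ASN.1 Length in Authentication Data")
    return data[1:1 + n], data[1 + n:]


if __name__ == "__main__":
    ours = hash_algorithms_to_offer({"ecdsa-p256", "ed25519"})
    # Constructed peer notify: SHA2-256 and Identity (the peer supports EdDSA too).
    peer = parse_notify_data(bytes.fromhex("00020005"))
    h = select_hash("ed25519", peer)
    print(sorted(ours), sorted(peer), h, auth_data("ed25519", h, b"\x00" * 64).hex()[:16])
```

Note that select_hash() refuses "Identity" for the ECDSA key even when the peer lists it, which is the behaviour the message asks the draft to mandate, and that nothing in the module can emit an Ed25519ph or Ed448ph identifier.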