Re: [jose] RFC 8037 "alg" quirkiness

Jim Schaad <ietf@augustcellars.com> Sun, 20 September 2020 07:07 UTC



-----Original Message-----
From: Anders Rundgren <anders.rundgren.net@gmail.com> 
Sent: Saturday, September 19, 2020 11:25 PM
To: Jim Schaad <ietf@augustcellars.com>; jose@ietf.org
Subject: Re: [jose] RFC 8037 "alg" quirkiness

On 2020-09-20 00:42, Jim Schaad wrote:
> Jumping back to the start.

It seems that your mail system generates duplicates.

FWIW, here is how the quirk manifests itself in my JOSE library:


     JSONObjectWriter setSignatureAlgorithm(JSONObjectWriter joseObject,
                                            SignatureAlgorithms signatureAlgorithm) {
         return joseObject.setString("alg",
                                     signatureAlgorithm.isOkp() ?
                                         "EdDSA" : signatureAlgorithm.getAlgorithmId());
     }

[JLS] This draft will soon render this code incorrect.  https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/


Presumably few cryptographic APIs accept "EdDSA" as a signature algorithm.

You could indeed have used "EdDSA" as signature algorithm in RFC 8410 but you did not and IMO you made the right choice.

Anyway, navigating in crypto-land is often a bit challenging:
https://mail.openjdk.java.net/pipermail/security-dev/2020-August/022348.html

I've made my point, nothing more to add on my side :)

Anders


> 
> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Saturday, August 29, 2020 11:58 PM
> To: jose@ietf.org
> Subject: [jose] RFC 8037 "alg" quirkiness
> 
> I have just implemented support for Edwards curves in my JSON library.
> 
> Although it is certainly not a deal-breaker I find the use of "EdDSA" 
> as a generic Edwards algorithm identifier rather quirky since it 
> departs from the other JWS algorithms:
> https://tools.ietf.org/html/rfc8037#appendix-A.4
> 
> [JLS] I do not find this at all inconsistent with the way that the 
> other signature algorithms were handled, but that may just be me.  For 
> the ECDSA algorithms, the size of the hash is specified because it 
> could be variable across the different curve sizes.  So you can do 
> ECDSA with SHA-512 and P-256.  The requirement to specify the hash was 
> needed to bring the number of options down to just those that are fixed by the curve.
> 
> [JLS] For EdDSA, the hash function is fixed by the curve.  This would 
> change if different hash functions were allowed for the same curve 
> but I do not believe that this would ever be in danger of happening 
> because it was strongly argued that a single hash function was the 
> correct approach.  Since there was not a need to specify the hash 
> function independent of the key, there was no need to specify an EdDSA 
> with SHA-512 and an EdDSA with SHAKE-256; it was not done.
> 
> Jim
> 
> 
> For curiosity reasons I took a peek at the initial draft which has
> (in my opinion...) a more logical solution:
> https://tools.ietf.org/html/draft-liusvaara-jose-cfrg-curves-00#appendix-A.4
> 
> May I ask why this change was performed?
> 
> For JSF (JSON Signature Format) I will stick to the "00" scheme which 
> also permits use of ed25519ph and friends if needed:
> https://mobilepki.org/jsf-lab/home
> 
> thanx,
> Anders
> 
>
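
Added example, not part of the thread or of either participant's code: a verifier-side check of the point discussed above, that for "EdDSA" the curve and hash come from the key's "crv" (RFC 8037), while the JWS ECDSA identifiers of RFC 7518 name them in "alg" itself. The function and exception names are hypothetical and the sample headers and keys are constructed.

```python
# "alg" -> (curve, hash): RFC 7518 ECDSA identifiers carry both in the name.
JWS_ECDSA = {
    "ES256": ("P-256", "SHA-256"),
    "ES384": ("P-384", "SHA-384"),
    "ES512": ("P-521", "SHA-512"),
}
# "crv" -> hash: for EdDSA the hash is fixed by the curve (RFC 8032).
EDDSA_HASH_BY_CURVE = {
    "Ed25519": "SHA-512",
    "Ed448": "SHAKE256",
}


class AlgKeyMismatch(ValueError):
    """The JWS header "alg" cannot be used with the supplied JWK."""


def resolve_signature_params(header: dict, jwk: dict) -> tuple:
    """Return (scheme, curve, hash) for a JWS header and JWK, or raise."""
    alg, kty, crv = header.get("alg"), jwk.get("kty"), jwk.get("crv")
    # A JWK may pin its own "alg"; if it does, the header must agree.
    if "alg" in jwk and jwk["alg"] != alg:
        raise AlgKeyMismatch(f"key is pinned to {jwk['alg']!r}, header says {alg!r}")
    if alg == "EdDSA":
        if kty != "OKP":
            raise AlgKeyMismatch(f"EdDSA needs an OKP key, got kty={kty!r}")
        if crv not in EDDSA_HASH_BY_CURVE:
            # X25519 and X448 are also OKP curves but are key-agreement only.
            raise AlgKeyMismatch(f"crv={crv!r} is not a signature curve")
        return ("EdDSA", crv, EDDSA_HASH_BY_CURVE[crv])
    if alg in JWS_ECDSA:
        want_crv, hash_name = JWS_ECDSA[alg]
        if kty != "EC" or crv != want_crv:
            raise AlgKeyMismatch(f"{alg} needs an EC {want_crv} key, got {kty}/{crv}")
        return ("ECDSA", crv, hash_name)
    raise AlgKeyMismatch(f"unsupported alg {alg!r}")


def is_accepted(header: dict, jwk: dict) -> bool:
    """Convenience wrapper: True when the pair resolves, False otherwise."""
    try:
        resolve_signature_params(header, jwk)
        return True
    except AlgKeyMismatch:
        return False
```
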