[jose] Modern Algorithms in the Web Cryptography API IETF 122 followup
Filip Skokan <panva.ip@gmail.com> Thu, 27 March 2025 09:47 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: jose@mail2.ietf.org
Delivered-To: jose@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 579DF1319CBB; Thu, 27 Mar 2025 02:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.837
X-Spam-Level:
X-Spam-Status: No, score=-1.837 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mngVAzhCs09L; Thu, 27 Mar 2025 02:47:05 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 70C101319CB0; Thu, 27 Mar 2025 02:47:05 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-549967c72bcso767334e87.3; Thu, 27 Mar 2025 02:47:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1743068824; x=1743673624; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=izF+sLCaseLtLeTP4/XnsmKndUZvzom6aO9rf4lRYV8=; b=NNiPoimbQCot5xNe1sqmRvVRPcFlvqNWk5lFvO9ntiX33TTmZw2fE2k4eoByyz3aBA Uek0QptFg7+2PMdgNPI/HoE+iQFAzTbuztVz4aO8JhkVCmB4XgHeQ3u9vUq33BzREZM+ r1gTjUgEPmn+J6TAw3mgrfsQMkAtx0Il0dC6+Usdtluzj8nTphd8py581iXf5akzf4+b 7zT8/75ifNU6AdosLkOgp8rxQ5DjnXpoVfoYoAvxgJhdda19yPnTruNLi0k0PrnIa2Tl eQZRsHSwPkOcHrLM6IM1WLQghHqNCfxO4FijYOygQ53WP5EPmL1zlCAxsoRqizgBN20m a+Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1743068824; x=1743673624; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=izF+sLCaseLtLeTP4/XnsmKndUZvzom6aO9rf4lRYV8=; b=SPUzjcx2jgPDUSKOT1mzyP290gqlYek00X/V/JMpHlbiSO0Q53IZGyKVdGhG93mwIR LFzHoMd+5CV+KFOzmOCqZxa9/MU7w7fD87LxQ9pUTfNG4jazfm8376V/gGTqlT8PnVVy hWYH53HyZmum2Yx6eWr0fBFLCOAzS2+aDpr1HBBm1gSNXJAKhxtfsX5y/xc7dI7kR/pI W3gN5LOLRSxMsWIb5aF66sxUsS+h1F0ldQiWRrh2ED2K5q6HjT2k0VUOc+WAk3ZZ+t3+ qe70CFBaJkGbqW4s9xw7vjG8XQ4GYH8TjIDQzUGXg30QdVToP8gLQEqPXrlDTD8lRPNV QrzA==
X-Forwarded-Encrypted: i=1; AJvYcCV0cmwnMT82d7x2ATEtQ2QhSEojftun80zbjlNN7tXZ0T85r3VtIWL7jwruc4c/DTjDfwCP@ietf.org
X-Gm-Message-State: AOJu0Yzg1wPGErmRHtagKpqvpURAEJM2214zrckGR+BwzHmeDbImdsPg KyRdLn0KIJKFG3S0K4lmdJ4iZa+813AXCBR3re0mX6iIv2dHG0Geuwmb0uQIKv3IHPrviULytCO dlp9huYe5OMi35yVDdFTXVFxUxxLO53k=
X-Gm-Gg: ASbGncvU4uo2OmvhTUxGloJZ4FSQ4t3+ioMvEF0xMlK5ccv0qpbFfA/emzDU2FJJOlb MiVFjMUXL6qABkUF4ubUPc1MmJNeyg46cOXfYnWt6fzUmepWMZvkEEvQi7hh6rjPV3X660ksYJW BLhH0ByraVG4Q6EngetwX10gvRXgI=
X-Google-Smtp-Source: AGHT+IFZHdZv6uFZLh0+CPAQVMmnBBv+M2H33wKAq1pB8hS95Df7YsHHxYob/XHX0Wjb/0dSTMb+AfDJ2Rmook0LBgs=
X-Received: by 2002:a05:6512:114f:b0:545:2a7f:8f79 with SMTP id 2adb3069b0e04-54b011d5aa3mr1128959e87.16.1743068823390; Thu, 27 Mar 2025 02:47:03 -0700 (PDT)
MIME-Version: 1.0
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 27 Mar 2025 10:46:26 +0100
X-Gm-Features: AQ5f1JpyT7X0owb7RXFKWHR7wbDxn-5bPTjtm2iDbLNMCIORbt7WDzi9E62ILx4
Message-ID: <CALAqi_-3Xz7ziyp626Z0KMoZO-gkb7Y25Tduc0ff-e_kg+GuvQ@mail.gmail.com>
To: cose@ietf.org, JOSE WG <jose@ietf.org>, Daniel Huigens <daniel.huigens@proton.ch>
Content-Type: multipart/alternative; boundary="00000000000009924106314fd698"
Message-ID-Hash: CLT6PDBTN2T2B2MXDATERPGO57SP4CK3
X-Message-ID-Hash: CLT6PDBTN2T2B2MXDATERPGO57SP4CK3
X-MailFrom: panva.ip@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [jose] Modern Algorithms in the Web Cryptography API IETF 122 followup
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/DaWEIOC7j3rOkHxR07_Vh9kntVY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
Dear JOSE WG, COSE WG, and Daniel,
(draft-ietf-cose-sphincs-plus
<https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/> and
draft-ietf-jose-pqc-kem
<https://datatracker.ietf.org/doc/draft-ietf-jose-pqc-kem/> authors, please
note there's feedback towards your drafts in this message as well).
As promised in the IETF 122 JOSE WG meeting where I've presented the topic.
Having digested the discussion that occurred, here's the promised follow up
feedback to the upcoming extension to the Web Cryptography API with my
recommendations to its author/editor, a heads up for the COSE and JOSE
Working Groups, as well as feedback towards some of the WG drafts.
The Web Cryptography API <https://w3c.github.io/webcrypto/> (javascript
cryptography interface available in most javascript runtimes) is about to
have its second extension proposed to the Web Platform Community
Group. This specification defines a number of modern cryptographic
algorithms for the Web Cryptography API, currently that's ML-KEM, ML-DSA,
SLH-DSA, AES-OCB, ChaCha20-Poly1305, SHA-3, cSHAKE, KMAC, and Argon2.
The APIs intersection with the JOSE WG is the JSON Web Key format used for
key import/export operations. This brings the COSE WG draft into the
discussion because for some of the algorithms the new JWK Key Type and
algorithms are being defined in COSE WG drafts.
Here are my suggestions for Daniel, the extension's author and the API's
current editor, regarding the current algorithms in the draft's scope.
*JWK Key Type - AKP - Algorithm Key Pair*
This new key type is being defined in draft-ietf-cose-dilithium
<https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/>. This key
type requires that "alg" be always present and uses the "kty" value "AKP".
All keys must include a "pub" public key parameter. Private keys in
addition also include "priv", or "priv_exp", or both where applicable (see
archive)
<https://mailarchive.ietf.org/arch/msg/cose/-vIaTIvZoSh21_2vqPakAvzzwSw/>.
*ML-DSA*
- uses AKP
- "alg" values are being defined in draft-ietf-cose-dilithium
<https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/>
- "priv" is the seed
- "priv_exp" is the expanded private key
- when both "priv" and "priv_exp" are present during import then "priv"
must expand to "priv_exp"
- @Daniel Huigens <daniel.huigens@proton.ch> the above is fully
supporting the API's JWK import/export operations.
*ML-KEM*
- feedback to draft-ietf-jose-pqc-kem
<https://datatracker.ietf.org/doc/draft-ietf-jose-pqc-kem/> authors: The
draft currently does mention key representations. My assumption is that the
AKP key type is to be used and to support that the draft needs to
explicitly mention doing so and explain how the AKP Key Parameters are to
be used.
- @Daniel Huigens <daniel.huigens@proton.ch> assuming ML-KEM JWK keys
will be represented the same as ML-DSA this is fully supporting the API's
JWK import/export operations.
*SLH-DSA*
- worked on in draft-ietf-cose-sphincs-plus
<https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/>
- SLH-DSA-SHA2-128s, SLH-DSA-SHAKE-128s, and SLH-DSA-SHA2-128f alg
values are defined in the draft
- @Daniel Huigens <daniel.huigens@proton.ch> for parameter sets not
planned to be registered by the COSE WG draft the API extension
specification may request registration similar to how RSA-OAEP-384 was
registered in the original Web Cryptography API spec, that's with Algorithm
Usage Location(s): "alg" and JOSE Implementation Requirements: Optional
- feedback to draft-ietf-cose-sphincs-plus
<https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/> authors:
The draft currently mentions key representations to use the AKP type but
does not explicitly mention what "priv" and "priv_exp" parameters
represent, while I think this is very much clear it would be prudent for
your draft to expand on the topic similar to how cose-dilithium does or how
cose-sphincs-plus hopefully will in its future revisions.
*AES-OCB*
- @Daniel Huigens <daniel.huigens@proton.ch> the API extension
specification may request registration similar to how other AES modes were
registered in the original Web Cryptography API spec, that's with Algorithm
Usage Location(s): "JWK" and JOSE Implementation Requirements: Prohibited
- Can anyone familiar with the original registrations chime in on why
the JWK-only Usage Location registrations were done as Prohibited?
- Uses "oct" key type
*ChaCha20-Poly1305*
- @Daniel Huigens <daniel.huigens@proton.ch> same as AES-OCB, note that
the value "C20P" was previously used in an I-D
<https://datatracker.ietf.org/doc/draft-amringer-jose-chacha/> and some
libraries implement it, you may consider registering that value
- Uses "oct" key type
*SHA-3 and cSHAKE*
- These Web Cryptography Algorithms interact with other algorithms that
specify a hash as part of either its CryptoKey algorithm or the operation's
algorithm (HMAC, RSASSA-PKCS1-v1_5, RSASSA-PSS, ECDSA, RSA-OAEP
- In the past JWK registrations were done for HS1, RS1, and PS1
- @Daniel Huigens <daniel.huigens@proton.ch> much like HS1, RS1, and PS1
I believe a registering every combination of the new digest algorithms with
existing hash-based algorithms is impractical (and would not find any use
outside of the API itself similar to its past HS1, RS1 and PS1
registrations). Therefore I recommend that either the API support JWK
import/export of such keys but
- during JWK import the "alg" member must not be present
- during JWK export the "alg" member is omitted;
- - or -
- the API only supports non-JWK export/import key formats when the
new digest algorithms are present on the key algorithm.
*KMAC*
- @Daniel Huigens <daniel.huigens@proton.ch> given the updated guidance
on registrations in the JSON Web Signature and Encryption Algorithms IANA
registry we would not be able to register the algorithms for KMAC128 and
KMAC256 unless they also implied an empty customization (S input parameter)
member and a fixed length (L input parameter) members. As such I recommend
that either the API support JWK import/export of such keys using the "oct"
key type but
- during JWK import the "alg" member must not be present
- during JWK export the "alg" member is omitted;
- - or -
- the API only supports non-JWK export/import key formats for the
KMAC algorithm
*Argon2*
- has no interaction with JWK :check:
S pozdravem,
*Filip Skokan*
- [jose] Modern Algorithms in the Web Cryptography … Filip Skokan
- [jose] Re: Modern Algorithms in the Web Cryptogra… Simo Sorce
- [jose] Re: Modern Algorithms in the Web Cryptogra… Filip Skokan
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Ilari Liusvaara
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Orie Steele
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Simo Sorce
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Orie
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Simo Sorce
- [jose] Re: [COSE] Re: Re: Re: Modern Algorithms i… Ilari Liusvaara
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Orie
- [jose] Re: [COSE] Re: Modern Algorithms in the We… Orie
- [jose] Re: [COSE] Re: Re: Re: Modern Algorithms i… Michael Jones