Re: [jose] RFC 8037 "alg" quirkiness

Anders Rundgren <anders.rundgren.net@gmail.com> Sat, 19 September 2020 16:12 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEAD53A0B2E for <jose@ietfa.amsl.com>; Sat, 19 Sep 2020 09:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEmYfImOQcUN for <jose@ietfa.amsl.com>; Sat, 19 Sep 2020 09:12:03 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B830A3A0B29 for <jose@ietf.org>; Sat, 19 Sep 2020 09:12:02 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id d4so8074259wmd.5 for <jose@ietf.org>; Sat, 19 Sep 2020 09:12:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=YLsjaAXDnE5Ykf6pj7n2K+xxena1BdsrSbMidVNNW2o=; b=eWdCNWOAOB2HJVF9jspFDVwm7yv1HR8bjjj8/j2MMWchyMBcpVS78LrUH3bbkm2rzE gPz0oQsd3McetbKvWiJ3fp3mnRw+STML69d99E5/TZ0Dbur3zfl4NAuGKZGOfprcyW0P sOsuKzDWAq2DLmZfjHIaxqYJQMKuLQNLUhr9q43iDIEgxtcxtdLDvmJ2juw/IP9tvojF b04On/T65SdodWLaTxye5vBJHUldo/dz7d5KwpIa+LpHHrTdl5ivqMWppIO5yKpRC35M 2K96vl8Ivbzbd2lPT7INOdBh+wcDILV1BsLl/FJFG95xtEp1EhrJONjOmVjOnCAFMCcR 8f0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=YLsjaAXDnE5Ykf6pj7n2K+xxena1BdsrSbMidVNNW2o=; b=p776UhjcTexlsrn5ep7tjcebtuDAKr4S9ip7lkWtJdQf1lPcILYDiCpIPc5+66r0gk mKPCiJcc4fgbTLr8jIrrpdhygAHm47PLGq/4an3htvBMTsHciLhgCjFz421EbcFk6SpE hsye37M+xxfUcRjhFOIvC0oE7P4T7Q3GGMEYMEG+CtNOD6ORy0bCJXvL7sXaTBydf3IB gjnMhDajJx2IVnMqovwetkYi5Tspt9BlwDWrAM4WLUF1bCijOQe+sPCxPnQenLdDDvmP gXjqhoCPeCr+GnPALtOHFYhYEysu/PQD+xZNbm3ofbeCzt7xFx9pg7umtRDZE2xNk61z 8uOA==
X-Gm-Message-State: AOAM530KmqaqS4V2QPMn8ckIF4zISg3hujAVFDgTwaGXv+kYjrBysQ8Z yo19nHejnNjdax48k91KQ1LjaQIiTEx8XA==
X-Google-Smtp-Source: ABdhPJxRYRvrdbrdu1RRdsFpP6eN3hax0hAHnTKhkW/DdngNWvuWT0js77G7/oh/ccu/MzY7SqvmNw==
X-Received: by 2002:a7b:c1c3:: with SMTP id a3mr22885537wmj.68.1600531920780; Sat, 19 Sep 2020 09:12:00 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id p1sm25526593wma.0.2020.09.19.09.11.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 19 Sep 2020 09:12:00 -0700 (PDT)
To: Jim Schaad <ietf@augustcellars.com>, jose@ietf.org
References: <1a84f81d-c7bd-9961-9f5c-e6c358fc1095@gmail.com> <039801d68e9c$ef7baaf0$ce7300d0$@augustcellars.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <df886b1b-263d-62cf-7772-78c8ce34bf59@gmail.com>
Date: Sat, 19 Sep 2020 18:11:58 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <039801d68e9c$ef7baaf0$ce7300d0$@augustcellars.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/M_c4jcIMwHuxkINEn5Lcl8Ybp00>
Subject: Re: [jose] RFC 8037 "alg" quirkiness
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 16:12:05 -0000

On 2020-09-19 17:52, Jim Schaad wrote:
> Jumping back to the start.
> 
> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Saturday, August 29, 2020 11:58 PM
> To: jose@ietf.org
> Subject: [jose] RFC 8037 "alg" quirkiness
> 
> I have just implemented support for Edwards curves in my JSON library.
> 
> Although it is certainly not a deal-breaker I find the use of "EdDSA" as a
> generic Edwards algorithm identifier rather quirky since it departs from the
> other JWS algorithms:
> https://tools.ietf.org/html/rfc8037#appendix-A.4
> 
> [JLS]  I do not find this at all in consistent with the way that the other
> signature algorithms were handled, but that may just be me.  For the ECDSA
> algorithms, the size of the hash is specified because it could be variable
> across the different curve sizes.  So you can do ECDSA with SHA-512 and
> P-256.  The requirement to specify the hash was needed to bring the number
> of options down to just those that are fixed by the curve.

Hi Jim,

It may be just me but I prefer the algorithm/key identifier solution you selected for PKIX:
https://tools.ietf.org/html/rfc8410#section-3
It is as you say not identical to the JOSE ECDSA solution, but it is (IMO then...) "closer".

Oracle also adopted the PKIX notation for JCE and so did yours truly for JSF.

Anyway, the crypto world seems to be full of quirks like two different ways
of representing ECDSA signatures.

Nobody died.  We can safely drop this thread :)

Anders


> 
> [JLS] For EdDSA, the hash function is fixed by the curve.  This would change
> if different hash functions where allowed for the same curve but I do not
> believe that this where ever be in danger of happening because it was
> strongly argued that a single hash function was the correct approach.  Since
> there was not a need to specify the hash function independent of the key,
> there was no need to specify an EdDSA with SHA-512 and an EdDSA with
> SHAKE-256 it was not done.
> 
> Jim
> 
> 
> For curiosity reasons I took a peek at the initial draft which has (in my
> opinion...) a more logical solution:
> https://tools.ietf.org/html/draft-liusvaara-jose-cfrg-curves-00#appendix-A.4
> 
> May I ask why this change was performed?
> 
> For JSF (JSON Signature Format) I will stick to the "00" scheme which also
> permits use of ed25519ph and friends if needed:
> https://mobilepki.org/jsf-lab/home
> 
> thanx,
> Anders
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>