Re: [jose] RFC 8037 "alg" quirkiness

Jim Schaad <ietf@augustcellars.com> Sat, 19 September 2020 15:53 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BCCC3A0AB0 for <jose@ietfa.amsl.com>; Sat, 19 Sep 2020 08:53:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gozmuppzT137 for <jose@ietfa.amsl.com>; Sat, 19 Sep 2020 08:53:18 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 701B03A0AAE for <jose@ietf.org>; Sat, 19 Sep 2020 08:53:18 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 19 Sep 2020 08:52:52 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Anders Rundgren' <anders.rundgren.net@gmail.com>, <jose@ietf.org>
References: <1a84f81d-c7bd-9961-9f5c-e6c358fc1095@gmail.com>
In-Reply-To: <1a84f81d-c7bd-9961-9f5c-e6c358fc1095@gmail.com>
Date: Sat, 19 Sep 2020 08:52:51 -0700
Message-ID: <039801d68e9c$ef7baaf0$ce7300d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIRfeCT23E7ULVkfNVtfdFMcnJlbKj6PJ6A
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/M_suTfo2K-EBBZfkJo4i1loBwUw>
Subject: Re: [jose] RFC 8037 "alg" quirkiness
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 15:53:20 -0000

Jumping back to the start.

-----Original Message-----
From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
Sent: Saturday, August 29, 2020 11:58 PM
To: jose@ietf.org
Subject: [jose] RFC 8037 "alg" quirkiness

I have just implemented support for Edwards curves in my JSON library.

Although it is certainly not a deal-breaker I find the use of "EdDSA" as a
generic Edwards algorithm identifier rather quirky since it departs from the
other JWS algorithms:
https://tools.ietf.org/html/rfc8037#appendix-A.4

[JLS]  I do not find this at all in consistent with the way that the other
signature algorithms were handled, but that may just be me.  For the ECDSA
algorithms, the size of the hash is specified because it could be variable
across the different curve sizes.  So you can do ECDSA with SHA-512 and
P-256.  The requirement to specify the hash was needed to bring the number
of options down to just those that are fixed by the curve.

[JLS] For EdDSA, the hash function is fixed by the curve.  This would change
if different hash functions where allowed for the same curve but I do not
believe that this where ever be in danger of happening because it was
strongly argued that a single hash function was the correct approach.  Since
there was not a need to specify the hash function independent of the key,
there was no need to specify an EdDSA with SHA-512 and an EdDSA with
SHAKE-256 it was not done.

Jim


For curiosity reasons I took a peek at the initial draft which has (in my
opinion...) a more logical solution:
https://tools.ietf.org/html/draft-liusvaara-jose-cfrg-curves-00#appendix-A.4

May I ask why this change was performed?

For JSF (JSON Signature Format) I will stick to the "00" scheme which also
permits use of ed25519ph and friends if needed:
https://mobilepki.org/jsf-lab/home

thanx,
Anders

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose