Re: [jose] RSASSA-PSS signature
Brian Campbell <bcampbell@pingidentity.com> Tue, 12 March 2013 22:53 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 12 Mar 2013 18:52:58 -0400
Message-ID: <CA+k3eCTYzF2cGni7oozc=haNVJ5vwiRj1MfKH6kxPH3_syX3fg@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, "Peck, Michael A" <mpeck@mitre.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] RSASSA-PSS signature

RSA-OAEP is already included, no?
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08#section-4.1

But it is OPTIONAL while RSAES-PKCS1-V1_5 is REQUIRED. Wasn't that what was
behind the statement/question about starting to encourage movement away from
RSAES-PKCS1-v1_5 rather than encouraging its use? Or did I miss the point
there?

On Tue, Mar 12, 2013 at 6:20 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> RSA PKCS1-v1.5 is used for both signing and encryption as you are aware it
> is an encryption/padding alg that is used with a hash function for
> signature.
>
> The same argument you are making can be used to include RSA-OAEP.
>
> One of the reasons PKCS1 v1.5 padding is so popular is that it can be used
> to wrap both a key and a hash where the alternative needs two padding algs
> and to be secure two keys.
> I agree that it would be better in a perfect world.
>
> Nothing stops additional algorithms being defined. We have people using
> the current padding who had strong opinions on that.
> I have yet to see anyone want PSS/OAEP strongly other than as a matter of
> principle (I have been one of them).
>
> If you feel strongly put forward a use case and propose adding them.
>
> John B.
>
>
> On 2013-03-12, at 5:10 PM, "Peck, Michael A" <mpeck@mitre.org> wrote:
>
> My original message was not about encryption algorithms, it was about the
> RSASSA-PSS signature algorithm, which is not in JWA at all (I also don’t
> see it listed in Mike’s spreadsheet).
>
> If you’d like to bring up encryption algorithms too, RFC 3447 states:
>    Two encryption schemes are specified in this document: RSAES-OAEP and
>    RSAES-PKCS1-v1_5. RSAES-OAEP is recommended for new applications;
>    RSAES-PKCS1-v1_5 is included only for compatibility with existing
>    applications, and is not recommended for new applications.
>
> 10 years later, it may be appropriate to start encouraging movement away
> from RSAES-PKCS1-v1_5 rather than further encouraging its use.
> Should the CFRG be asked for an opinion?
>
> Mike
>
> *From:* Mike Jones [mailto:Michael.Jones@microsoft.com]
> *Sent:* Tuesday, March 12, 2013 4:12 PM
> *To:* Richard Barnes; John Bradley
> *Cc:* Peck, Michael A; jose@ietf.org
> *Subject:* RE: [jose] RSASSA-PSS signature
>
> Your statement that there are no MTI algorithms is actually incorrect.
> The current JWA draft specifies REQUIRED (and RECOMMENDED and OPTIONAL)
> algorithms, and indeed, as currently chartered, we are required to define
> the set of MTI algorithms.
>
> The spreadsheet characterizing platform support for possible algorithms
> that John referred to is attached. As you can see, RSA PKCS1-v1_5 is the
> only ubiquitously implemented asymmetric encryption algorithm.
>
> -- Mike
>
> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf Of* Richard Barnes
> *Sent:* Tuesday, March 12, 2013 12:49 PM
> *To:* John Bradley
> *Cc:* Peck, Michael A; jose@ietf.org
> *Subject:* Re: [jose] RSASSA-PSS signature
>
> Since we are not putting requirements on algorithms (i.e., there is no
> MTI), there's no harm to having PSS in the algorithms list. Only benefit!
>
> --Richard
>
>
> On Tue, Mar 12, 2013 at 3:24 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> This has had a fair amount of discussion. While I think almost everyone
> would prefer PSS, many implementations are going to be in scripting
> languages where the underlying libraries only support PKCS1-v1_5.
>
> We did a survey of platforms to evaluate if we could move to PSS and the
> result led us not to make PSS the MTI. I think that was reported out
> at the Atlanta IETF meeting.
> Nat may be able to forward that to you, I don't have it handy.
>
> If we were talking about starting from scratch and not building on
> existing platforms likely the answer would have been different.
>
> The algorithms are extensible so PSS can be added. The other
> consideration is that many of the people who care will be using ECDSA
> signatures anyway.
>
> John B.
>
> On 2013-03-12, at 2:52 PM, "Peck, Michael A" <mpeck@mitre.org> wrote:
>
> draft-ietf-jose-json-web-algorithms-08 includes RSASSA-PKCS1-v1_5
> signatures but not RSASSA-PSS.
>
> The Security Considerations states:
>    While Section 8 of RFC 3447 [RFC3447] explicitly calls for people not
>    to adopt RSASSA-PKCS1 for new applications and instead requests that
>    people transition to RSASSA-PSS, this specification does include
>    RSASSA-PKCS1, for interoperability reasons, because it commonly
>    implemented.
>
> Shouldn’t RSASSA-PSS at least be included as an option?
> I’m also not sure if I fully understand the interoperability concerns.
> JWS is a new specification, so it makes sense to me to use whatever
> algorithms are currently considered best practice, without need to worry
> about backwards compatibility?
>
> Mike
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose