IETF Logo Mail Archive

Re: [jose] RSASSA-PSS signature

Brian Campbell <bcampbell@pingidentity.com> Tue, 12 March 2013 22:53 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA7D211E810B for <jose@ietfa.amsl.com>; Tue, 12 Mar 2013 15:53:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.825
X-Spam-Level:
X-Spam-Status: No, score=-5.825 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7J7Eh578BTV for <jose@ietfa.amsl.com>; Tue, 12 Mar 2013 15:53:30 -0700 (PDT)
Received: from na3sys009aog119.obsmtp.com (na3sys009aog119.obsmtp.com [74.125.149.246]) by ietfa.amsl.com (Postfix) with ESMTP id 47B8911E810A for <jose@ietf.org>; Tue, 12 Mar 2013 15:53:30 -0700 (PDT)
Received: from mail-ob0-f199.google.com ([209.85.214.199]) (using TLSv1) by na3sys009aob119.postini.com ([74.125.148.12]) with SMTP ID DSNKUT+x6VC8EMjl9DpGXehYHQeooA0HLJnE@postini.com; Tue, 12 Mar 2013 15:53:30 PDT
Received: by mail-ob0-f199.google.com with SMTP id wd20so1907620obb.6 for <jose@ietf.org>; Tue, 12 Mar 2013 15:53:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=vtSE56YWySwSANEWQU9yGRTVxlmStbde7E8O+e+8xgs=; b=oYwL/M7dmo2I+ODl9aql5V2GAe90EJDqfkdpD6BsgEY/Nv2LGhHS42dDPXj6iYw69X doyix0My7Uikm7W0Gewq2i7F8foZQKbnXa3QMV4Ogfnasge0TDZyIhzix3/Vk3DcssEW lF75JY5jpCc7/d7x/Q0OFvjWf2ZZhgsWRA7QqONwgyySg8ykD7Nhg2x4vB4KyI9silnl sioCkjwh+zHcyEELi5fKK7V3zm9sSFkcyC8so2eY77NX3YPBh22iqfDS7aOjFDLh4hm3 sbVO2wrGnQ2kTXR5ROHh+INXzU31HDJW70k6arrwwlVrJf61jrbrwlPsCyTIJ07gXGlI 98ow==
X-Received: by 10.50.151.179 with SMTP id ur19mr13334062igb.79.1363128809007; Tue, 12 Mar 2013 15:53:29 -0700 (PDT)
X-Received: by 10.50.151.179 with SMTP id ur19mr13334055igb.79.1363128808873; Tue, 12 Mar 2013 15:53:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.32.106 with HTTP; Tue, 12 Mar 2013 15:52:58 -0700 (PDT)
In-Reply-To: <636E709D-6919-4D18-BE76-3FC34BB3CC6C@ve7jtb.com>
References: <8B4C063947CD794BB6FF90C78BAE9B321EFC0A36@IMCMBX04.MITRE.ORG> <9E337D95-53AD-431D-A053-76F1F5EF7FAA@ve7jtb.com> <CAL02cgQS6pRjFJGdnin_hToTNGak2XDmb-6j3vVGUi1eZb_1Cg@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367500130@TK5EX14MBXC283.redmond.corp.microsoft.com> <8B4C063947CD794BB6FF90C78BAE9B321EFC0B9D@IMCMBX04.MITRE.ORG> <636E709D-6919-4D18-BE76-3FC34BB3CC6C@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 12 Mar 2013 18:52:58 -0400
Message-ID: <CA+k3eCTYzF2cGni7oozc=haNVJ5vwiRj1MfKH6kxPH3_syX3fg@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="e89a8f3b9ff56fcf2d04d7c22882"
X-Gm-Message-State: ALoCoQlzEbZ8Y2haPOus0dBekc+qfSvKDRHzJVvJrPdDnmfQ58JcS7/aFTC+uzzcPuH4fsszfyRqdjWyXcZJHOrNR0CrJUlcNeq6C1O3aQcgauV6XpiJqofA1tG3Jsh5qBjNryQvNuM/
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, "Peck, Michael A" <mpeck@mitre.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] RSASSA-PSS signature
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 22:53:31 -0000

RSA-OAEP is already included, no?
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08#section-4.1But
it is OPTIONAL while RSAES-PKCS1-V1_5 is REQUIRED. Wasn't that what
was
behind the statement/question about starting to encourage movement away
from RSAES-PKCS1-v1_5 rather than encouraging its use? Or I did I miss the
point there?





On Tue, Mar 12, 2013 at 6:20 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> RSA PKCS1-v1.5 is used for both signing and encryption as you are aware it
> is an encryption/padding alg that is used with a hash function for
> signature.
>
> The same argument you are making can be used to include RSA-OAEP.
>
> One of the reasons PKCS1 v1.5 padding is so popular is that it can be used
> to wrap both a key and a hash where the alternative needs to padding als
> and to be secure two keys.
> I agree that it would be better in a perfect world.
>
> Nothing stops additional algorithms being defined.   We have people using
> the current padding who had strong opinions on that.
> I have yet to see anyone want PSS/OAEP strongly other than as a matter of
> principal (I have been one of them).
>
> If you feel strongly put forward a use case and propose adding them.
>
> John B.
>
>
> On 2013-03-12, at 5:10 PM, "Peck, Michael A" <mpeck@mitre.org> wrote:
>
> My original message was not about encryption algorithms, it was about the
> RSASSA-PSS signature algorithm, which is not in JWA at all (I also don’t
> see it listed in Mike’s spreadsheet). ****
>
> If you’d like to bring up encryption algorithms too, RFC 3447 states:****
>    Two encryption schemes are specified in this document: RSAES-OAEP and**
> **
>    RSAES-PKCS1-v1_5.  RSAES-OAEP is recommended for new applications;****
>    RSAES-PKCS1-v1_5 is included only for compatibility with existing****
>    applications, and is not recommended for new applications.****
>
> 10 years later, it may be appropriate to start encouraging movement away
> from RSAES-PKCS1-v1_5 rather than further encouraging its use.****
> Should the CFRG be asked for an opinion?****
>
> Mike****
>
>  *From:* Mike Jones [mailto:Michael.Jones@microsoft.com]
> *Sent:* Tuesday, March 12, 2013 4:12 PM
> *To:* Richard Barnes; John Bradley
> *Cc:* Peck, Michael A; jose@ietf.org
> *Subject:* RE: [jose] RSASSA-PSS signature****
> ** **
> Your statement that there are no MTI algorithms is actually incorrect.
> The current JWA draft specifies REQUIRED (and RECOMMENED and OPTIONAL)
> algorithms, and indeed, as currently chartered, we are required to define
> the set of MTI algorithms.****
>
> The spreadsheet characterizing platform support for possible algorithms
> that John referred to is attached.  As you can see, RSA PKCS1-v1_5 is the
> only ubiquitously implemented asymmetric encryption algorithm.****
>
>                                                             -- Mike****
>
> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org<jose-bounces@ietf.org>
> ] *On Behalf Of *Richard Barnes
> *Sent:* Tuesday, March 12, 2013 12:49 PM
> *To:* John Bradley
> *Cc:* Peck, Michael A; jose@ietf.org
> *Subject:* Re: [jose] RSASSA-PSS signature****
> ** **
> Since we are not putting requirements on algorithms (i.e., there is no
> MTI), there's no harm to having PSS in the algorithms list.  Only benefit!
> ****
> --Richard****
> ** **
> ** **
> On Tue, Mar 12, 2013 at 3:24 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:**
> **
> This has had a fair amount of discussion.   While I think almost everyone
> would prefer PSS, many implementations are going to be in scripting
> languages where the underlying libraries only support PKCS1-v1_5.****
> ** **
> We did a survey of platforms to evaluate if we could move to PSS and the
> result lead us not to make PSS as the MTI.  In think that was reported out
> at the Atlanta IETF meeting.****
> Nat may be able to forward that to you, I don't have it handy.****
> ** **
> If we were talking about starting from scratch and not building on
> existing platforms likely the answer would have been different.****
> ** **
> The algorithms are extensible so PSS can be added.   The other
> consideration is that many of the people who care will be using ECESA
> signatures anyway.****
> ** **
> John B.****
> ** **
> On 2013-03-12, at 2:52 PM, "Peck, Michael A" <mpeck@mitre.org> wrote:****
> ** **
>
> draft-ietf-jose-json-web-algorithms-08 includes RSASSA-PKCS1-v1_5
> signatures but not RSASSA-PSS.****
>  ****
> The Security Considerations states:****
>    While Section 8 of RFC 3447 [RFC3447] explicitly calls for people not**
> **
>    to adopt RSASSA-PKCS1 for new applications and instead requests that***
> *
>    people transition to RSASSA-PSS, this specification does include****
>    RSASSA-PKCS1, for interoperability reasons, because it commonly****
>    implemented.****
>  ****
> Shouldn’t RSASSA-PSS at least be included as an option?****
> I’m also not sure if I fully understand the interoperability concerns.
> JWS is a new specification, so it makes sense to me to use whatever
> algorithms are currently considered best practice, without need to worry
> about backwards compatibility?****
>  ****
> Mike****
>  ****
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose****
>
> ** **
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose****
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>

v2.23.0 | Report a Bug | By Email