IETF Logo Mail Archive

Re: [jose] I-D Action: draft-ietf-jose-fully-specified-algorithms-01.txt

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 02 March 2024 10:17 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56ABDC15108D for <jose@ietfa.amsl.com>; Sat, 2 Mar 2024 02:17:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.909
X-Spam-Level:
X-Spam-Status: No, score=-5.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BITCOIN_OBFU_SUBJ=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfPmM3cpoxp7 for <jose@ietfa.amsl.com>; Sat, 2 Mar 2024 02:17:18 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC673C151087 for <jose@ietf.org>; Sat, 2 Mar 2024 02:17:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 8EFCF13B53 for <jose@ietf.org>; Sat, 2 Mar 2024 12:17:13 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id dlbd-oucZDRe for <jose@ietf.org>; Sat, 2 Mar 2024 12:17:13 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 5CC6672 for <jose@ietf.org>; Sat, 2 Mar 2024 12:17:12 +0200 (EET)
Date: Sat, 02 Mar 2024 12:17:12 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "jose@ietf.org" <jose@ietf.org>
Message-ID: <ZeL8qMU__s_S2vli@LK-Perkele-VII2.locald>
References: <170914224026.56455.15183346032212380498@ietfa.amsl.com> <Zd-VJUMiAt4I8nBx@LK-Perkele-VII2.locald> <PH0PR02MB74304D9DFD11894C957AAB3EB7582@PH0PR02MB7430.namprd02.prod.outlook.com> <ZeCc0TVTMmHPCe9u@LK-Perkele-VII2.locald> <SJ0PR02MB74399E80DC38388CD56695BFB75E2@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCS6CCvEKDQc6ZmQWnBfRn0tDxtjbjtReHLkTyUrp5SkDw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CA+k3eCS6CCvEKDQc6ZmQWnBfRn0tDxtjbjtReHLkTyUrp5SkDw@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/RtVbKuckiq6OCPwfYI5iCOLvlBU>
Subject: Re: [jose] I-D Action: draft-ietf-jose-fully-specified-algorithms-01.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2024 10:17:22 -0000

On Fri, Mar 01, 2024 at 02:41:20PM -0700, Brian Campbell wrote:
> For JOSE encryption, I think the 4 deprecated algorithms would be ECDH-ES,
> ECDH-ES+A128KW, ECDH-ES+A192K, and ECDH-ES+A256KW.

And for COSE, there is additionally SHA512 variant of ECDH-ES, plus SS
versions of all those, making 10 total.


> But it seems like there could be as many as 20 new algorithms - one of each
> of the above combined with each of EC/P-256, EC/P-384, EC/P-521,
> OKP/X25519, and OKP/X448.  Although that list could probably be trimmed
> down to only include combinations that "make sense" together based on bit
> strength. Maybe that's where Ilari's 12 comes from? Though I get 10 when I
> try to make such a list:
> 
> ECDH-ES w/ EC/P-256, EC/P-384, EC/P-521, OKP/X25519, and OKP/X448 (5)
> ECDH-ES+A128KW w/ EC/P-256 and OKP/X25519 (2)
> ECDH-ES+A192KW w/ EC/P-384 (1)
> ECDH-ES+A256KW w/ EC/P-521 and OKP/X448 (2)
> 
> (5+2+1+2 = 10)

There is the 6th curve (secp256k1, a.k.a. the Bitcoin curve), but it is
in a bit of limbo if it is allowed in ECDH or not. 

But if that is left out, the list is as above.

And might make sense to use matching hash function. So SHA-384 for
P-384 and SHA-512 for P-521 and X448.

For COSE, the number is doubled because of the SS variants.

Oh and for extra fun, there is the question if one should use AES-192
or AES-256 with P-384. The support for AES-192 is much poorer than
support for AES-256. Previously this did not matter because one could
use either with P-384, but now one has to use the chosen one in JOSE
(in COSE, the Key Agreement with Key Wrap algorithms are just
shortcuts, as it is possible to compose those from primitive component
algorithms).


> Regardless, I'm not sure how I feel about the combinatorial expansion
> there. Especially in the context of adding and deprecating algs into specs
> and code with existing widespread usage.

There's also the issue what if some algorithms do something subtly
different. Very mild example is someone adding curves with h != 1,
which then use cofactor ECDH instead of normal ECDH. But the new
algorithms could also have other differences which turn out to be a
major PITA to support in implementations.

Which is also something to consider in context of COSE-HPKE/JOSE-HPKE.
There already have been proposals there to do things that are not even
possible to support without breaking changes in some libraries.




-Ilari

v2.23.0 | Report a Bug | By Email