Re: [jose] [COSE] Call for Adoption: draft-jones-jose-fully-specified-algorithms
Orie Steele <orie@transmute.industries> Mon, 08 January 2024 17:34 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04202C151542 for <jose@ietfa.amsl.com>; Mon, 8 Jan 2024 09:34:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pT_Idsn-rsY2 for <jose@ietfa.amsl.com>; Mon, 8 Jan 2024 09:34:08 -0800 (PST)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B92DC16A128 for <jose@ietf.org>; Mon, 8 Jan 2024 09:33:32 -0800 (PST)
Received: by mail-pj1-x102a.google.com with SMTP id 98e67ed59e1d1-28c7c9b19f1so850177a91.1 for <jose@ietf.org>; Mon, 08 Jan 2024 09:33:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1704735211; x=1705340011; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=s7fUW6EK+C/CWGHrHccls/DIFZI5w0qJCb4ZFAJddXw=; b=Z3muGKwZCH3xNmDCCbfL/zzC5VMJ4YpLkDoJLUBHkaUMZgd+tUj1A61RWlwlwQhoDm ea1JdIANJOkHmDtJ9vE+6MThDLzziRlfteiqLOXqw+RmrDXwhJENcbKdjow9bcQHEkig YyBa6H2+hRS2lOvLmweA94y7G5KyCHGcEwmE1GUGcU7tca2nhfz1gCtOB7IcNcqGSYf9 Ki5KntFOzJGSSpeQmLfsMUYF9tJ8VJ40QBDAVrz0kleFQn3qTS8Y8oxgqRs+sgRkNQAv ehv9mDfw9ztPiBuB1KODRE3uA04nFvMDZTEkwQQ/FfGwyzUodaUroFpgOcc/v1sJPCYY nUFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704735211; x=1705340011; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=s7fUW6EK+C/CWGHrHccls/DIFZI5w0qJCb4ZFAJddXw=; b=mvpxUAWdXoyDML9oj0JWauZa/Wm2vjzQA9F3ceW12YHE5VDsy+dQAeUneKOXht3d+I jkoWg2Tk9ufHcfqXRBTW9lAiqg2nIThOwKfiLXhrhiDFozeeZzuhhlvuKEjN8VD5tFMT m8JpxW1HCAjC+zmC6LA8mp9Y2qMmumu0WkIeKBGQf2ZBqwL2s5+WevUKCIfyrUuqmlxb yscGowta53mcFie7JH5ypNKtFAftWYWqEIV3bzl59PUB04XOVlwBxBMPHhqGL5X7/OJ+ hyxRHBeF92KCtV9x9E2HjWCwhwtdwFQNqwYtNiwgszJq7Dq9CS2kYpUVgs7YUiQdIF9X XMxw==
X-Gm-Message-State: AOJu0YzJBa82SjP6dTp5r/WVquDoc6mBOn9gWJmo48D688VBrh3J8N5p sAupHup9mYc5JAZPS1AxQvYaAmlij5EzNqvX/6sKEe2Y4O0XJw==
X-Google-Smtp-Source: AGHT+IGLfiJzr3H7pp9Kraf00WR9girb+oa4WCuxuT38XC/9O+Ym1pGkWsE0z1cmQlwZJQHJ706g1C44h6DwwB1XFY4=
X-Received: by 2002:a17:90a:578a:b0:28d:44bf:851d with SMTP id g10-20020a17090a578a00b0028d44bf851dmr986207pji.39.1704735211248; Mon, 08 Jan 2024 09:33:31 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_+jskd04A+owwf=P7xKwDDdmB2qOf37o+teDfx8TVzZHQ@mail.gmail.com> <EF57B98F-FE41-488B-B85E-7F9585790B93@gmail.com> <CAMBN2CRJ5o6AMgPY+pxtOD3a=SG2dG3-AJZ7oz7xo1i-otd3wg@mail.gmail.com> <CAN8C-_LqoCjpiy=RC78QKTGhdAR3BnVfypcqdYPoU_T7UVatVw@mail.gmail.com> <CAMBN2CTL39W8AhqMUFSbORjSR9h1=0MkeOXC6U=wGHW=MuGr1A@mail.gmail.com> <CAN8C-_+SLJik2qypnoxH5GZeAs9MDbga7hDhTd-FDPnR1Y9AMg@mail.gmail.com> <ZZwq8xUNl-5PVd6e@LK-Perkele-VII2.locald>
In-Reply-To: <ZZwq8xUNl-5PVd6e@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 08 Jan 2024 11:33:20 -0600
Message-ID: <CAN8C-_J=OUvyqyfw8Y+kf3n1Lor7fZRkSSeKVYUsj+ic4J7OLg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: jose@ietf.org, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b3f473060e72986c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/lywXOydtd-Oe9dmyK5AW426g9zk>
Subject: Re: [jose] [COSE] Call for Adoption: draft-jones-jose-fully-specified-algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2024 17:34:12 -0000
David, also commented on EdDSA & ECDSA design in a follow up post: > Since I suspect this is where some of the confusion comes from, let me point something out from RFC 8032: Ed25519 is *not* an elliptic curve in the way that P-256 is. RFC 8032 uses edwards25519 to refer to the elliptic curve in Ed25519. This is a name you've probably never seen used because it is an implementation detail of Ed25519. When using the primitive, you don't actually care how it is defined, just the name (Ed25519) and interface. Now, sometimes people are a bit sloppy and say "Ed25519" to mean the curve. The original Ed25519 paper didn't formally give a name to the curve itself, and if you know you're talking about an elliptic curve instead of a signature scheme, this is unambiguous. There's only one curve in Ed25519, realistically, we'll probably never instantiate another signature scheme with that curve. SHA-512 is fine. *But due to the history of people tryingto separate key and use (always a mistake), it's helpful to have precisenames for individual components when this confusion comes up.* *The fact that P-256-based primitives leak their parameterization is a flawin how we defined those primitives, not an analogy to apply to otherschemes. We should move away from that as much as possible.* This is analogous to how the X.509 work shifted from a heavily parameterized in draft-ietf-curdle-pkix-00 to distinct top-level OIDs in RFC 8410 - https://mailarchive.ietf.org/arch/msg/tls/wX-vDRr8Kbxa2zK1CyTsXsl9_hI/ I'd argue JOSE and COSE got Ed25519 / Ed448 registration for RFC8032 about as wrong as you can get it, something that better guidance can help guard against happening in the future. crv: Ed25519, alg: EdDSA / crv: Ed448, alg: EdDSA When in reality it is: crv: edwards25519, alg: Ed25519, and crv: edwards448, alg: Ed448 The specific names don't matter here, what matters is full specification eddsa-2021 would have been a better name if it implied Ed25519. I have found several of the arguments against duplication registrations compelling, and I admit that encryption has its own set of unique challenges. I really appreciate the comments we have gotten on this topic. Regards, OS On Mon, Jan 8, 2024 at 11:04 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Mon, Jan 08, 2024 at 09:15:48AM -0600, Orie Steele wrote: > > > > > The fact that Ed25519 and > > Ed448 are both EdDSA instantiations, or that the X25519 algorithm and the > > Ed25519 algorithm have a similar structure are just useful properties > when > > analyzing, specifying, or implementing a primitive. It is not relevant to > > protocols that *use* a primitive. As far as we're concerned, these are > just > > names that conform to the signature scheme interface (KeyGen() -> (pk, > sk), > > Sign(sk, msg) -> sig, and Verify(pk, msg, sig)). > > > > To me this last part is most compelling. > > > > If changing a part of the named algorithm, breaks this interface, then > the > > algorithm is fully specified. > > > > key-gen (signature type) --> private-key --> public-key --> signature > > (signature type) > > > > in data integrity, changing the hash function used, or the > canonicalization > > algorithm breaks the signature verification. > > > > the attacker can change these before verification succeeds. > > > > As a practical matter, I cannot generate a key pair with just the word > > "EdDSA", I need to know the curve. > > > > The same is also true of ECDSA. > > > > Differences in registries for algorithms can impact how easy it is to > build > > safe APIs or negotiate, for example: > > > > > https://github.com/panva/jose/blob/main/docs/functions/key_generate_key_pair.generateKeyPair.md > > > > For none fully specified algorithms, the crv property is required to > > generate a key. > > I think part of confusion is confusing encryption and signing. > Encryption in JOSE, let alone COSE, is very flexible, making fully > specified approach infeasible. But signing is relatively simple. > > However, there is a subtle difference between ECDSA and EdDSA. Both > are paramerized by curve and hash function. However, ECDSA keys only > depend on curve, while EdDSA keys depend on both curve and hash. > > ML-DSA ("Dilithium") and SLH-DSA ("SPINCS+") work like EdDSA despite > completely different parametrizations. RSA works like ECDSA. > > Thus: > - EdDSA keys are always fully specified. > - ML-DSA/SLH-DSA keys are always fully specified. > - In COSE, ECDSA keys are fully specified iff there is "alg". > - In JOSE, ECDSA keys are currently fully specified (only one hash > function is allowed for each curve). > - In COSE and JOSE, RSA keys are fully specified iff there is "alg". > > And I think a second source of confusion is keys being fully specified > versus algorithms implying key type. For signing, the latter fails for > EdDSA in COSE and JOSE (alg overloading), and ECDSA in COSE (multiple > allowed curves). Some applications misuse signature algorithms in COSE > and JOSE to imply key types. > > > > > -Ilari > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [jose] Call for Adoption: draft-jones-jose-fully-… Karen ODonoghue
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Michael Jones
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Filip Skokan
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Michael Prorock
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Giuseppe De Marco
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Ilari Liusvaara
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Neil Madden
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Ilari Liusvaara
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Neil Madden
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Neil Madden
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Neil Madden
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Carsten Bormann
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Neil Madden
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Manu Sporny
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Manu Sporny
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Carsten Bormann
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Simo Sorce
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Jeremie Miller
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Axel.Nennker
- Re: [jose] [COSE] Call for Adoption: draft-jones-… Ilari Liusvaara
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Michael Prorock
- Re: [jose] [COSE] Call for Adoption: draft-jones-… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Roland Hedberg
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Ilari Liusvaara
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Orie Steele
- Re: [jose] [COSE] Call for Adoption: draft-jones-… Ilari Liusvaara
- Re: [jose] [COSE] Call for Adoption: draft-jones-… Orie Steele
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Leif Johansson
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Joseph Heenan
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Ilari Liusvaara
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Simo Sorce
- Re: [jose] Call for Adoption: draft-jones-jose-fu… David Waite
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Pieter Kasselman
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Karen ODonoghue
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Oliver Terbu
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Tobias Looker
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Vladimir Dzhuvinov
- Re: [jose] Call for Adoption: draft-jones-jose-fu… Karen ODonoghue