Re: [jose] RFC 8037 "alg" quirkiness

Anders Rundgren <anders.rundgren.net@gmail.com> Sun, 20 September 2020 06:25 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D56E43A0BE3 for <jose@ietfa.amsl.com>; Sat, 19 Sep 2020 23:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HbHYTqCxhpg5 for <jose@ietfa.amsl.com>; Sat, 19 Sep 2020 23:25:02 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143533A0BDE for <jose@ietf.org>; Sat, 19 Sep 2020 23:25:02 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id b79so9392367wmb.4 for <jose@ietf.org>; Sat, 19 Sep 2020 23:25:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=fO+CXFDI9LlGajIFK0S5ZE2zgnmFqqJfNowfo0jVgQ4=; b=d7WG3saLwXlcUZqnFMxuZLyMADPX41ySbBKggjN4m83nXkMd+KAI6TXH8SkkG7awkD F1B6P09jYf2ndk307oghYJOU7MyXbBz66OZxUxGglNiz5r7vsyZVipbQB2EaiUmmhabP thjGHP9RUf9h0uXkCIaxZbMGJIpeGcPiygQs5PCHJz9WsSyJYMf4gEbllK/zA+AL8eo9 bkdt8OEU5/p8Q7ZCdfkqFy2wuct6hZMaqSU7S/HiDMCUftsKX83/YhoHioAig9+UEUPa 3ze01V2FFXxzheDEmWe1RZGVdWjFME5FN9/egaFB619F73uUehnJRsOI+dmcH5i6a3Aq TlHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=fO+CXFDI9LlGajIFK0S5ZE2zgnmFqqJfNowfo0jVgQ4=; b=DHwTmfM20mrevyM25TocLXEdI6M5Ohk2D7ZFKYLcwmOk3EKVpi+qfe6smLcib4ZSDj vqyM+NDJDlFkx4aXqKcVyQ753KOMHSoh+fjE9Sebr20xWC6GbKSp4deKt/ov8hzFVOCp qcFJQMp1CZwCav2EqZigVq0IE12uyMHqw/SIAtkFItnXEAxYvJ6ns4NX81YbWqjE0hvh epdrXdHSZkNAWNHKqQ9I7HQ/Iixyuzrjg/GGtsf63LpalwLvFvouywzoZtvzHVDQvo+D RBqlAjFfrIsZTPd+IbfbddBKRtn1PPraPFRuhXb6u2AI+AV6fXVWYonnpJZH+IIguejl SXrA==
X-Gm-Message-State: AOAM533AtoRvoILcA2PPj1ffRzIY8RYLMcxU0C1tv58LMrLzvR0M71n5 r2Gw/DRE1dObhk9Ix7KXMpHoC7BvcPfvDw==
X-Google-Smtp-Source: ABdhPJzJcPC2WMON20ifxNm2YvEL5uOowcdbkbf7O5j9ILP8av8+F/Dp5tgQUmlDwLOlJ71Py3w3Kg==
X-Received: by 2002:a1c:3505:: with SMTP id c5mr25247127wma.65.1600583099964; Sat, 19 Sep 2020 23:24:59 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id q13sm15175014wra.93.2020.09.19.23.24.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 19 Sep 2020 23:24:58 -0700 (PDT)
To: Jim Schaad <ietf@augustcellars.com>, jose@ietf.org
References: <1a84f81d-c7bd-9961-9f5c-e6c358fc1095@gmail.com> <039901d68ed6$2ed27ba0$8c7772e0$@augustcellars.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <83d038c3-f475-6d17-0d57-946a6ce889c5@gmail.com>
Date: Sun, 20 Sep 2020 08:24:56 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <039901d68ed6$2ed27ba0$8c7772e0$@augustcellars.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/zHuDN6TYLApNaPlnnOqP2HkR3cc>
Subject: Re: [jose] RFC 8037 "alg" quirkiness
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Sep 2020 06:25:04 -0000

On 2020-09-20 00:42, Jim Schaad wrote:
> Jumping back to the start.

It seems that your mail system generates duplicates.

FWIW, here is how the quirk manifests itself in my JOSE library:


     JSONObjectWriter setSignatureAlgorithm(JSONObjectWriter joseObject,
                                            SignatureAlgorithms signatureAlgorithm) {
         return joseObject.setString("alg",
                                     signatureAlgorithm.isOkp() ?
              "EdDSA" : signatureAlgorithm.getAlgorithmId());
     }


Presumably few cryptographic API's accept "EdDSA" as a signature algorithm.

You could indeed have used "EdDSA" as signature algorithm in RFC 8410 but
you did not and IMO you did the right choice.

Anyway, navigating in crypto-land is often a bit challenging:
https://mail.openjdk.java.net/pipermail/security-dev/2020-August/022348.html

I've made my point, nothing more to add on my side :)

Anders


> 
> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Saturday, August 29, 2020 11:58 PM
> To: jose@ietf.org
> Subject: [jose] RFC 8037 "alg" quirkiness
> 
> I have just implemented support for Edwards curves in my JSON library.
> 
> Although it is certainly not a deal-breaker I find the use of "EdDSA" as a
> generic Edwards algorithm identifier rather quirky since it departs from the
> other JWS algorithms:
> https://tools.ietf.org/html/rfc8037#appendix-A.4
> 
> [JLS]  I do not find this at all in consistent with the way that the other
> signature algorithms were handled, but that may just be me.  For the ECDSA
> algorithms, the size of the hash is specified because it could be variable
> across the different curve sizes.  So you can do ECDSA with SHA-512 and
> P-256.  The requirement to specify the hash was needed to bring the number
> of options down to just those that are fixed by the curve.
> 
> [JLS] For EdDSA, the hash function is fixed by the curve.  This would change
> if different hash functions where allowed for the same curve but I do not
> believe that this where ever be in danger of happening because it was
> strongly argued that a single hash function was the correct approach.  Since
> there was not a need to specify the hash function independent of the key,
> there was no need to specify an EdDSA with SHA-512 and an EdDSA with
> SHAKE-256 it was not done.
> 
> Jim
> 
> 
> For curiosity reasons I took a peek at the initial draft which has (in my
> opinion...) a more logical solution:
> https://tools.ietf.org/html/draft-liusvaara-jose-cfrg-curves-00#appendix-A.4
> 
> May I ask why this change was performed?
> 
> For JSF (JSON Signature Format) I will stick to the "00" scheme which also
> permits use of ed25519ph and friends if needed:
> https://mobilepki.org/jsf-lab/home
> 
> thanx,
> Anders
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>