Re: [OAUTH-WG] Signature crypto
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Wed, 25 November 2009 16:16 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42D5828C270 for <oauth@core3.amsl.com>; Wed, 25 Nov 2009 08:16:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOrJDPohpdQF for <oauth@core3.amsl.com>; Wed, 25 Nov 2009 08:16:28 -0800 (PST)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by core3.amsl.com (Postfix) with ESMTP id 858773A6AAA for <oauth@ietf.org>; Wed, 25 Nov 2009 08:16:27 -0800 (PST)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id nAPGGHNk013061 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 25 Nov 2009 17:16:17 +0100
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id nAPGGHnJ002491; Wed, 25 Nov 2009 17:16:17 +0100
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 25 Nov 2009 17:16:17 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 25 Nov 2009 18:19:45 +0200
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4501EE54E2@FIESEXC015.nsn-intra.net>
In-Reply-To: <3a880e2c0911250618w358579d9o38b5ad90cb9242af@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] Signature crypto
Thread-Index: Acpt2kdUTG1tt6wWTq6qbaiQ5IVy0wADocaQ
References: <90C41DD21FB7C64BB94121FBBC2E72343785183009@P3PW5EX1MB01.EX1.SECURESERVER.NET><4B0D3698.8070706@cs.tcd.ie> <3a880e2c0911250618w358579d9o38b5ad90cb9242af@mail.gmail.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: "ext Infinity Linden (Meadhbh Hamrick)" <infinity@lindenlab.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-OriginalArrivalTime: 25 Nov 2009 16:16:17.0185 (UTC) FILETIME=[9DDE5910:01CA6DEA]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Signature crypto
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 16:16:29 -0000
This case is interesting. Until recently I have also thought that one has to specify a mandatory-to-implement algorithm in a security protocol since otherwise interoperability would really suffer. When working in KEYPROV I learned through Russ Housley that this is actually not true. He said: " Some specifications in the security area do not pick a mandatory to implement algorithm. RFC 5280 is one example. Instead the companion specifications tell what algorithm is appropriate for a particular environment. " There are a few reasons why you often cannot agree on a specific algorithm. Examples are different usage scenarios that demand a certain algorithm, certain software packages that may or may not support certain algorithms at a specific point in time, different performance/hardware requirements, IPR concerns, etc. In any case it is likely that the chosen algorithm will get replaced in a few years from now and one does not want to update the specification every time. Hence, having some form of crypto-agility is generally a good idea since you might want to negotiate a set of algorithms anyway and it is quite likely that an algorithm is found that both parties support. Ciao Hannes ________________________________ From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of ext Infinity Linden (Meadhbh Hamrick) Sent: 25 November, 2009 16:19 To: Stephen Farrell Cc: OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Signature crypto +1 to stephen's comment. when it comes to algorithm support and selection, i think the consensus that's emerged is we should require an algorithm that "looks good" at the moment the spec is being drafted, but allow the use of other optional algorithms. ("looks good" here means that there are no known successful attacks against the math of the algorithm and there's a general consensus amongst cryptographers that there won't be one in the next 20 years.) the rationale behind this may have to do with the experience some implementers had with MOSS / MIME Object Security Services (aka RFC1848.) MOSS was specified to address issues people had raised with PEM (Privacy Enhanced Mail). The problem with MOSS is that it was near infinitely flexible and you could create an implementation that strictly adhered to the specification, but was non-interoperable if you chose to support a different set of optional encipherment algorithms. so the concern here is that if you allow all hash algorithms to be optional, you'll find some outlier who wants to use HAVAL with Rabin Williams to generate signatures and will sell this solution into the marketplace, then go out of business. people who bought the solution won't think anything's wrong 'til they try to hook it up to someone else who's using a more traditional SHA256+RSA or ECDSA solution. a great wailing and gnashing of teeth will follow. but if we REQUIRE that everyone use SHA256 but allow other hash algorithms, then we won't have this problem. -cheers -meadhbh -- infinity linden (aka meadhbh hamrick) * it's pronounced "maeve" http://wiki.secondlife.com/wiki/User:Infinity_Linden On Wed, Nov 25, 2009 at 05:52, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: Eran Hammer-Lahav wrote: > I think we have consensus that the spec should not mandate a particular hash algorithm. This still leave the issue of assigning algorithms short names for the purpose of negotiation and declaration. Is there a registry available for such algorithms we can use or do we need to create a new one? Sorry to have missed out on the thread where that was discussed, but it'd be odd for an IETF security spec to not mandate some algorithms and quite likely to generate comments later in the process if there's no well-defined way to ensure interop. Do we have that? Ta, S. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Peter Saint-Andre
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] Signature crypto Hubert Le Van Gong
- Re: [OAUTH-WG] Signature crypto Vrancken Bart bv
- Re: [OAUTH-WG] Signature crypto Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] Signature crypto John Kemp
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Ben Laurie
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Manger, James H
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Paul C. Bryan
- Re: [OAUTH-WG] Signature crypto stephen.farrell
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Richard Barnes
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Richard L. Barnes