Re: [pkix] Strawman on EdDSA/Ed25519 for PKIX Certificate/CRLs
Simon Josefsson <simon@josefsson.org> Mon, 29 June 2015 20:39 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125551B3415 for <pkix@ietfa.amsl.com>; Mon, 29 Jun 2015 13:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tGW8O8morFRV for <pkix@ietfa.amsl.com>; Mon, 29 Jun 2015 13:39:14 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0619C1B3410 for <pkix@ietf.org>; Mon, 29 Jun 2015 13:39:13 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t5TKcuca001209 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 29 Jun 2015 22:38:57 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Erwann Abalea <eabalea@gmail.com>
References: <20150601142206.1d7bedc0@latte.josefsson.org> <87pp4wka1q.fsf@latte.josefsson.org> <CA+i=0E6cWgNd7MHsP56LaVkdGaTKW+=VWamENwOrda+oebtfZQ@mail.gmail.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150629:pkix@ietf.org::hXidq0caql1P7HK0:+KA
X-Hashcash: 1:22:150629:eabalea@gmail.com::JvHDjXdNGnIe6Xyj:1GPy
Date: Mon, 29 Jun 2015 22:38:55 +0200
In-Reply-To: <CA+i=0E6cWgNd7MHsP56LaVkdGaTKW+=VWamENwOrda+oebtfZQ@mail.gmail.com> (Erwann Abalea's message of "Tue, 23 Jun 2015 16:38:43 +0200")
Message-ID: <87si9a9rmo.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/vyG3rowkvE5VTE6zWzFZt32i1l0>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Strawman on EdDSA/Ed25519 for PKIX Certificate/CRLs
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2015 20:39:16 -0000
Erwann Abalea <eabalea@gmail.com> writes: > Bonjour, Hello. Thank you for the feedback! > Section 5: EdDSAParameters is an ENUMERATED with (for now) only one value: > "ed25519", which designates a signature algorithm and not a set of public > key parameters. I guess one might want to find "curve25519" and "curve448" > here. Since this type is used with a public key algorithm, naming it with a > signature algorithm might not be suited. Actually "ed25519" designates the EdDSA parameters. They have an impact on how the public key looks -- EdDSA public keys are not compatible across hash functions. Ed25519 implies SHA-512, which implies how the public key is derived. I tried to clarify this point by adding the following sentence: The value "ed25519" means the set of EdDSA parameters associated with Ed25519, including hash function and curve. Saying "curve25519" does not feel right to me since it only describes the curve. To know the encoding the public key encoding for EdDSA you also need to know the hash function. Do you agree? > Section 5: the subjectPublicKey BIT STRING seems to contain an additional > OCTET STRING, which isn't necessary at this moment (however, since point > encoding hasn't been decided yet at CFRG, it may change). I don't know if you looked at -00 or -01. In -00 there was an additional OCTET STRING step. People suggested that it just waste space, so I removed it for -01. I have now added another sentence clarifying that it is not there: <t>The raw binary EdDSA public key is encoded directly in the subjectPublicKey BIT STRING object. Note that unlike some other schemes, there is no additional OCTET STRING encoding step.</t> > Section 6: what is the rationale to define keyUsage values here? I'd drop > this section. I copied this from RFC 5480. I'm not sure what value there is in having it, but it looks harmless and potentially useful to me. I could remove it too. > Section 7: signature parameters will be necessary and will be declared > either within the algorithm OID (as is done with ECDSA-with-*), within the > parameters data element, or both (as is done with RSASSA-PSS); right now, > Ed25519 is hardcoded to use SHA512, but you'll have to consider EdDSA with > other hash functions, or different curves (it's not yet decided which hash > function to use with curve448). My intention is that the signature parameters follow from the public key parameters. The document says: <t>This document identify an AlgorithmIdentifier OID for EdDSA signatures. No parameters are defined. The EdDSA parameters follow from the public-key parameters.</t> Is there any value in repeating the parameter for the signature? To validate the signature, you need the public key anyway. > Section 7: signature encoding itself must also be defined (or referenced); > for ECDSA, it's a SEQUENCE of 2 INTEGERs; here, it seems that r and s are > concatenated, but it's stated nowhere (maybe draft-josefsson-eddsa-ed25519?) Yes, I'm hoping draft-josefsson-eddsa-ed25519 takes care of that, see section 4.3 of it. I added some text pointing this out: This value is the opaque value ENC(R) || ENC'(S) described in section 4.3 of <xref target="I-D.josefsson-eddsa-ed25519"/>. > Section 8: the example certificate doesn't use the EdDSAParameters type to > indicate the curve used. > Section 8: the example certificate doesn't follow section 7 (parameters > MUST be absent) Yep, the test vector needs to be update -- will work on that. Thanks, /Simon > > > 2015-06-15 22:10 GMT+02:00 Simon Josefsson <simon@josefsson.org>: > >> Hi, >> >> I have updated the document a bit. It appears likely that EdDSA will be >> usable with other parameters than Ed25519, so I made the EdDSA >> parameters an algorithm parameter rather than implied from the OID. >> >> https://tools.ietf.org/html/draft-josefsson-pkix-eddsa-01 >> >> An (already outdated) example of an EdDSA X.509 certificate and EdDSA >> public-key is also included, so you can throw it at your ASN.1 parsers. >> >> /Simon >> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org >> https://www.ietf.org/mailman/listinfo/pkix >> >>
- [pkix] Strawman on EdDSA/Ed25519 for PKIX Certifi… Simon Josefsson
- Re: [pkix] Strawman on EdDSA/Ed25519 for PKIX Cer… Simon Josefsson
- Re: [pkix] Strawman on EdDSA/Ed25519 for PKIX Cer… Erwann Abalea
- Re: [pkix] Strawman on EdDSA/Ed25519 for PKIX Cer… Simon Josefsson