Re: [saag] Public key parameters in the signature algorithm —that is the question
Martin Thomson <mt@lowentropy.net> Sun, 18 July 2021 23:02 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 796013A1385
for <saag@ietfa.amsl.com>; Sun, 18 Jul 2021 16:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001,
RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=lowentropy.net header.b=pkzPqNDn;
dkim=pass (2048-bit key)
header.d=messagingengine.com header.b=eR1uHtT4
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eY33MC5-Tp3G for <saag@ietfa.amsl.com>;
Sun, 18 Jul 2021 16:02:06 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com
[66.111.4.25])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 3CA893A1383
for <saag@ietf.org>; Sun, 18 Jul 2021 16:02:06 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
by mailout.nyi.internal (Postfix) with ESMTP id 73F2F5C0076
for <saag@ietf.org>; Sun, 18 Jul 2021 19:02:04 -0400 (EDT)
Received: from imap41 ([10.202.2.91])
by compute5.internal (MEProxy); Sun, 18 Jul 2021 19:02:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net;
h=mime-version:message-id:in-reply-to:references:date:from:to
:subject:content-type; s=fm2; bh=3j0Gzzo4HSMAlO76PSHAWtA2F0KChyB
3VXilLgsZUVk=; b=pkzPqNDnfRuADDpxi6OXWIh+m5JH7ncsbCoK419XsPOedXY
GE17sPEW+W4XQpc2nScn4dl/sOXUtajlk69mZiWJ6frXzgpmWtDlrlmAg+EuvYkw
kK7VBmOCOvQleI5uSvjOH+6RLBY1nmdDiI4RQ0CwRAX9KvBFYp8SNcbCTrNiu6VJ
ek1+G41uAejSXxPnRSb+Qmd+Bdgd0SZ0P4LoC3QxUgw9pyirgVRtmSBQssnJxNwu
MSBa/iwJD6qUGWJbegTwT1gVLUiH6ARRiJKaLLJ5lMzYZZW+WofzX6Tt9SO4rxb5
j/nSEqPjWYGi6QIMFxNOC4HKyX40jPabhL+OkvA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=content-type:date:from:in-reply-to
:message-id:mime-version:references:subject:to:x-me-proxy
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=3j0Gzz
o4HSMAlO76PSHAWtA2F0KChyB3VXilLgsZUVk=; b=eR1uHtT4D1YyjmXRrTKKuu
y7+gXDi/7fOvkC4GdPw5O0qbEcosJ5Y8QjbijW41a4ybAJzxBwYJIMu8j5LX044U
c4t5fhhFGZIo0TE/Mb861DNe3vd2Q+mVW0yt23RYaqfjTqAnF4ueqOciGjwU/HXk
eqFmab2uuKMtHC4Gz5ukxKjAWV/xLo1vnOxFADG5EM6T01S9iKrqG0a4tw59NcGP
SV9bBfiLRL6kMqWOvBDTf6q+qp/woV3sdGLhwknFFrBHgB7NdnEBZB0MWK7pyhvI
8PUbC73usOcd686BISmuRn8RswC08IP+3f+kiuROh1TF65VtyrKaF4Qyn1mPZceg
==
X-ME-Sender: <xms:67L0YDeqELR2Wh-PHFQfTWOFhu25OArcYawQ6YbCvzbMxRmEa8GO7w>
<xme:67L0YJP_r4j_AJFFMLzRSresujMz42t8xWXZ8eWSE0BstPzRZ1Plgadhsz6oTwHeT
3vNpf91Cu-5x61tMic>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrvdelgddufecutefuodetggdotefrodftvf
curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre
dtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif
vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepheefteduudduhedtkefhvd
fhteelffdujeegjeffheffveekudeigfeuveekfeelnecuvehluhhsthgvrhfuihiivgep
tdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:67L0YMg7cl_uWMknTbCzO-YrxW8UPGGmkTk8e2wY5QCfhUaHLaLBzg>
<xmx:67L0YE-QnBZ4LiBRZ3LLrnwDB4tsUJZetpXGvhZzZP2kbVu5cVJqbQ>
<xmx:67L0YPsvaBEYM-iDCWAuZJF3jP9HBwTct_Y4k0UzBMXE-G1zmLx1Iw>
<xmx:7LL0YN6EId9gJdC3IYMDXoVv3W_ccuzZSOh1hrbqj0Zsdy5JtQQn_Q>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
id CCFFE3C0E63; Sun, 18 Jul 2021 19:02:03 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-533-gf73e617b8a-fm-20210712.002-gf73e617b
Mime-Version: 1.0
Message-Id: <8f9afb9a-72a4-4478-a1a3-5071533c1384@www.fastmail.com>
In-Reply-To: <20210718222849.GA88594@kduck.mit.edu>
References: <HE1PR0701MB30506C4D58CF5F9CF476CAD689089@HE1PR0701MB3050.eurprd07.prod.outlook.com>
<20210718222849.GA88594@kduck.mit.edu>
Date: Mon, 19 Jul 2021 09:01:45 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: saag@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/_ITI34_xrFdus1BeqN8wWcw0vlc>
Subject: Re: [saag]
=?utf-8?q?Public_key_parameters_in_the_signature_algorith?=
=?utf-8?q?m_=E2=80=94that_is_the_question?=
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>,
<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
<mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2021 23:02:13 -0000
On Mon, Jul 19, 2021, at 08:28, Benjamin Kaduk wrote: > > - TLS 1.3 is inconsistent. ECDSA, EdDSA, sm2sig_sm3, and gost include the curve, but eccsi_sha256, iso_ibs1, iso_ibs2, and iso_chinese_ibs. RSA does not include the key length. > > We didn't ask the experts to enforce anything about parameters in > SignatureSchemes. Do you think we should? (The ongoing 8446bis would be > an okay place to add such guidance, I think.) So I do think that this is good guidance to give, but we'll need an exception for RSA. That is, a signature scheme should define a singular use of an algorithm that includes all parameters of that algorithm. This works for most of what has been defined in RFC 8446, except RSA. It could work for RSA, but RSA is sufficiently weird that attempting to define RSA 2048 and RSA 3072 and whatever other numbers as discrete schemes would not be backward compatible. Also deciding on which numbers to privilege seems like it would be difficult. Incidentally, RSA 2049 should not be a problem, but I can confirm that it is a real problem in some software (I'd have to go back and check which to be sure, I think it was OpenSSL, but it might have been NSS). As far as the non-recommended options go, informing registrants of this decision might lead them to either reject the advice or ask for a new codepoint, but I don't think it matters.
- [saag] Public key parameters in the signature alg… John Mattsson
- Re: [saag] Public key parameters in the signature… Benjamin Kaduk
- Re: [saag] Public key parameters in the signature… Martin Thomson