Re: [sidr] [Sidrops] rsaEncryption vs sha256WithRSAEncryption in RPKI certificates

Russ Housley <housley@vigilsec.com> Sat, 29 June 2019 07:03 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 636F71200E6 for <sidr@ietfa.amsl.com>; Sat, 29 Jun 2019 00:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SUBJ_BRKN_WORDNUMS=0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UGLek7YcBH-M for <sidr@ietfa.amsl.com>; Sat, 29 Jun 2019 00:03:40 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04B2512002F for <sidr@ietf.org>; Sat, 29 Jun 2019 00:03:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 6C543300AE8 for <sidr@ietf.org>; Sat, 29 Jun 2019 02:44:21 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id qmfGAKh7tNDD for <sidr@ietf.org>; Sat, 29 Jun 2019 02:44:18 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id 199783009FF; Sat, 29 Jun 2019 02:44:18 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <5C033DD8-EE26-4413-875C-426FFC7E8A4C@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5F1C60AE-FE80-4FFB-A74C-A1EB384F5097"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 29 Jun 2019 03:03:34 -0400
In-Reply-To: <CAMMESsxYwV48N9pa0vuFP01DTJxx67zt4PFSr7OxPZHsj+83xQ@mail.gmail.com>
Cc: Alberto Leiva <ydahhrk@gmail.com>, SIDR Operations WG <sidrops@ietf.org>, IETF SIDR <sidr@ietf.org>
To: Alvaro Retana <aretana.ietf@gmail.com>
References: <CAA0dE=VOCvxb_0-pEB8CO=JZ9FShVf=pQ43pCmAeYCf9LRTTcw@mail.gmail.com> <ACD43E1A-5BBC-4710-A3D4-72EA7E1BC79F@vigilsec.com> <CAA0dE=Wzdrr3kQiM98yehFHKeAafPgoRWQXdg1HoO0Ey0caLLQ@mail.gmail.com> <CAMMESsxYwV48N9pa0vuFP01DTJxx67zt4PFSr7OxPZHsj+83xQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/OoZXBE30GGXYcRJNOkIV7Nnqums>
Subject: Re: [sidr] [Sidrops] rsaEncryption vs sha256WithRSAEncryption in RPKI certificates
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 07:03:43 -0000

Alvaro:

I think that RFC 8208 is talking about the keys used to sign BGPsec, where elliptic curve is used because the size a huge consideration.

Russ


> On Jun 28, 2019, at 5:36 PM, Alvaro Retana <aretana.ietf@gmail.com>; wrote:
> 
> [Adding sidrops.]
> 
> Hi!
> 
> I was just looking at this report…
> https://www.rfc-editor.org/errata_search.php?rfc=7935 <https://www.rfc-editor.org/errata_search.php?rfc=7935> 
> 
> The report says: "All existing RPKI readers and writers that I've seen, as well as the global RPKI repository certificates themselves, currently use rsaEncryption as the public key algorithm of subjectPublicKeyInfo. Therefore, this change should also reflect existing practice.”
> 
> It turns out that rfc8208, and then rfc8608 Updated rfc7935…the resulting text is:
> 
>    o  algorithm (an AlgorithmIdentifier type): The id-ecPublicKey OID
>       MUST be used in the algorithm field, as specified in Section 2.1.1
>       of [RFC5480].  The value for the associated parameters MUST be
>       secp256r1, as specified in Section 2.1.1.1 of [RFC5480].
> 
> 
> The erratum was filed in May of this year, and rfc8608 was published in June.
> 
> Does the report apply to rfc8608, or does the information there reflect existing practice?
> 
> Thanks!
> 
> Alvaro.
> 
> On May 23, 2019 at 2:17:17 PM, Alberto Leiva (ydahhrk@gmail.com <mailto:ydahhrk@gmail.com>) wrote:
> 
>> I see. Is this erratum-worthy? 
>> 
>> On Thu, May 23, 2019 at 11:23 AM Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote: 
>> > 
>> > 
>> > 
>> > > On May 22, 2019, at 6:18 PM, Alberto Leiva <ydahhrk@gmail.com <mailto:ydahhrk@gmail.com>> wrote: 
>> > > 
>> > > Hello 
>> > > 
>> > > Another question. 
>> > > 
>> > > RFC 7935 states the following: 
>> > > 
>> > > 3.1. Public Key Format 
>> > > 
>> > > (...) 
>> > > 
>> > > algorithm (which is an AlgorithmIdentifier type): 
>> > > The object identifier for RSA PKCS #1 v1.5 with SHA-256 MUST be 
>> > > used in the algorithm field, as specified in Section 5 of 
>> > > [RFC4055]. The value for the associated parameters from that 
>> > > clause MUST also be used for the parameters field. 
>> > > 
>> > > I've never seen a certificate that declares sha256WithRSAEncryption ({ 
>> > > pkcs-1 11 }) as its public key algorithm. Every certificate I've come 
>> > > across labels its algorithm as rsaEncryption ({ pkcs-1 1 }). 
>> > > 
>> > > (Certificates always define the signature algorithm as 
>> > > sha256WithRSAEncryption, but that's a different field.) 
>> > > 
>> > > Is everyone doing it wrong, or am I missing something? 
>> > > 
>> > > I'm aware that this is likely a triviality--rsaEncryption and 
>> > > sha256WithRSAEncryption probably mean the same in this context. 
>> > > There's also a thread in this list in which people seem to have 
>> > > experienced headaches over this topic. But the thread is talking about 
>> > > CMS signed objects (which I believe is different from certificates), 
>> > > and happened before 7935 was released, so it feels like the RFC should 
>> > > mandate something consistent with reality by now. 
>> > > 
>> > > Thanks for any pointers. 
>> > 
>> > You are right. 
>> > 
>> > In the subjectPublicKeyInfo, the algorithm identifier should be rsaEncryption, which is { 1, 2, 840, 113549, 1, 1, 1 }. This allow the public key to be used with PKCS#1 v1.5, RSASSA-PSS, and RSAES-OAEP. 
>> > 
>> > In the signature, the algorithm identifier should be sha256WithRSAEncryption, which is { 1, 2, 840, 113549, 1, 1, 11 }. This identifies PKCS#1 v1.5 with SHA-256 as the hash algorithm. 
>> > 
>> > Russ 
>> > 
>> > 
>> 
>> _______________________________________________ 
>> sidr mailing list 
>> sidr@ietf.org <mailto:sidr@ietf.org> 
>> https://www.ietf..org/mailman/listinfo/sidr <https://www.ietf.org/mailman/listinfo/sidr> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org <mailto:Sidrops@ietf.org>
> https://www.ietf.org/mailman/listinfo/sidrops <https://www.ietf.org/mailman/listinfo/sidrops>