[sidr] RFC 6485 is inconsistent with base CMS specifications

Rob Austein <sra@hactrn.net> Mon, 25 June 2012 15:30 UTC

Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2FC211E808F for <sidr@ietfa.amsl.com>; Mon, 25 Jun 2012 08:30:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XGOy99cfe4zT for <sidr@ietfa.amsl.com>; Mon, 25 Jun 2012 08:30:03 -0700 (PDT)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [66.92.66.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1FAD211E808C for <sidr@ietf.org>; Mon, 25 Jun 2012 08:30:03 -0700 (PDT)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [10.0.1.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 8663928465 for <sidr@ietf.org>; Mon, 25 Jun 2012 15:29:59 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 0642D17415 for <sidr@ietf.org>; Mon, 25 Jun 2012 11:29:59 -0400 (EDT)
Date: Mon, 25 Jun 2012 11:29:58 -0400
From: Rob Austein <sra@hactrn.net>
To: sidr@ietf.org
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/23.4 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20120625152959.0642D17415@thrintun.hactrn.net>
Subject: [sidr] RFC 6485 is inconsistent with base CMS specifications
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jun 2012 15:30:04 -0000

Section 2 of RFC 6485 says that the OID in the CMS signatureAlgorithm
field MUST be sha256WithRSAEncryption.  This turns out not to be
consistent either with the base CMS specifications or, more
importantly, with the running code in the existing RPKI
implementations.

For those not familiar with the details of CMS: the SignerInfo
structure includes separate fields indicating the digest and signature
algorithms (digestAlgorithm and signatureAlgorithm, respectively).
RFC 2630 12.2.2 specified that the signatureAlgorithm should be
rsaEncryption when using RSA.

RFC 3370 3.2 added the option of using OIDs like
sha256WithRSAEncryption which indicate both digest and signature
algorithm in a single OID, but maintained the requirement that CMS
implementations which include RSA MUST support the rsaEncryption value
of signatureAlgorithm.  RFCs 4055 and 5754 define OIDs for SHA-2
(including SHA-256) and specify how to use them in CMS, but do not
relax the MUST requirement for rsaEncryption.  Furthermore, RFC 5754
3.2 explicitly refers back to RFC 3370 3.2.

So the requirement to support rsaEncryption is consistent throughout
the CMS specifications.  Given this history, it should not be a
surprise that existing CMS implementations such as OpenSSL and
BouncyCastle just use rsaEncryption; it's the only
mandatory-to-implement value for this field when using RSA, thus is
the obvious choice for a signer whose author wants to maximize the
chance that relying parties will be able to verify the message.

Unfortunately, RFC 6485 says that only sha256WithRSAEncryption is
allowed, so any CMS signer which takes the conservative approach
suggested above will be in violation of RFC 6485.  It turns out that
all of the current RPKI CA engines of which I am aware (APNIC's,
RIPE's, and mine) use CMS engines which do the conservative thing,
thus are in violation of this portion of RFC 6485.  I do not believe
that this is what the SIDR WG intended, but that, of course, is for
the WG chairs to determine.

Given both the history of the base CMS specifications and the current
text in RFC 6485, the correct fix for this appears to be to say that
RPKI implementations MUST support rsaEncryption for the
signatureAlgorithm field and MAY support sha256WithRSAEncryption.

If we're seriously worried about compatibility with implementations
which only support sha256WithRSAEncryption per RFC 6485, we could
require support for both, but as far as I know, no such
implementations exist, so it would be cleaner just to re-align the
RPKI specifications with the base CMS specification and have done.

Note that this is not a blanket change to all uses of
sha256WithRSAEncryption in RFC 6485, it's only a change to the
signatureAlgorithm field in the CMS SignerInfo.

I will leave it for the WG to decide whether this change should take
the form of an updated RFC or an erratum, I don't much care.

Thanks to Andrew Chi, David Mandelberg, and Russ Housley for their
help in finding and understanding this problem.  Any errors here are
my fault, not theirs.