[sidr] RFC 6485 is inconsistent with base CMS specifications
Rob Austein <sra@hactrn.net> Mon, 25 June 2012 15:30 UTC
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2FC211E808F for <sidr@ietfa.amsl.com>; Mon, 25 Jun 2012 08:30:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XGOy99cfe4zT for <sidr@ietfa.amsl.com>; Mon, 25 Jun 2012 08:30:03 -0700 (PDT)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [66.92.66.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1FAD211E808C for <sidr@ietf.org>; Mon, 25 Jun 2012 08:30:03 -0700 (PDT)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [10.0.1.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 8663928465 for <sidr@ietf.org>; Mon, 25 Jun 2012 15:29:59 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 0642D17415 for <sidr@ietf.org>; Mon, 25 Jun 2012 11:29:59 -0400 (EDT)
Date: Mon, 25 Jun 2012 11:29:58 -0400
From: Rob Austein <sra@hactrn.net>
To: sidr@ietf.org
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/23.4 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20120625152959.0642D17415@thrintun.hactrn.net>
Subject: [sidr] RFC 6485 is inconsistent with base CMS specifications
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jun 2012 15:30:04 -0000
Section 2 of RFC 6485 says that the OID in the CMS signatureAlgorithm field MUST be sha256WithRSAEncryption. This turns out not to be consistent either with the base CMS specifications or, more importantly, with the running code in the existing RPKI implementations. For those not familiar with the details of CMS: the SignerInfo structure includes separate fields indicating the digest and signature algorithms (digestAlgorithm and signatureAlgorithm, respectively). RFC 2630 12.2.2 specified that the signatureAlgorithm should be rsaEncryption when using RSA. RFC 3370 3.2 added the option of using OIDs like sha256WithRSAEncryption which indicate both digest and signature algorithm in a single OID, but maintained the requirement that CMS implementations which include RSA MUST support the rsaEncryption value of signatureAlgorithm. RFCs 4055 and 5754 define OIDs for SHA-2 (including SHA-256) and specify how to use them in CMS, but do not relax the MUST requirement for rsaEncryption. Furthermore, RFC 5754 3.2 explicitly refers back to RFC 3370 3.2. So the requirement to support rsaEncryption is consistent throughout the CMS specifications. Given this history, it should not be a surprise that existing CMS implementations such as OpenSSL and BouncyCastle just use rsaEncryption; it's the only mandatory-to-implement value for this field when using RSA, thus is the obvious choice for a signer whose author wants to maximize the chance that relying parties will be able to verify the message. Unfortunately, RFC 6485 says that only sha256WithRSAEncryption is allowed, so any CMS signer which takes the conservative approach suggested above will be in violation of RFC 6485. It turns out that all of the current RPKI CA engines of which I am aware (APNIC's, RIPE's, and mine) use CMS engines which do the conservative thing, thus are in violation of this portion of RFC 6485. I do not believe that this is what the SIDR WG intended, but that, of course, is for the WG chairs to determine. Given both the history of the base CMS specifications and the current text in RFC 6485, the correct fix for this appears to be to say that RPKI implementations MUST support rsaEncryption for the signatureAlgorithm field and MAY support sha256WithRSAEncryption. If we're seriously worried about compatibility with implementations which only support sha256WithRSAEncryption per RFC 6485, we could require support for both, but as far as I know, no such implementations exist, so it would be cleaner just to re-align the RPKI specifications with the base CMS specification and have done. Note that this is not a blanket change to all uses of sha256WithRSAEncryption in RFC 6485, it's only a change to the signatureAlgorithm field in the CMS SignerInfo. I will leave it for the WG to decide whether this change should take the form of an updated RFC or an erratum, I don't much care. Thanks to Andrew Chi, David Mandelberg, and Russ Housley for their help in finding and understanding this problem. Any errors here are my fault, not theirs.
- [sidr] RFC 6485 is inconsistent with base CMS spe… Rob Austein
- Re: [sidr] RFC 6485 is inconsistent with base CMS… Matt Lepinski