Re: [Sidrops] Signed Object signed with Ed25519 (RFC 8419 proof-of-concept)
Ties de Kock <tdekock@ripe.net> Mon, 04 September 2023 11:53 UTC
Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 024F3C14CF1D for <sidrops@ietfa.amsl.com>; Mon, 4 Sep 2023 04:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3YYK9drNlc7w for <sidrops@ietfa.amsl.com>; Mon, 4 Sep 2023 04:53:18 -0700 (PDT)
Received: from mail-mx-1.ripe.net (mail-mx-1.ripe.net [IPv6:2001:67c:2e8:11::c100:1311]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88CACC15198E for <sidrops@ietf.org>; Mon, 4 Sep 2023 04:53:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Cc:Date:Subject:Mime-Version:Content-Type:Message-Id:From ; bh=CjN3mloHfgrEMyWwgz0B0hgLAr7NxzqL/gSqKrkLnRA=; b=Cz2XGoV6Z1vNPu+qvxfn8L53 C+KafmFWklsXAvj/gY96NGRj6b+wy18AHwCbodrtPf7riSxYe+jPUREPvW2PGVFC/M9ud9rReAkWO OLJQjQaAeH/ls1ODi0e25HZxR1UK9q9HFvP0JBfd2sz9dqfU30PUPH8qFVBYsu+SCY7HW1M8u5Kt9 eCr6Vhh/WDqgRbp8Gpy9TjZt7s4/sDzJTQz1og5mkT8+ZIIBsH3wmuTSD7Gwycg0BtJe8r94bFjeR +uv8SkVgQqhMw4qOjeAZdjE5CdpP6OEdrNWach6ubNzbpjN3+hS9gOt80/9LscJfBOm47VfbPD5NX CXXuhOPnwA==;
Received: from allealle.ripe.net ([2001:67c:2e8:23::c100:170c]:49548) by mail-mx-1.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1qd88q-006Zgf-07; Mon, 04 Sep 2023 11:53:16 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1qd88p-00047M-37; Mon, 04 Sep 2023 11:53:15 +0000
From: Ties de Kock <tdekock@ripe.net>
Message-Id: <06637C36-EBBA-41BE-9117-F6BF3D2F5D6F@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2AC30AD8-64F2-4BEA-9AF0-1AFEAF74C1CD"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Mon, 04 Sep 2023 13:53:05 +0200
In-Reply-To: <EFF76E2D-9D00-42A6-8491-0C26A2DB0806@ripe.net>
Cc: sidrops@ietf.org
To: Job Snijders <job@fastly.com>
References: <ZPS/VK+6Q8a4dHgA@snel> <C61DCBC1-E2E5-4A70-A980-687BAFEDCD8B@ripe.net> <ZPW+682GaAFXymLo@snel> <EFF76E2D-9D00-42A6-8491-0C26A2DB0806@ripe.net>
X-Mailer: Apple Mail (2.3731.700.6)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e115ff035a2ac5c9c94984b3a17512bcff
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ZAHW9E3ZTEEADucOvOazeeiKdzY>
Subject: Re: [Sidrops] Signed Object signed with Ed25519 (RFC 8419 proof-of-concept)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2023 11:53:23 -0000
> On 4 Sep 2023, at 13:51, Ties de Kock <tdekock@ripe.net> wrote: > > Hi Job, > >> On 4 Sep 2023, at 13:26, Job Snijders <job@fastly.com <mailto:job@fastly.com>> wrote: >> >> On Mon, Sep 04, 2023 at 12:18:59PM +0200, Ties de Kock wrote: >>> I proposed using ECDSA-signed objects due to the ecosystem maturity >>> and provided test objects in private [0]. >> >> Which RFC specifies the parameters to use with ECDSA in CMS? I'm looking >> for something along the lines of RFC 8419. > > https://datatracker.ietf.org/doc/html/rfc7427#appendix-A.3.2 I should have read a bit more there: I used the OIDs from https://datatracker.ietf.org/doc/html/rfc5758#section-3.2 in my test objects. > > >> I generated a secp256k1/sha256 ASPA object, but unfortunately the >> filesize reduction in semantically equivalent objects is only half that >> of Ed25519. See below: >> >> RSA EE w/ RSA CA: 1701 bytes [1] >> secp256k1 w/ sha256 w/ RSA CA: 1463 bytes (attached) >> Ed25519 EE w/ RSA CA: 1281 bytes [2] >> >> Over the years ECDSA seems to be facing increasing criticism, >> specifically due to the difficulty of correctly and safely implementing >> the standard. As many consider this aspect of ECDSA a dangerous >> primitive, ECDSA would not be my go-to choice for future work. > > It would not be my first choice in an ideal world. But at the moment I think it > is a valid choice. We should probably ask the CFRG for advice here. > > In the end, you need to trust your implementation, and I think that high-quality > implementations are available. Ultimately, you trust your RSA implementation to > generate unpredictable primes, ECDSA to use unique NONCEs, and ed25519 > implementations not to leak bits of the sha512 of the private key. > > That is to say: All crypto has caveats, and as a software engineer I stay away > from implementing low-level primitves :) > >> I'm happy to report that extending LibreSSL and OpenSSL to support use >> of Ed25519 in CMS is a trivial patch (as both libraries already >> supported Ed25519 signing & verification operations). >> >> Support for Ed25519 in HSMs indeed remains an open question. Perhaps now >> that the algorithm is FIPS-approved more HSM vendors will feel >> comfortable adding it to their roadmaps? Thank you for sharing that >> Bouncy Castle still needs some work, it's good to identify such gaps. > > I was surprised that it was available (but this is a very recent HSM)! It is > definitely good to identify the gaps. > > Kind regards, > Ties > >> Kind regards, >> >> Job >> >> [1]: https://console.rpki-client.org/chloe.sobornost.net/rpki/RIPE-nljobsnijders/5m80fwYws_3FiFD7JiQjAqZ1RYQ.asa.html >> [2]: https://mailarchive.ietf.org/arch/msg/sidrops/CG2BWxOa6Ly8F0huOULIBd4hGEc/ >> >> ps. Your test object threw errors: 'RSYNC://' != 'Rsync://' in the SIA. >> <secp256k1.asa> > > Seems like this was a conscious change in our test code in 2020. Isn’t the > scheme case-insensitive?
- [Sidrops] Signed Object signed with Ed25519 (RFC … Job Snijders
- Re: [Sidrops] Signed Object signed with Ed25519 (… Ties de Kock
- Re: [Sidrops] Signed Object signed with Ed25519 (… Job Snijders
- Re: [Sidrops] Signed Object signed with Ed25519 (… Ties de Kock
- Re: [Sidrops] Signed Object signed with Ed25519 (… Job Snijders
- Re: [Sidrops] Signed Object signed with Ed25519 (… Ties de Kock
- Re: [Sidrops] Signed Object signed with Ed25519 (… Job Snijders
- Re: [Sidrops] Signed Object signed with Ed25519 (… Russ Housley
- Re: [Sidrops] Signed Object signed with Ed25519 (… Job Snijders
- Re: [Sidrops] Signed Object signed with Ed25519 (… Job Snijders
- Re: [Sidrops] Signed Object signed with Ed25519 (… Russ Housley