Re: [lamps] draft-ietf-lamps-cms-shakes

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Thu, 12 September 2019 14:40 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>
CC: LAMPS WG <spasm@ietf.org>
Date: Thu, 12 Sep 2019 14:39:58 +0000
Message-ID: <BN7PR11MB2547496222E6A9C85658A2BEC9B00@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <6FA94952-63C4-42A3-A85F-AAB0A8145F68@vigilsec.com> <BN7PR11MB2547BEF4B27B52ECBF64525EC9B00@BN7PR11MB2547.namprd11.prod.outlook.com> <00bb01d56926$296d4b80$7c47e280$@augustcellars.com> <0C2B305A-27DC-45A8-97B9-C51F61BCB2EB@vigilsec.com>
In-Reply-To: <0C2B305A-27DC-45A8-97B9-C51F61BCB2EB@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/GYAI8fROxtuvKDLFkofEteZtIj0>

ACK, thanks. 
I will spin up a new iteration early next week. 


-----Original Message-----
From: Russ Housley <housley@vigilsec.com> 
Sent: Thursday, September 12, 2019 7:25 AM
To: Jim Schaad <ietf@augustcellars.com>; Panos Kampanakis (pkampana) <pkampana@cisco.com>
Cc: LAMPS WG <spasm@ietf.org>
Subject: Re: [lamps] draft-ietf-lamps-cms-shakes

Since pkix-shake is going through the process first, it would be easy to add an IMPORT for the four sa-* values.

Russ


> On Sep 12, 2019, at 12:54 AM, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> Redefining is something that is not good.  You only want to have a 
> single definition if at all possible.
> 
> Importing something that is not referenced is a bit odd, but does not 
> hurt anything.  Pointing to where something is defined would be 
> sufficient as far as I am concerned.
> 
> -- sa-rsassapssWithSHAKE  - this is defined in RFCXXXX
> 
> Jim
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Panos Kampanakis
> (pkampana)
> Sent: Wednesday, September 11, 2019 9:22 PM
> To: Russ Housley <housley@vigilsec.com>; LAMPS WG <spasm@ietf.org>
> Subject: Re: [lamps] draft-ietf-lamps-cms-shakes
> 
> Hi Russ,
> 
> Hmm, do we need it? 
> 
> CMS imports AlgorithmIdentifier from PKIX which we updated in the PKIX 
> SHAKEs draft. And then CMS uses these algorithm identifiers in the 
> SignedData SignerInfo signatureAlgorithm field.
> 
> https://tools.ietf.org/html/rfc5753#appendix-A.2 does import 
> sa-ecdsawithXXX as you are suggesting, but I am not sure it needed to. 
> I mean we could import the new sa-ecdsawithshake and 
> sa-rsassapssWithSHAKE and put them in SignatureAlgs to make it easier, 
> but it would be commented out like
> https://tools.ietf.org/html/rfc5753#appendix-A.2 does because it 
> already exists in the PKIX SHAKEs ASN.1
> 
> Rgs,
> Panos
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, September 11, 2019 3:06 PM
> To: LAMPS WG <spasm@ietf.org>
> Subject: [lamps] draft-ietf-lamps-cms-shakes
> 
> I was just working on an implementation, and I discovered an omission 
> in the ASN.1 for draft-ietf-lamps-cms-shakes.
> 
> The ASN.1 module for draft-ietf-lamps-pkix-shake includes:
> 
>    -- RSASSA-PSS with SHAKE128
>    sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= {
>      IDENTIFIER id-RSASSA-PSS-SHAKE128
>      PARAMS ARE absent
>          -- The hashAlgorithm is mda-shake128
>          -- The maskGenAlgorithm is id-shake128
>          -- Mask Gen Algorithm is SHAKE128 with output length
>          -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA
>          -- modulus in bits.
>          -- The saltLength is 32. The trailerField is 1
>      HASHES { mda-shake128 }
>      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 }
>      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 }
>    }
>    id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1)
>            identified-organization(3) dod(6) internet(1)
>            security(5) mechanisms(5) pkix(7) algorithms(6)
>            TBD1 }
> 
>    -- RSASSA-PSS with SHAKE256
>    sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= {
>      IDENTIFIER id-RSASSA-PSS-SHAKE256
>      PARAMS ARE absent
>          -- The hashAlgorithm is mda-shake256
>          -- The maskGenAlgorithm is id-shake256
>          -- Mask Gen Algorithm is SHAKE256 with output length
>          -- (8*ceil((n-1)/8) - 520)-bits, where n is the
>          -- RSA modulus in bits.
>          -- The saltLength is 64. The trailerField is 1.
>      HASHES { mda-shake256 }
>      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 }
>      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 }
>    }
>    id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1)
>            identified-organization(3) dod(6) internet(1)
>            security(5) mechanisms(5) pkix(7) algorithms(6)
>            TBD2 }
> 
>    -- ECDSA with SHAKE128
>    sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= {
>      IDENTIFIER id-ecdsa-with-shake128
>      VALUE ECDSA-Sig-Value
>      PARAMS ARE absent
>      HASHES { mda-shake128 }
>      PUBLIC-KEYS { pk-ec }
>      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 }
>    }
>    id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1)
>            identified-organization(3) dod(6) internet(1)
>            security(5) mechanisms(5) pkix(7) algorithms(6)
>            TBD3 }
> 
>    -- ECDSA with SHAKE256
>    sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= {
>      IDENTIFIER id-ecdsa-with-shake256
>      VALUE ECDSA-Sig-Value
>      PARAMS ARE absent
>      HASHES { mda-shake256 }
>      PUBLIC-KEYS { pk-ec }
>      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 }
>    }
>    id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1)
>            identified-organization(3) dod(6) internet(1)
>            security(5) mechanisms(5) pkix(7) algorithms(6)
>            TBD4 }
> 
> I think that the draft-ietf-lamps-cms-shakes ASN.1 module should 
> repeat this information in exactly the same format or it should IMPORT 
> these definitions.
> 
> Russ
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
> 
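The ASN.1 comments quoted above fix the RSASSA-PSS parameters for the SHAKE variants (the hash and the MGF are the same SHAKE, the MGF output length is 8*ceil((n-1)/8) - 264 or - 520 bits, saltLength 32 or 64, trailerField 1). The following is an added example, not code from either draft or from anyone on this thread: it implements the EMSA-PSS encode and verify steps of RFC 8017 section 9.1 with hashlib's SHAKE, so the "- 264" and "- 520" constants can be seen to be 8*(hLen+1) with hLen = 32 and 64 bytes. It assumes a 256-bit SHAKE128 output and a 512-bit SHAKE256 output for the message hash (which is what those constants imply), and leaves out the RSA exponentiation so it runs without a key; modBits is passed in directly.

```python
"""
EMSA-PSS encode/verify (RFC 8017 9.1) parameterised as in the SHAKE
signature-algorithm comments of the pkix-shake ASN.1 module:
  hash = SHAKE (256-bit output for SHAKE128, 512-bit for SHAKE256),
  MGF  = the same SHAKE with output length 8*emLen - 264 / - 520 bits,
  saltLength = 32 / 64, trailerField = 1 (0xbc).
Illustrative code only; the RSA step (m = EM^d mod n) is omitted.
"""
import hashlib
import os

# (hash output bytes, salt bytes) per variant; values derived from the
# ASN.1 comments (264 = 8*(32+1), 520 = 8*(64+1), saltLength 32 / 64).
PARAMS = {
    "shake128": (32, 32),
    "shake256": (64, 64),
}


def shake(variant, data, out_len):
    """SHAKE XOF with a caller-chosen output length (serves as H and as MGF)."""
    xof = hashlib.shake_128() if variant == "shake128" else hashlib.shake_256()
    xof.update(data)
    return xof.digest(out_len)


def mgf_output_bits(variant, mod_bits):
    """MGF output length in bits for an RSA modulus of mod_bits bits.
    Equals 8*ceil((n-1)/8) - 264 (SHAKE128) or - 520 (SHAKE256)."""
    h_len = PARAMS[variant][0]
    em_len = (mod_bits - 1 + 7) // 8          # ceil((n-1)/8)
    return 8 * em_len - 8 * (h_len + 1)       # mask is emLen - hLen - 1 octets


def emsa_pss_encode(variant, message, mod_bits, salt=None):
    """EMSA-PSS-ENCODE with emBits = modBits - 1; returns the EM octets."""
    h_len, s_len = PARAMS[variant]
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    m_hash = shake(variant, message, h_len)
    if salt is None:
        salt = os.urandom(s_len)              # fixed salt only for tests
    assert len(salt) == s_len
    m_prime = b"\x00" * 8 + m_hash + salt
    h = shake(variant, m_prime, h_len)
    ps = b"\x00" * (em_len - s_len - h_len - 2)
    db = ps + b"\x01" + salt
    db_mask = shake(variant, h, em_len - h_len - 1)   # MGF = SHAKE
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))
    # clear the leftmost 8*emLen - emBits bits of the first octet
    unused = 8 * em_len - em_bits
    masked_db = bytes([masked_db[0] & (0xFF >> unused)]) + masked_db[1:]
    return masked_db + h + b"\xbc"            # trailerField 1 -> 0xbc


def emsa_pss_verify(variant, message, em, mod_bits):
    """EMSA-PSS-VERIFY; True iff em is a consistent encoding of message."""
    h_len, s_len = PARAMS[variant]
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    unused = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - unused)) & 0xFF):
        return False                          # reserved top bits must be zero
    db_mask = shake(variant, h, em_len - h_len - 1)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> unused
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                          # PS must be all zero, then 0x01
    salt = bytes(db[-s_len:])
    m_hash = shake(variant, message, h_len)
    h_prime = shake(variant, b"\x00" * 8 + m_hash + salt, h_len)
    return h == h_prime                       # public data; no timing concern


if __name__ == "__main__":
    for v in ("shake128", "shake256"):
        em = emsa_pss_encode(v, b"constructed sample message", 2048)
        print(v, mgf_output_bits(v, 2048), "bits of mask,",
              emsa_pss_verify(v, b"constructed sample message", em, 2048))
```

Note that a 1024-bit modulus is too small for the SHAKE256 variant (emLen 128 < 64 + 64 + 2), so emsa_pss_encode refuses it; that is the same "encoding error" condition RFC 8017 specifies, and an implementation of sa-rsassapssWithSHAKE256 should reject such keys rather than silently shortening the salt.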