IETF Logo Mail Archive

Re: [lamps] [CMP Updates] Hash algorithm to us for calculating certHash

Russ Housley <housley@vigilsec.com> Tue, 15 June 2021 15:14 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2A93A337C for <spasm@ietfa.amsl.com>; Tue, 15 Jun 2021 08:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R41okowzXTOE for <spasm@ietfa.amsl.com>; Tue, 15 Jun 2021 08:14:16 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8EDE3A337E for <spasm@ietf.org>; Tue, 15 Jun 2021 08:14:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id C3DA9300BEF for <spasm@ietf.org>; Tue, 15 Jun 2021 11:14:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id e4GD6yAnRWS6 for <spasm@ietf.org>; Tue, 15 Jun 2021 11:14:07 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 5CEF2300B8A; Tue, 15 Jun 2021 11:14:06 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <DB57BE98-990A-4455-8153-6081A1193400@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D2FA8EF2-9D3C-4F7E-BCF0-A367607EB61A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Tue, 15 Jun 2021 11:14:06 -0400
In-Reply-To: <ed01a7e0-cad7-55da-9ca8-c41657033cbc@von-Oheimb.de>
Cc: Lijun Liao <lijun.liao@gmail.com>, LAMPS WG <spasm@ietf.org>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
To: David von Oheimb <nl0@von-Oheimb.de>
References: <AM0PR10MB24188C86D787842B2C7D9DD6FE379@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <783FEFC2-CE5C-430C-8243-F4B80290C80A@vigilsec.com> <AM0PR10MB2418EB88CECDE3315B7388B1FE369@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB24180B8830DE52C665D631D9FE349@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <ed01a7e0-cad7-55da-9ca8-c41657033cbc@von-Oheimb.de>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JdSXrzguQFpMT7BKyyVdflm_tU0>
Subject: Re: [lamps] [CMP Updates] Hash algorithm to us for calculating certHash
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 15:14:22 -0000

David:

I think this means that any new signature mechanisms need to say what the default hash for use with CMP will be.

Russ


> On Jun 15, 2021, at 6:00 AM, David von Oheimb <nl0@von-Oheimb.de> wrote:
> 
> Russ, Lijun, et al.,
> 
> we have not yet heard back on our latest proposal how to determine the hash alg to use for the certHash field in CMP certConf messages.
> Would be good to finalize this topic by the end of this week in order to bring it into the next version of the CMP-related drafts.
> 
> To summarize, our proposal is to add a hashAlg field to the CertStatus structure as follows, which is binary backward compatible:
> 
>    CertStatus ::= SEQUENCE {
>       hashAlg [0] AlgorithmIdentifier OPTIONAL,
>       certHash    OCTET STRING,
>       certReqId   INTEGER,
>       statusInfo  PKIStatusInfo OPTIONAL
>    }
> In case the signature alg identifier of the cert explicitly contains a hash alg (which so far always was the case until EdDSA came up),
> then use that hash alg and the optional hashAlg field MUST be omitted, which means the certConf message can keep version CMPv2.
> Otherwise, the hashAlg field MUST be used to specify the hash alg used and the version of the certConf message is CMPv3.
> (In addition, we gonna specify in the CMP- Algorithms draft that  SHA-512 SHALL be used for Ed25519 and SHAKE256 for Ed448, 
> like done for CMS in RFC8419).
> 
> Does this sound fine?
> 
>     David
> 
> On 11.06.21 15:21, Brockhaus, Hendrik wrote:
>> If there is any further feedback to this from the WG, please let me know.
>> If not, I would include the section into the draft and submit an updated version.
>> 
>> Hendrik
>> 
>>> Von: Spasm <spasm-bounces@ietf.org> <mailto:spasm-bounces@ietf.org> Im Auftrag von Brockhaus, Hendrik
>>> 
>>> Russ
>>> 
>>> Thank you for this suggestion. In the meantime, David tested the backward
>>> compatibility of this approach. It works fine.
>>> 
>>>> Von: Russ Housley <housley@vigilsec.com> <mailto:housley@vigilsec.com>
>>>> 
>>>> The 3rd choice seems to be the most future proof.  You can add something
>>> like:
>>>> CertStatus ::= SEQUENCE {
>>>>    hashFunc [0] AlgorithmIdentifier DEFAULT sha256Identifier,
>>>>    ...
>>> This was the solution David and I discussed as well. But we called the field
>>> hashAlg, like in OOBCertHash.
>>> We feel the DEFAULT is in conflict with the CMP V2, that determines the hash
>>> algorithm from the signatureAlgorithm field of the certificate to be confirmed.
>>> We also tried to prevent to specify fixed algorithms in CMP to be crypto agile
>>> and prevent future updates. Therefore, we propose not to use the DEFAULT.
>>> @Liao, using this approach, you would need to specify SHA-512 for certificate
>>> signed with Ed25519 and SHAKE256 for Ed448. I would add a note on this to
>>> CMP Algorithms.
>>> 
>>>> That said, this would introduce another place where the CMP protocol
>>>> version comes into play with the ASN.1 parsing.
>>> You are absolutely right.
>>> 
>>> 
>>> To introduce the hashAlg field, we propose to add the following section to CMP
>>> Updates:
>>> 
>>> ---------------------------snip---------------------------
>>> 2.10.  Update Section 5.3.18. - Certificate Confirmation Content
>>> 
>>> This section introduces an optional hashAlg field to the CertStatus type used in
>>> certConf messages to explicitly specify the hash algorithm for those certificates
>>> where no hash algorithm is specified in the signatureAlgorithm field.
>>> 
>>> Replace the ASN.1 Syntax of CertStatus with the following text:
>>> 
>>>    CertStatus ::= SEQUENCE {
>>>       hashAlg [0] AlgorithmIdentifier OPTIONAL,
>>>       certHash    OCTET STRING,
>>>       certReqId   INTEGER,
>>>       statusInfo  PKIStatusInfo OPTIONAL
>>>    }
>>> 
>>> The hashAlg field SHOULD be used only in exceptional cases where the
>>> signatureAlgorithm of the certificate to be confirmed does not specify a hash
>>> algorithm, neither in the OID nor in the parameters. In such cases, e.g., for
>>> EdDSA, the hashAlg MUST be used to specify the hash algorithm to be used for
>>> calculating the certHash value. Otherwise, the certHash value SHALL be
>>> computed using the same hash algorithm as used to create and verify the
>>> certificate signature. If hashAlg is used, the CMP version indicated by the
>>> certConf message header must be cmp2021(3).
>>> ---------------------------snip---------------------------
>>> 
>>> Any comments and feedback on this proposal from the WG is welcome!
>>> 
>>> Hendrik
>>> 
>>> _______________________________________________
>>> Spasm mailing list
>>> Spasm@ietf.org <mailto:Spasm@ietf.org>
>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf>
>>> .org%2Fmailman%2Flistinfo%2Fspasm&amp;data=04%7C01%7Chendrik.brockha
>>> us%40siemens.com%7C8a0703abedbe44504c8d08d92b5fec60%7C38ae3bcd957
>>> 94fd4addab42e1495d55a%7C1%7C0%7C637588513262560559%7CUnknown%7
>>> CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ
>>> XVCI6Mn0%3D%7C1000&amp;sdata=PTvMzW780CJ3gNrZVhPiRZX%2BwzA7LXIo
>>> LQcLQkgJk%2Bk%3D&amp;reserved=0
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org <mailto:Spasm@ietf.org>
>> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>
>>

v2.23.0 | Report a Bug | By Email