Re: [lamps] [CMP Updates] Hash algorithm to us for calculating certHash
Russ Housley <housley@vigilsec.com> Tue, 15 June 2021 15:14 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2A93A337C for <spasm@ietfa.amsl.com>; Tue, 15 Jun 2021 08:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R41okowzXTOE for <spasm@ietfa.amsl.com>; Tue, 15 Jun 2021 08:14:16 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8EDE3A337E for <spasm@ietf.org>; Tue, 15 Jun 2021 08:14:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id C3DA9300BEF for <spasm@ietf.org>; Tue, 15 Jun 2021 11:14:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id e4GD6yAnRWS6 for <spasm@ietf.org>; Tue, 15 Jun 2021 11:14:07 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 5CEF2300B8A; Tue, 15 Jun 2021 11:14:06 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <DB57BE98-990A-4455-8153-6081A1193400@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D2FA8EF2-9D3C-4F7E-BCF0-A367607EB61A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Tue, 15 Jun 2021 11:14:06 -0400
In-Reply-To: <ed01a7e0-cad7-55da-9ca8-c41657033cbc@von-Oheimb.de>
Cc: Lijun Liao <lijun.liao@gmail.com>, LAMPS WG <spasm@ietf.org>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
To: David von Oheimb <nl0@von-Oheimb.de>
References: <AM0PR10MB24188C86D787842B2C7D9DD6FE379@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <783FEFC2-CE5C-430C-8243-F4B80290C80A@vigilsec.com> <AM0PR10MB2418EB88CECDE3315B7388B1FE369@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB24180B8830DE52C665D631D9FE349@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <ed01a7e0-cad7-55da-9ca8-c41657033cbc@von-Oheimb.de>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JdSXrzguQFpMT7BKyyVdflm_tU0>
Subject: Re: [lamps] [CMP Updates] Hash algorithm to us for calculating certHash
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 15:14:22 -0000
David: I think this means that any new signature mechanisms need to say what the default hash for use with CMP will be. Russ > On Jun 15, 2021, at 6:00 AM, David von Oheimb <nl0@von-Oheimb.de> wrote: > > Russ, Lijun, et al., > > we have not yet heard back on our latest proposal how to determine the hash alg to use for the certHash field in CMP certConf messages. > Would be good to finalize this topic by the end of this week in order to bring it into the next version of the CMP-related drafts. > > To summarize, our proposal is to add a hashAlg field to the CertStatus structure as follows, which is binary backward compatible: > > CertStatus ::= SEQUENCE { > hashAlg [0] AlgorithmIdentifier OPTIONAL, > certHash OCTET STRING, > certReqId INTEGER, > statusInfo PKIStatusInfo OPTIONAL > } > In case the signature alg identifier of the cert explicitly contains a hash alg (which so far always was the case until EdDSA came up), > then use that hash alg and the optional hashAlg field MUST be omitted, which means the certConf message can keep version CMPv2. > Otherwise, the hashAlg field MUST be used to specify the hash alg used and the version of the certConf message is CMPv3. > (In addition, we gonna specify in the CMP- Algorithms draft that SHA-512 SHALL be used for Ed25519 and SHAKE256 for Ed448, > like done for CMS in RFC8419). > > Does this sound fine? > > David > > On 11.06.21 15:21, Brockhaus, Hendrik wrote: >> If there is any further feedback to this from the WG, please let me know. >> If not, I would include the section into the draft and submit an updated version. >> >> Hendrik >> >>> Von: Spasm <spasm-bounces@ietf.org> <mailto:spasm-bounces@ietf.org> Im Auftrag von Brockhaus, Hendrik >>> >>> Russ >>> >>> Thank you for this suggestion. In the meantime, David tested the backward >>> compatibility of this approach. It works fine. >>> >>>> Von: Russ Housley <housley@vigilsec.com> <mailto:housley@vigilsec.com> >>>> >>>> The 3rd choice seems to be the most future proof. You can add something >>> like: >>>> CertStatus ::= SEQUENCE { >>>> hashFunc [0] AlgorithmIdentifier DEFAULT sha256Identifier, >>>> ... >>> This was the solution David and I discussed as well. But we called the field >>> hashAlg, like in OOBCertHash. >>> We feel the DEFAULT is in conflict with the CMP V2, that determines the hash >>> algorithm from the signatureAlgorithm field of the certificate to be confirmed. >>> We also tried to prevent to specify fixed algorithms in CMP to be crypto agile >>> and prevent future updates. Therefore, we propose not to use the DEFAULT. >>> @Liao, using this approach, you would need to specify SHA-512 for certificate >>> signed with Ed25519 and SHAKE256 for Ed448. I would add a note on this to >>> CMP Algorithms. >>> >>>> That said, this would introduce another place where the CMP protocol >>>> version comes into play with the ASN.1 parsing. >>> You are absolutely right. >>> >>> >>> To introduce the hashAlg field, we propose to add the following section to CMP >>> Updates: >>> >>> ---------------------------snip--------------------------- >>> 2.10. Update Section 5.3.18. - Certificate Confirmation Content >>> >>> This section introduces an optional hashAlg field to the CertStatus type used in >>> certConf messages to explicitly specify the hash algorithm for those certificates >>> where no hash algorithm is specified in the signatureAlgorithm field. >>> >>> Replace the ASN.1 Syntax of CertStatus with the following text: >>> >>> CertStatus ::= SEQUENCE { >>> hashAlg [0] AlgorithmIdentifier OPTIONAL, >>> certHash OCTET STRING, >>> certReqId INTEGER, >>> statusInfo PKIStatusInfo OPTIONAL >>> } >>> >>> The hashAlg field SHOULD be used only in exceptional cases where the >>> signatureAlgorithm of the certificate to be confirmed does not specify a hash >>> algorithm, neither in the OID nor in the parameters. In such cases, e.g., for >>> EdDSA, the hashAlg MUST be used to specify the hash algorithm to be used for >>> calculating the certHash value. Otherwise, the certHash value SHALL be >>> computed using the same hash algorithm as used to create and verify the >>> certificate signature. If hashAlg is used, the CMP version indicated by the >>> certConf message header must be cmp2021(3). >>> ---------------------------snip--------------------------- >>> >>> Any comments and feedback on this proposal from the WG is welcome! >>> >>> Hendrik >>> >>> _______________________________________________ >>> Spasm mailing list >>> Spasm@ietf.org <mailto:Spasm@ietf.org> >>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf> >>> .org%2Fmailman%2Flistinfo%2Fspasm&data=04%7C01%7Chendrik.brockha >>> us%40siemens.com%7C8a0703abedbe44504c8d08d92b5fec60%7C38ae3bcd957 >>> 94fd4addab42e1495d55a%7C1%7C0%7C637588513262560559%7CUnknown%7 >>> CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ >>> XVCI6Mn0%3D%7C1000&sdata=PTvMzW780CJ3gNrZVhPiRZX%2BwzA7LXIo >>> LQcLQkgJk%2Bk%3D&reserved=0 >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org <mailto:Spasm@ietf.org> >> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm> >>
- [lamps] [CMP Updates] Hash algorithm to us for ca… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Lijun Liao
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Russ Housley
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… David von Oheimb
- [lamps] Fwd: [CMP Updates] Hash algorithm to us f… David von Oheimb
- Re: [lamps] Fwd: [CMP Updates] Hash algorithm to … Russ Housley
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Russ Housley
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… Russ Housley
- Re: [lamps] [CMP Updates] Hash algorithm to us fo… David von Oheimb