Re: [lamps] WGLC: draft-ietf-lamps-pkix-shake-02

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Wed, 05 September 2018 17:44 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71115130DDA for <spasm@ietfa.amsl.com>; Wed, 5 Sep 2018 10:44:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uhMop9AKCNzM for <spasm@ietfa.amsl.com>; Wed, 5 Sep 2018 10:44:10 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on071e.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd00::71e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBE2D127AC2 for <spasm@ietf.org>; Wed, 5 Sep 2018 10:44:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6ZvtGNqR7qiealf4inMX9v176QtMowWcQaty/vhOpu0=; b=zoDtp9QcL+DeqSgS0pMso3xqpKvo5EVF41qlQcGRcRBldErbOHo1TmS/LW3gt8NMFIPbSbS3KL31VVAYbah/gZcAyNtmkzTPxzrmmSsdXev48K+VDuV2Kl9Vgs0i5BoZKX1oaPIlujP79AvxFCTaahb+/3qpbvx8RxqccK5kyFk=
Received: from DM6PR09MB2746.namprd09.prod.outlook.com (20.176.97.156) by DM6PR09MB2748.namprd09.prod.outlook.com (20.176.97.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.15; Wed, 5 Sep 2018 17:44:08 +0000
Received: from DM6PR09MB2746.namprd09.prod.outlook.com ([fe80::dca7:b9ba:8b18:f6f5]) by DM6PR09MB2746.namprd09.prod.outlook.com ([fe80::dca7:b9ba:8b18:f6f5%2]) with mapi id 15.20.1080.019; Wed, 5 Sep 2018 17:44:08 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Jim Schaad <ietf@augustcellars.com>
CC: 'Russ Housley' <housley@vigilsec.com>, 'Tim Hollebeek' <tim.hollebeek@digicert.com>, "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: WGLC: draft-ietf-lamps-pkix-shake-02
Thread-Index: AdQrWI/gim0DHC1IRr6kopVYbZGOFwZx5lJ0AALvbgAABN0x1Q==
Date: Wed, 5 Sep 2018 17:44:08 +0000
Message-ID: <DM6PR09MB2746F924F18EA9C1A105FBACF3020@DM6PR09MB2746.namprd09.prod.outlook.com>
References: <00b801d42b61$cf059a60$6d10cf20$@augustcellars.com> <DM6PR09MB2746C78671FFE7B83F0A83ADF3020@DM6PR09MB2746.namprd09.prod.outlook.com>, <083901d4452b$e97f95b0$bc7ec110$@augustcellars.com>
In-Reply-To: <083901d4452b$e97f95b0$bc7ec110$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-originating-ip: [129.6.219.38]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR09MB2748; 6:2ccIdj5l9WPLCu6mG9WbgDkRphokBrQiK3hM6w5G9Iw5WAQc3e0H4nwLcs10twMmC688BxopaUokj3XkHaThtx2EZONuYmE0jTQqIHJz+iznJ7pVg5ySuHIUBL122teHFJnZYL1vQvYnYbr8GqNxfSbJfpAznGm7tybPvLezs1WaEbk7p337s+wbaj2+IeRnqwzX+g3jl/nZZuSarC1hee2lBpNgi7bOWYKVPVfWWLXz4/giA7He4epUXTjHSadE0OjFoGVsF6urgxCTuEZNGVL1pNeeiRm5/ffepmb/PVdsWEXVQ1rCQFNnJ3AeInIdvIBKHJg7HsHBq2fSJq2jOfWR6Ae9Svj7hUYRDjr77A3WCeNRpqMbpd6hGOzJDr9c4Teb1Gi1/cqqmxRg5umueq4pbipASjZHrgH/Wj93r3dJFBbrT9OHTlzbllmjLImnAG2/BtEauLcCax0JiUbFBg==; 5:20AHjDMDp7i6dV+88lHW0nNRjKcnivcxzwaJkHkJH3XYQ/FxAlvouN4F74Vs0XqMTJW7exfrf0mf40dfEJmLVjMPBvPH2Ffz18ffdEUpcvGIw37pOiTn3zJFF8qo5s2IWqdaR4UnaeLJ5Yh3WGeiXmGQCixJ05K3fdYDSG7tHjE=; 7:XzACZChP0a3zSfwsAUuKArkcDWcYUQATakRui4dtwY8iqm04duWji+Ui5PkxzzISnTc2xcrkf29XOIRxW5uFB61o0c8u5ceKx675DewE73x2HT/OwedFkdvaSN+TtIxG8YnUS/fKxMfGqB6jp0uP5bR7K5hIHGcunZgxgUnc8MxcttkGdqOrQzDgu9q7oGg1lERUS5mX5d5Sd0h8KI9oKQXoiVSP8d1bM8cwXWjr49xLRqE4UxBhyvDapm0IfthP
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: f4d63e5a-b5cd-49bf-7489-08d613572ec4
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR09MB2748;
x-ms-traffictypediagnostic: DM6PR09MB2748:
x-microsoft-antispam-prvs: <DM6PR09MB27482F27E05D9BA18D147FA8F3020@DM6PR09MB2748.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(95692535739014);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231311)(944501410)(52105095)(10201501046)(3002001)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(20161123564045)(201708071742011)(7699016); SRVR:DM6PR09MB2748; BCL:0; PCL:0; RULEID:; SRVR:DM6PR09MB2748;
x-forefront-prvs: 078693968A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(136003)(346002)(366004)(376002)(39860400002)(189003)(199004)(14454004)(55016002)(11346002)(53936002)(236005)(74316002)(9686003)(54906003)(26005)(19627405001)(2906002)(97736004)(8936002)(229853002)(33656002)(7736002)(446003)(478600001)(81166006)(476003)(486006)(6436002)(316002)(105586002)(81156014)(186003)(6246003)(106356001)(54896002)(6916009)(99286004)(7696005)(5250100002)(6116002)(66066001)(76176011)(68736007)(6606003)(25786009)(8676002)(86362001)(4326008)(256004)(102836004)(3846002)(6506007)(2900100001)(14444005)(5660300001)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR09MB2748; H:DM6PR09MB2746.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-microsoft-antispam-message-info: F9WK7fJokCdB59DScfs9ARXHk4YUwGMAQ8TclT4w9MqNedfSS6eQ0Bj6tCgbRjFdu0qKNrrh3rw3NoYC0XpBtrQ45Shs4e5FQeW/7xPbW8E8207Io7+2HiTAm5sycns+2MQC+XltKahyx0McdnKm8hz6RDIjdgYiUbQR0ime/JMLRgqlS3BlbezTWyvuv70OBFXq4Wb+K98econcrMTEBzOEBSmKiyq5HDCKejM/H0QAoDHQna+ajfX5u3qoWFg1TYHvy7OWC1z+mELfejqbevwX7CvBJnCbISC1fGxbycFecfuHj5RWz5mBSwgJ2VY7ZJXoXmgCW+IFxnhCiwSIaS4/WhIctdwkfZb6h4pno7g=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM6PR09MB2746F924F18EA9C1A105FBACF3020DM6PR09MB2746namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: f4d63e5a-b5cd-49bf-7489-08d613572ec4
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Sep 2018 17:44:08.6532 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB2748
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aErNQCuRhJArixf_todAyLkC8JY>
Subject: Re: [lamps] WGLC: draft-ietf-lamps-pkix-shake-02
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2018 17:44:14 -0000

I would have no problems with deterministic ECDSA. But, the adoption was for the original ECDSA.


We need advice from the chairs.


Regards,

Quynh.


________________________________
From: Jim Schaad <ietf@augustcellars.com>
Sent: Wednesday, September 5, 2018 11:19 AM
To: Dang, Quynh (Fed)
Cc: 'Russ Housley'; 'Tim Hollebeek'; 'Panos Kampanakis (pkampana)'; spasm@ietf.org
Subject: RE: WGLC: draft-ietf-lamps-pkix-shake-02


Mostly looks fine – one comment below



From: Dang, Quynh (Fed) <quynh.dang@nist.gov>
Sent: Wednesday, September 5, 2018 7:08 AM
To: Jim Schaad <ietf@augustcellars.com>
Cc: 'Russ Housley' <housley@vigilsec.com>om>; Tim Hollebeek <tim.hollebeek@digicert.com>om>; Panos Kampanakis (pkampana) <pkampana@cisco.com>
Subject: Re: WGLC: draft-ietf-lamps-pkix-shake-02



Hi Jim,



We appreciate your review and comments.



By the co-chairs' direction, let's try to improve the doc using your comments.



________________________________

From: Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>
Sent: Friday, August 3, 2018 3:40 PM
To: draft-ietf-lamps-pkix-shake@ietf.org<mailto:draft-ietf-lamps-pkix-shake@ietf.org>
Subject: WGLC: draft-ietf-lamps-pkix-shake-02



Not ready for progression.

* Run the NITS on this document and fix them.  Examples of problems are the
fact that MUST language section is missing, possible incorrect references,
and you have lines that are too long.



Comment 1: correct. Will fix it.



*  Introduction - I have a problem with the cardinality of items in the
second and third paragraphs here.  I do not ask that you fix the problems
that I have but you should be ready to address this is you get the same
questions from the RFC Editor or the IESG.  I would consider SHAKE to be a
family of extendable-output hash functions and thus has a cardinality of
one.  The two specific hash functions have a cardinality of greater than
one.  The question of cardinality comes in terms of the usage of 'A', 'is',
'are'.



Comment 2: "the SHAKE hash functions " in second paragraph in the intro. should be changed to "the SHAKEs" for a smooth read.  A SHAKE is defined as one function with variable output length.


* Introduction - paragraph 2 - I find the last sentence to be difficult to
read.  The usage of 'and' here seems to be incorrect and it may be difficult
to figure out which pair comes first - resistance or function.



Comment 3:

It would read better if the sentence  "The corresponding collision and preimage resistance security levels for SHAKE128 and SHAKE256 are respectively
   min(d/2,128) and min(d,128) and min(d/2,256) and min(d,256) bits."  to be replaced with "The corresponding collision and second preimage resistance strengths for SHAKE128 are min(d/2,128) and min(d,128) respectively. And, the corresponding collision and second preimage resistance strengths for SHAKE256 are min(d/2,256) and min(d,256) bits respectively. "


* Introduction - paragraph 3 - I am unaware that ECDSA has a mask generating
function associated with it.  This sentence needs to be cleaned up





Comment 4: This sentence "

SHAKEs can be used as the message digest function (to hash the
   message to be signed) and as the hash function in the mask generating
   functions in RSASSA-PSS and ECDSA." should be replaced with "

SHAKEs can be used as the message digest function (to hash the
   message to be signed) in RSASSA-PSS and ECDSA and as the hash function in the mask generating functions in RSASSA-PSS."


* Introduction - paragraph 3 - Consider putting in a reference to the
algorithm identifiers that are not changing.  Probably overkill but still
useful



Comment 5: Adding " see section 3 below" at the end of this sentence: "In this document, we define four new OIDs for RSASSA-PSS and ECDSA when SHAKE128 and SHAKE256 are used as hash functions.".



* Identifiers - This section needs to nail down all parameters associated w/
the different SHAKE functions when used here.  Otherwise you end up with the
first assumption that I made which was d = 128 for SHAKE128 which would not
produce an acceptable result.



Comment 6: The specification of output lengths of the 2 SHAKEs is in Sections 4.1.1 and 4.1.2.  Adding a sentence " See Sections 4.1.1 and 4.1.2 for specification of a required output length for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA."




* Signatures - Para #3 - you refer to section 3 for OIDs, but they are not
there for public keys.



Comment 7: Adding this "

Conforming CA implementations MUST specify the algorithms explicitly
   by using the OIDs specified in Section 3 when encoding  public keys for RSASSA-PSS and ECDSA with SHAKE signatures in certificates and CRLs." as the first paragraph in Section 4.2 "Public keys".


* IANA Considerations is incorrect and MUST be updated





Comment 8: IANA Considerations is incorrect and will be updated.



* Why is there no reference to deterministic ECDSA signatures in the
document.



Comment 9: Deterministic ECDSA has a different signing function because of the way k is generated. The working group has not adopted this option yet. Verification is the same.



[JLS] If you want to say that it is a different signature algorithm that is fine.  I’ll call and raise.  It should be that it is required that ECDSA w/ SHAKE implements deterministic ECDSA and MUST NOT use a random generator for k.


* The ASN.1 module is absent and needs to be instantiated.  Even doing so
with TBD is sufficient for now.



Comment 10: Yes.

The ASN.1 module is absent and needs to be instantiated.



Are you ok with the proposed resolutions ?



Regards,

Quynh.