Re: [lamps] WGLC: draft-ietf-lamps-pkix-shake-02

"Panos Kampanakis (pkampana)" <> Wed, 26 September 2018 16:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 759A9130EFA for <>; Wed, 26 Sep 2018 09:59:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Vl5KR9qJT9Bz for <>; Wed, 26 Sep 2018 09:59:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F3986130DF3 for <>; Wed, 26 Sep 2018 09:59:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=24356; q=dns/txt; s=iport; t=1537981142; x=1539190742; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Kd+ZmTw1zJ7Om4lzbzxNVDpTaVQOMbonhd1d16yrvMA=; b=CCCjnEPI8HiBHWObU2Yiqp6/nRG9kPUvZRMQHaSxlCJix3Kf6lzB3yS0 ceTMAsgnpr0si0+6AtG0UlKzxNO1b3say//7DB2ImdZeLnQQptXvBvsaY XkkOryETFIUmG3W7lvivQXQQnnO+Qr9s0s5hLJlYaa2e+vL3CR16gOyjl 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AGAACVuatb/4gNJK1bGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBUYEXSC9lfygKi3+OPpZPgXoLJ4RFAoN9ITQYAQMBAQI?= =?us-ascii?q?BAQJtHAyFOAEBAQEDLUwQAgEIDgMEAQEhBwcyFAkIAQEEDgUIgxqBHWQPpHG?= =?us-ascii?q?KEAWKexeBQT+BEoMSgxsCAhiBfYUiAo1shXeJJAkChkGJYh+BRodZhhWHG4R?= =?us-ascii?q?ghgmCZgIRFIElHTiBVXAVgyeCJBiDRopSb4wpgR4BAQ?=
X-IronPort-AV: E=Sophos;i="5.54,307,1534809600"; d="scan'208,217";a="177085162"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Sep 2018 16:59:00 +0000
Received: from ( []) by (8.15.2/8.15.2) with ESMTPS id w8QGx04G021826 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 26 Sep 2018 16:59:00 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 26 Sep 2018 11:58:59 -0500
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Wed, 26 Sep 2018 11:58:59 -0500
From: "Panos Kampanakis (pkampana)" <>
To: Jim Schaad <>
CC: "" <>, "'Dang, Quynh (Fed)'" <>, "'Russ Housley'" <>
Thread-Topic: WGLC: draft-ietf-lamps-pkix-shake-02
Thread-Index: AdQrWI/gim0DHC1IRr6kopVYbZGOFwZx5lJ0AA1powAEGQmOkA==
Date: Wed, 26 Sep 2018 16:58:59 +0000
Message-ID: <>
References: <00b801d42b61$cf059a60$6d10cf20$> <> <083901d4452b$e97f95b0$bc7ec110$>
In-Reply-To: <083901d4452b$e97f95b0$bc7ec110$>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_b2dc9e5da2194b0ea3f2022bf24522d3XCHALN010ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [lamps] WGLC: draft-ietf-lamps-pkix-shake-02
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Sep 2018 16:59:06 -0000

Hi Jim,
Thank you for the thorough review.
All your comments (other than the ASN.1 which we deferred for later) were addressed and they are in
The latest, current version of the draft is in

From: Jim Schaad []
Sent: Wednesday, September 05, 2018 11:20 AM
To: 'Dang, Quynh (Fed)' <>
Cc: 'Russ Housley' <>om>; 'Tim Hollebeek' <>om>; Panos Kampanakis (pkampana) <>om>;
Subject: RE: WGLC: draft-ietf-lamps-pkix-shake-02

Mostly looks fine - one comment below

From: Dang, Quynh (Fed) <<>>
Sent: Wednesday, September 5, 2018 7:08 AM
To: Jim Schaad <<>>
Cc: 'Russ Housley' <<>>; Tim Hollebeek <<>>; Panos Kampanakis (pkampana) <<>>
Subject: Re: WGLC: draft-ietf-lamps-pkix-shake-02

Hi Jim,

We appreciate your review and comments.

By the co-chairs' direction, let's try to improve the doc using your comments.

From: Jim Schaad <<>>
Sent: Friday, August 3, 2018 3:40 PM
Subject: WGLC: draft-ietf-lamps-pkix-shake-02

Not ready for progression.

* Run the NITS on this document and fix them.  Examples of problems are the
fact that MUST language section is missing, possible incorrect references,
and you have lines that are too long.

Comment 1: correct. Will fix it.

*  Introduction - I have a problem with the cardinality of items in the
second and third paragraphs here.  I do not ask that you fix the problems
that I have but you should be ready to address this is you get the same
questions from the RFC Editor or the IESG.  I would consider SHAKE to be a
family of extendable-output hash functions and thus has a cardinality of
one.  The two specific hash functions have a cardinality of greater than
one.  The question of cardinality comes in terms of the usage of 'A', 'is',

Comment 2: "the SHAKE hash functions " in second paragraph in the intro. should be changed to "the SHAKEs" for a smooth read.  A SHAKE is defined as one function with variable output length.

* Introduction - paragraph 2 - I find the last sentence to be difficult to
read.  The usage of 'and' here seems to be incorrect and it may be difficult
to figure out which pair comes first - resistance or function.

Comment 3:
It would read better if the sentence  "The corresponding collision and preimage resistance security levels for SHAKE128 and SHAKE256 are respectively
   min(d/2,128) and min(d,128) and min(d/2,256) and min(d,256) bits."  to be replaced with "The corresponding collision and second preimage resistance strengths for SHAKE128 are min(d/2,128) and min(d,128) respectively. And, the corresponding collision and second preimage resistance strengths for SHAKE256 are min(d/2,256) and min(d,256) bits respectively. "

* Introduction - paragraph 3 - I am unaware that ECDSA has a mask generating
function associated with it.  This sentence needs to be cleaned up

Comment 4: This sentence "
SHAKEs can be used as the message digest function (to hash the
   message to be signed) and as the hash function in the mask generating
   functions in RSASSA-PSS and ECDSA." should be replaced with "
SHAKEs can be used as the message digest function (to hash the
   message to be signed) in RSASSA-PSS and ECDSA and as the hash function in the mask generating functions in RSASSA-PSS."

* Introduction - paragraph 3 - Consider putting in a reference to the
algorithm identifiers that are not changing.  Probably overkill but still

Comment 5: Adding " see section 3 below" at the end of this sentence: "In this document, we define four new OIDs for RSASSA-PSS and ECDSA when SHAKE128 and SHAKE256 are used as hash functions.".

* Identifiers - This section needs to nail down all parameters associated w/
the different SHAKE functions when used here.  Otherwise you end up with the
first assumption that I made which was d = 128 for SHAKE128 which would not
produce an acceptable result.

Comment 6: The specification of output lengths of the 2 SHAKEs is in Sections 4.1.1 and 4.1.2.  Adding a sentence " See Sections 4.1.1 and 4.1.2 for specification of a required output length for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA."

* Signatures - Para #3 - you refer to section 3 for OIDs, but they are not
there for public keys.

Comment 7: Adding this "
Conforming CA implementations MUST specify the algorithms explicitly
   by using the OIDs specified in Section 3 when encoding  public keys for RSASSA-PSS and ECDSA with SHAKE signatures in certificates and CRLs." as the first paragraph in Section 4.2 "Public keys".

* IANA Considerations is incorrect and MUST be updated

Comment 8: IANA Considerations is incorrect and will be updated.

* Why is there no reference to deterministic ECDSA signatures in the

Comment 9: Deterministic ECDSA has a different signing function because of the way k is generated. The working group has not adopted this option yet. Verification is the same.

[JLS] If you want to say that it is a different signature algorithm that is fine.  I'll call and raise.  It should be that it is required that ECDSA w/ SHAKE implements deterministic ECDSA and MUST NOT use a random generator for k.

* The ASN.1 module is absent and needs to be instantiated.  Even doing so
with TBD is sufficient for now.

Comment 10: Yes.
The ASN.1 module is absent and needs to be instantiated.

Are you ok with the proposed resolutions ?