Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Russ Housley <housley@vigilsec.com> Sun, 10 March 2019 06:17 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3D781274D0 for <spasm@ietfa.amsl.com>; Sat, 9 Mar 2019 22:17:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F_3WgtmbXjng for <spasm@ietfa.amsl.com>; Sat, 9 Mar 2019 22:17:27 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42615126DFA for <spasm@ietf.org>; Sat, 9 Mar 2019 22:17:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 521A1300ADA for <spasm@ietf.org>; Sun, 10 Mar 2019 00:59:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 1VeT6wortdLU for <spasm@ietf.org>; Sun, 10 Mar 2019 00:59:05 -0500 (EST)
Received: from [10.196.217.15] (3-197.icannmeeting.org [199.91.197.3]) by mail.smeinc.net (Postfix) with ESMTPSA id 61A783004B0; Sun, 10 Mar 2019 00:59:00 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <43304DDE-3E5E-406A-ADC3-41185656AEF5@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_428A8DBA-CE6F-415C-A619-C52F1BF5C4A1"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Sun, 10 Mar 2019 01:17:12 -0500
In-Reply-To: <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>, SPASM <spasm@ietf.org>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com> <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com> <017d01d4d38a$675cf580$3616e080$@augustcellars.com> <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PFrUdslMUafZuJiUeIHvrpu9OVc>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 06:17:31 -0000
Daniel:
> Thanks for the clarification for me below, Jim.
>
> Given that information, I wonder if it’s possible to misinterpret some parts of cms-hash-sig.
>
> In section 3:
>
> The signature value is a large OCTET STRING. The signature format is
> designed for easy parsing. Each format includes a counter and type
> codes that indirectly providing all of the information that is needed
> to parse the value during signature validation.
>
> I think this paragraph is talking about the signature value as returned by the HSS algorithm. In this case it’s not an OCTET STRING (i.e. the ASN.1 structure), but just an octet string. Referring to it as an OCTET STRING could result in confusion as to whether it’s double wrapped in ASN.1.
In RFC 5280 and X.509, the signature on a certificate is defined as:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
This is the BIT STRING that Jim is talking about in his message.
In RFC 5652, the signature appears in SignerInfo:
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
SignatureValue ::= OCTET STRING
This is the OCTET STRING that is being referenced in the quoted text.
> Similarly in section 4:
>
> The public key value is an OCTET STRING. Like the signature format,
> it is designed for easy parsing. The value is the number of levels
> in the public key, L, followed by the LMS public key.
>
> While HSS-LMS-HashSig-PublicKey is actually an OCTET STRING, I think this paragraph is referring to the public key as processed by HSS and so should be an octet string.
That test is referring to this part of the ASN.1:
HSS-LMS-HashSig-PublicKey ::= OCTET STRING
Russ
> On 2019-03-05, 2:34 PM, "Jim Schaad" <ietf@augustcellars.com <mailto:ietf@augustcellars.com>> wrote:
>
>
>
> From: Daniel Van Geest <Daniel.VanGeest@isara.com <mailto:Daniel.VanGeest@isara.com>>
> Sent: Tuesday, March 5, 2019 10:20 AM
> To: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>>; 'Russ Housley' <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Cc: 'SPASM' <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
>
>
>
> On 2019-03-05, 12:50 PM, "Jim Schaad" <ietf@augustcellars.com <mailto:ietf@augustcellars.com>> wrote:
>
>
>
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Daniel Van Geest
> Sent: Tuesday, March 5, 2019 8:38 AM
> To: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>; Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>>
> Cc: SPASM <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
>
> I’m working to align x509-hash-sigs draft and implementations with this one. There’s something in cms-hash-sigs that I’d like clarification on to understand the implications.
>
> The ASN.1 module defines:
>
> pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
> IDENTIFIER id-alg-hss-lms-hashsig
> KEY HSS-LMS-HashSig-PublicKey
> PARAMS ARE absent
> CERT-KEY-USAGE
> { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
>
> HSS-LMS-HashSig-PublicKey ::= OCTET STRING
>
> Specifically, the public key is an OCTET STRING. The actual public key is “u32str(L) || lms_public_key”, so essentially an opaque octet string.
>
> What are the implications in x.509 of defining “HSS-LMS-HashSig-PublicKey ::= OCTET STRING”? Does this mean that in the Subject Public Key Info attribute, the HSS public key would be encoded as an OCTET STRING which is then wrapped in a BIT STRING encoding? (as opposed to a BIT STRING encoding of the raw “u32str(L) || lms_public_key” octet string).
>
> The closest I could find to this situation is Ed25519/Ed448 since those public keys are also just raw octet strings (32 octets in 25519). But the ASN.1 module for RFC 8410 specifies “-- KEY no ASN.1 wrapping --” within PUBLIC-KEY:
>
> pk-Ed25519 PUBLIC-KEY ::= {
> IDENTIFIER id-Ed25519
> -- KEY no ASN.1 wrapping --
> PARAMS ARE absent
> CERT-KEY-USAGE {digitalSignature, nonRepudiation,
> keyCertSign, cRLSign}
> PRIVATE-KEY CurvePrivateKey
> }
>
> I’m not an ASN.1 expert, so could someone explain the difference? Is the “no wrapping” there because the public key is raw octets? And then whoever encodes the public only applies their own encoding (if any) of the octets. Does it have to do with the fact that the public key can be easily derived from the private key? Is my assumption correct that a SPKI encoding of an HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding of the raw octets?
>
> [JLS] As I read this what you have deduced is correct. For Ed25519 the public key is directly wrapped in the BIT STRING with no additional encoding. For the hash sig public key the public key is wrapped in an OCTET STRING which is then wrapped in the BIT STRING.
>
> As a general rule, I prefer having the extra layer of ASN.1 encoding because a lot of decoders assume that there is going to be that layer when processing certificates. However, I did not write the initial versions of the Edwards draft and thus I just used the encoding that was there rather than writing it as I would prefer.
>
> [DVG] Do you prefer this general rule for the signature as well? In X.509 would you prefer the raw signature octets wrapped in an OCTET STRING wrapped in a BIT STRING? How would this work in CMS where the signature field within the SignerInfo is already defined as an OCTET string? Wouldn’t the rule imply the raw HSS octet string wrapped in an OCTET STRING wrapped in an OCTET STRING? That’s not how I’m reading cms-hash-sigs, e.g. section 5:
>
> signature contains the single HSS signature value resulting from
> the signing operation as specified in [HASHSIG].
>
> And `signature` already being defined as an OCTET STRING make this read to me as a single wrapping.
>
> [JLS] Signatures have traditionally always been the raw bytes. The difference is that frequently public and private keys have had ASN.1 structure wrapped around them while signatures have not. For an example look at how RSA is done.
>
> Jim
>
>
> Thanks,
> Daniel
>
> Jim
>
>
> Thanks,
> Daniel
>
> On 2019-02-27, 12:27 PM, "Spasm on behalf of Russ Housley" <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> on behalf of housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>
> Jim:
>
> You are correct. I missed this when I made the last update. I will make the change now in my edit buffer. I'll post it along with any other changes that result from IETF Last Call.
>
> Russ
>
>
> On Feb 26, 2019, at 8:25 PM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>> wrote:
> I have a small change to request. I am happy if you deal with it at a later
> date as long as it does not get lost.
> In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty
> or absent HASHES field. There are no hash functions which are to be applied
> prior to given the input to the signing function. This would match what I
> did for EdDSA.
> Jim
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: Tuesday, February 26, 2019 10:44 AM
> To: SPASM <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
> This removes the extraneous paragraph that was pointed out by Daniel.
> I believe that all comments have been resolved, and the document is now
> ready to go to the IESG.
> Russ
> On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX
> and
> SMIME WG of the IETF.
> Title : Use of the HSS/LMS Hash-based Signature
> Algorithm in the
> Cryptographic Message Syntax (CMS)
> Author : Russ Housley
> Filename : draft-ietf-lamps-cms-hash-sig-06.txt
> Pages : 14
> Date : 2019-02-26
> Abstract:
> This document specifies the conventions for using the the HSS/LMS
> hash-based signature algorithm with the Cryptographic Message Syntax
> (CMS). In addition, the algorithm identifier and public key syntax
> are provided. The HSS/LMS algorithm is one form of hash-based
> digital signature; it is described in [HASHSIG].
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/ <https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06 <https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06>
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06 <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06 <https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org <http://tools.ietf.org/>.
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/ <ftp://ftp.ietf.org/internet-drafts/>
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Tim Hollebeek
- [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig… internet-drafts
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest