IETF Logo Mail Archive

Re: [lamps] [CMP Updates] Hash algorithm to us for calculating certHash

David von Oheimb <nl0@von-Oheimb.de> Tue, 15 June 2021 10:00 UTC

Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3D643A292C for <spasm@ietfa.amsl.com>; Tue, 15 Jun 2021 03:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8legDTDgcBOA for <spasm@ietfa.amsl.com>; Tue, 15 Jun 2021 03:00:11 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B5D73A292B for <spasm@ietf.org>; Tue, 15 Jun 2021 03:00:10 -0700 (PDT)
Received: from [192.168.178.115] (dynamic-095-118-012-088.95.118.pool.telefonica.de [95.118.12.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id D09714218F6; Tue, 15 Jun 2021 12:00:07 +0200 (CEST)
To: Russ Housley <housley@vigilsec.com>, Lijun Liao <lijun.liao@gmail.com>, LAMPS WG <spasm@ietf.org>
Cc: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
References: <AM0PR10MB24188C86D787842B2C7D9DD6FE379@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <783FEFC2-CE5C-430C-8243-F4B80290C80A@vigilsec.com> <AM0PR10MB2418EB88CECDE3315B7388B1FE369@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB24180B8830DE52C665D631D9FE349@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
From: David von Oheimb <nl0@von-Oheimb.de>
Message-ID: <ed01a7e0-cad7-55da-9ca8-c41657033cbc@von-Oheimb.de>
Date: Tue, 15 Jun 2021 12:00:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <AM0PR10MB24180B8830DE52C665D631D9FE349@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
Content-Type: multipart/alternative; boundary="------------2EAED3207D3A640C66D8CE4D"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/XSUIr_vHFW3F4yB-I8Y9nKUZYH0>
Subject: Re: [lamps] [CMP Updates] Hash algorithm to us for calculating certHash
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 10:00:16 -0000

Russ, Lijun, et al.,

we have not yet heard back on our latest proposal how to determine the
hash alg to use for the certHash field in CMP certConf messages.
Would be good to finalize this topic by the end of this week in order to
bring it into the next version of the CMP-related drafts.

To summarize, our proposal is to add a hashAlg field to the CertStatus
structure as follows, which is binary backward compatible:

   CertStatus ::= SEQUENCE {

      hashAlg [0] AlgorithmIdentifier OPTIONAL,

      certHash    OCTET STRING,

      certReqId   INTEGER,

      statusInfo  PKIStatusInfo OPTIONAL

   }

In case the signature alg identifier of the cert explicitly contains a
hash alg (which so far always was the case until EdDSA came up),
then use that hash alg and the optional hashAlg field MUST be omitted,
which means the certConf message can keep version CMPv2.
Otherwise, the hashAlg field MUST be used to specify the hash alg used
and the version of the certConf message is CMPv3.
(In addition, we gonna specify in the CMP- Algorithms draft that 
SHA-512 SHALL be used for Ed25519 and SHAKE256 for Ed448,
like done for CMS in RFC8419).

Does this sound fine?

    David

On 11.06.21 15:21, Brockhaus, Hendrik wrote:
> If there is any further feedback to this from the WG, please let me know.
> If not, I would include the section into the draft and submit an updated version.
>
> Hendrik
>
>> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Brockhaus, Hendrik
>>
>> Russ
>>
>> Thank you for this suggestion. In the meantime, David tested the backward
>> compatibility of this approach. It works fine.
>>
>>> Von: Russ Housley <housley@vigilsec.com>
>>>
>>> The 3rd choice seems to be the most future proof.  You can add something
>> like:
>>> CertStatus ::= SEQUENCE {
>>>    hashFunc [0] AlgorithmIdentifier DEFAULT sha256Identifier,
>>>    ...
>> This was the solution David and I discussed as well. But we called the field
>> hashAlg, like in OOBCertHash.
>> We feel the DEFAULT is in conflict with the CMP V2, that determines the hash
>> algorithm from the signatureAlgorithm field of the certificate to be confirmed.
>> We also tried to prevent to specify fixed algorithms in CMP to be crypto agile
>> and prevent future updates. Therefore, we propose not to use the DEFAULT.
>> @Liao, using this approach, you would need to specify SHA-512 for certificate
>> signed with Ed25519 and SHAKE256 for Ed448. I would add a note on this to
>> CMP Algorithms.
>>
>>> That said, this would introduce another place where the CMP protocol
>>> version comes into play with the ASN.1 parsing.
>> You are absolutely right.
>>
>>
>> To introduce the hashAlg field, we propose to add the following section to CMP
>> Updates:
>>
>> ---------------------------snip---------------------------
>> 2.10.  Update Section 5.3.18. - Certificate Confirmation Content
>>
>> This section introduces an optional hashAlg field to the CertStatus type used in
>> certConf messages to explicitly specify the hash algorithm for those certificates
>> where no hash algorithm is specified in the signatureAlgorithm field.
>>
>> Replace the ASN.1 Syntax of CertStatus with the following text:
>>
>>    CertStatus ::= SEQUENCE {
>>       hashAlg [0] AlgorithmIdentifier OPTIONAL,
>>       certHash    OCTET STRING,
>>       certReqId   INTEGER,
>>       statusInfo  PKIStatusInfo OPTIONAL
>>    }
>>
>> The hashAlg field SHOULD be used only in exceptional cases where the
>> signatureAlgorithm of the certificate to be confirmed does not specify a hash
>> algorithm, neither in the OID nor in the parameters. In such cases, e.g., for
>> EdDSA, the hashAlg MUST be used to specify the hash algorithm to be used for
>> calculating the certHash value. Otherwise, the certHash value SHALL be
>> computed using the same hash algorithm as used to create and verify the
>> certificate signature. If hashAlg is used, the CMP version indicated by the
>> certConf message header must be cmp2021(3).
>> ---------------------------snip---------------------------
>>
>> Any comments and feedback on this proposal from the WG is welcome!
>>
>> Hendrik
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf
>> .org%2Fmailman%2Flistinfo%2Fspasm&amp;data=04%7C01%7Chendrik.brockha
>> us%40siemens.com%7C8a0703abedbe44504c8d08d92b5fec60%7C38ae3bcd957
>> 94fd4addab42e1495d55a%7C1%7C0%7C637588513262560559%7CUnknown%7
>> CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ
>> XVCI6Mn0%3D%7C1000&amp;sdata=PTvMzW780CJ3gNrZVhPiRZX%2BwzA7LXIo
>> LQcLQkgJk%2Bk%3D&amp;reserved=0
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email