From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Date: Thu, 12 Sep 2019 04:21:45 +0000
Message-ID: <BN7PR11MB2547BEF4B27B52ECBF64525EC9B00@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <6FA94952-63C4-42A3-A85F-AAB0A8145F68@vigilsec.com>
In-Reply-To: <6FA94952-63C4-42A3-A85F-AAB0A8145F68@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/oV_A7gsziU9Oh18UuyB6UT9leWo>
Subject: Re: [lamps] draft-ietf-lamps-cms-shakes
List-Id: "This is a venue for discussion of doing Some Pkix And SMime
 \(spasm\) work." <spasm.ietf.org>

Hi Russ,

Hmm, do we need it?

CMS imports AlgorithmIdentifier from PKIX which we updated in the PKIX
SHAKEs draft. And then CMS uses these algorithm identifiers in the
SignedData SignerInfo signatureAlgorithm field.

https://tools.ietf.org/html/rfc5753#appendix-A.2 does import
sa-ecdsawithXXX as you are suggesting, but I am not sure it needed to. I
mean we could import the new sa-ecdsawithshake and sa-rsassapssWithSHAKE
and put them in SignatureAlgs to make it easier, but it would be commented
out like https://tools.ietf.org/html/rfc5753#appendix-A.2 does because it
already exists in the PKIX SHAKEs ASN.1.

Rgs,
Panos


-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Wednesday, September 11, 2019 3:06 PM
To: LAMPS WG <spasm@ietf.org>
Subject: [lamps] draft-ietf-lamps-cms-shakes

I was just working on an implementation, and I discovered an omission in
the ASN.1 for draft-ietf-lamps-cms-shakes.

The ASN.1 module for draft-ietf-lamps-pkix-shake includes:

    -- RSASSA-PSS with SHAKE128
    sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-RSASSA-PSS-SHAKE128
      PARAMS ARE absent
          -- The hashAlgorithm is mda-shake128
          -- The maskGenAlgorithm is id-shake128
          -- Mask Gen Algorithm is SHAKE128 with output length
          -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA
          -- modulus in bits.
          -- The saltLength is 32. The trailerField is 1
      HASHES { mda-shake128 }
      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 }
      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 }
    }
    id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD1 }

    -- RSASSA-PSS with SHAKE256
    sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-RSASSA-PSS-SHAKE256
      PARAMS ARE absent
          -- The hashAlgorithm is mda-shake256
          -- The maskGenAlgorithm is id-shake256
          -- Mask Gen Algorithm is SHAKE256 with output length
          -- (8*ceil((n-1)/8) - 520)-bits, where n is the
          -- RSA modulus in bits.
          -- The saltLength is 64. The trailerField is 1.
      HASHES { mda-shake256 }
      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 }
      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 }
    }
    id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD2 }

    -- ECDSA with SHAKE128
    sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-ecdsa-with-shake128
      VALUE ECDSA-Sig-Value
      PARAMS ARE absent
      HASHES { mda-shake128 }
      PUBLIC-KEYS { pk-ec }
      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 }
    }
    id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD3 }

    -- ECDSA with SHAKE256
    sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-ecdsa-with-shake256
      VALUE ECDSA-Sig-Value
      PARAMS ARE absent
      HASHES { mda-shake256 }
      PUBLIC-KEYS { pk-ec }
      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 }
    }
    id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD4 }

I think that the draft-ietf-lamps-cms-shakes ASN.1 module should repeat
this information in exactly the same format or it should IMPORT these
definitions.

Russ
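
Added example, not part of either message or of the drafts: because "PARAMS ARE absent", the RSASSA-PSS parameters live only in the ASN.1 comments quoted above, so an implementation has to hard-code them per OID. The sketch below builds and checks the PSS encoded message (no RSA operation) with those fixed values; the function names are hypothetical, and the 32/64-byte hash output length is an assumption inferred from the 264/520-bit mask formulas.

```python
import hashlib, hmac, os

# (XOF, length in bytes used for both hash output and salt). saltLength 32/64 is
# from the ASN.1 comments; the equal hash length is an assumption (see lead-in).
PARAMS = {"SHAKE128": (hashlib.shake_128, 32), "SHAKE256": (hashlib.shake_256, 64)}

def mask_bits(mod_bits, variant):
    # ASN.1 comment: 8*ceil((n-1)/8) - 264 bits (SHAKE128) or - 520 (SHAKE256)
    h_len = PARAMS[variant][1]
    return 8 * ((mod_bits + 6) // 8) - (8 * h_len + 8)

def pss_encode(msg, mod_bits, variant, salt=None):
    xof, h_len = PARAMS[variant]
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    if em_len < 2 * h_len + 2:
        raise ValueError("modulus too short for these fixed parameters")
    salt = os.urandom(h_len) if salt is None else salt
    m_hash = xof(msg).digest(h_len)
    h = xof(b"\x00" * 8 + m_hash + salt).digest(h_len)
    db = b"\x00" * (em_len - 2 * h_len - 2) + b"\x01" + salt
    # The SHAKE itself is the mask generation function (maskGenAlgorithm id-shakeNNN)
    mask = xof(h).digest(mask_bits(mod_bits, variant) // 8)
    masked = bytearray(a ^ b for a, b in zip(db, mask))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"  # trailerField 1 is the byte 0xBC

def pss_verify(msg, em, mod_bits, variant):
    xof, h_len = PARAMS[variant]
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < 2 * h_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:  # bits above em_bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, xof(h).digest(len(masked))))
    db[0] &= top
    pad = em_len - 2 * h_len - 2
    if any(db[:pad]) or db[pad] != 0x01:
        return False
    m_hash = xof(msg).digest(h_len)
    expect = xof(b"\x00" * 8 + m_hash + bytes(db[-h_len:])).digest(h_len)
    return hmac.compare_digest(expect, h)
```

A verifier that picked the wrong variant for an OID would derive a different mask and salt length, so the same encoded message fails the check.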

