[lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-hash-sig-09: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Fri, 13 September 2019 19:10 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED6B1200FA; Fri, 13 Sep 2019 12:10:49 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-lamps-cms-hash-sig@ietf.org, Tim Hollebeek <tim.hollebeek@digicert.com>, lamps-chairs@ietf.org, tim.hollebeek@digicert.com, spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.101.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <156840184931.31866.4936814444231419124.idtracker@ietfa.amsl.com>
Date: Fri, 13 Sep 2019 12:10:49 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ofIZstrwKKynjvtVzqQxrWEd_To>
Subject: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-hash-sig-09: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2019 19:10:49 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-lamps-cms-hash-sig-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Two fairly minor points that should be easy to resolve, but seem to be worth some time: I think we need to be a bit more clear about what exactly the contents of the signature OCTET STRING are. Section 3 has a fairly abstract note about including enough information to be self-describing (within the HSS/LMS variants), and Section 5 does better with "the single HSS signature value resulting from the signing operation as specified in [HASHSIG]", but it doesn't seem too burdensome to say something like "the string returned from Algorithm 3 in [RFC8554]" or even refer back to the description language at the end of Section 2 and avoid any confusion. Section 5 has a "MUST" for using the same hash for the CMS digestAlgorithm and the HSS/LMS tree, but Section 6 only has a "SHOULD" for the message-digest attribute's digest and the signed attributes digest (the latter of which MUST be the HSS/LMS hash per the previous); should these two requirements be at the same level of normativity? I'm not sure why the one would be more important for correct operation than the other. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 1 based digital signature, and it is described in [HASHSIG]. The HSS/LMS signature algorithm can only be used for a fixed number of signing operations. [...] nit: with a given key use. A post-quantum cryptosystem [PQC] is a system that is secure against quantum computers that have more than a trivial number of quantum bits (qu-bits). It is open to conjecture when it will be nit(?): I'm much more used to seeing "q-bits" or "qbits" than "qu-bits". Section 2.2 It's a bit unfortunate that we have to mix 0- (signed public keys) and 1-based (tree nodes) indexing, but it seems that this is inherent in RFC 8554 and not really avoidable in this document. Section 3 The signature value identifies the hash function used in the HSS/LMS tree. In [HASHSIG] only the SHA-256 hash function [SHS] is supported, but it also establishes an IANA registry [IANA-LMS] to permit the registration of additional hash functions in the future. (This pattern occurs in several places, but I pick an arbitrary one to comment on) I am not sure that the "In [HASHSIG] only <foo> is supported, but it also establishes an IANA registry" is going to present the best interface to readers; the language in Section 2 about "the algorithm specified in [HASHSIG] currently only uses <foo>, but it also establishes an IANA registry to permit the registration of additional [...]" seems to give more emphasis on the registry as opposed to the snapshot in [HASHSIG]. On the other hand, someone is probably going to complain that "currently" will not age well... Section 4 It feels a little surprising to make explicit requirements on the keyUsage contents but not say anything about extendedKeyUsage. Having a static whitelist of EKU OIDs is not reasonable, of course, and the PUBLIC-KEY class from RFC 5912 only covers regular keyUsage, but some advice about "encipherment methods are not going to make sense" might still be appropriate. The public key value is an OCTET STRING. Like the signature format, it is designed for easy parsing. The value is the number of levels in the public key, L, followed by the LMS public key. The HSS/LMS public key value can be summarized as: u32str(L) || lms_public_key "Can be summarized as" does not say to me "here is a rigorous protocol specification" (though it does seem to actually be one, given the notation used in this document and 8554). So unlike the signature OCTET STRING contents, this one is not DISCUSS-worthy, since it's in the same section as the thing being described. Section 5 When signed attributes are absent, the HSS/LMS signature is computed over the content. When signed attributes are present, a hash is computed over the content using the same hash function that is used in the HSS/LMS tree, and then a message-digest attribute is constructed to contain the resulting hash value, and then the result of DER encoding the set of signed attributes (which MUST include a content-type attribute and a message-digest attribute, and then the HSS/LMS signature is computed over the DER-encoded output. In nit(?): is this "the message-digest attribute" constructed in the previous step (as opposed to any old message-digest attribute)? Section 6 tracking data can cause a one-time key to be used more than once. As a result, when a private key and the tracking data are stored on non- volatile media or stored in a virtual machine environment, care must be taken to preserve confidentiality and integrity. It might be worth explicitly noting "in the face of failed writes, virtual machine snapshotting or cloning, and other operational concerns". Appendix: ASN.1 Module MTS-HashSig-2013 Once written, the module name can never change? :)
- [lamps] Benjamin Kaduk's Discuss on draft-ietf-la… Benjamin Kaduk via Datatracker
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Russ Housley
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Russ Housley