Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Daniel Van Geest <Daniel.VanGeest@isara.com> Sun, 10 March 2019 06:53 UTC
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29B92126DFA for <spasm@ietfa.amsl.com>; Sat, 9 Mar 2019 22:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vgEjIrVx0fp7 for <spasm@ietfa.amsl.com>; Sat, 9 Mar 2019 22:53:08 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5892A126C15 for <spasm@ietf.org>; Sat, 9 Mar 2019 22:53:07 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip1.isaracorp.com with ESMTP; 10 Mar 2019 06:53:06 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Sun, 10 Mar 2019 01:53:06 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Sun, 10 Mar 2019 01:53:06 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Russ Housley <housley@vigilsec.com>
CC: Jim Schaad <ietf@augustcellars.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Thread-Index: AQHUzgL4B8nMv8e3gk6J29Pq8ccSVaXyvj+AgABwIYCAAQyKgIAJDLAAgABoHID//7RwAIAAaHAAgAabL4CAAFEPAP//xvcA
Date: Sun, 10 Mar 2019 06:53:05 +0000
Message-ID: <9B262F1B-4904-4586-ADCF-3F7DDC1B96EC@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com> <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com> <017d01d4d38a$675cf580$3616e080$@augustcellars.com> <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com> <43304DDE-3E5E-406A-ADC3-41185656AEF5@vigilsec.com>
In-Reply-To: <43304DDE-3E5E-406A-ADC3-41185656AEF5@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_9B262F1B49044586ADCF3F7DDC1B96ECisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rPKd0Nh6sChlwbyJmTeFRtl2bb4>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 06:53:11 -0000
Russ,
I understand what they are referring to, but when the paragraph begins “The (signature, public key) value is an OCTET STRING” and then goes on to describe it as (designed for easy parsing, including a counter and type codes, the number of levels followed by the key), all of which describe the HSS algorithm signature’s contents, one might also read the first sentence as referring to the HSS algorithm’s signature.
It’s just a nit, and if you don’t agree that one could end up reading those paragraphs that way, then they’re fine as is.
Thanks,
Daniel
On 2019-03-10, 1:17 AM, "Russ Housley" <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
Daniel:
Thanks for the clarification for me below, Jim.
Given that information, I wonder if it’s possible to misinterpret some parts of cms-hash-sig.
In section 3:
The signature value is a large OCTET STRING. The signature format is
designed for easy parsing. Each format includes a counter and type
codes that indirectly providing all of the information that is needed
to parse the value during signature validation.
I think this paragraph is talking about the signature value as returned by the HSS algorithm. In this case it’s not an OCTET STRING (i.e. the ASN.1 structure), but just an octet string. Referring to it as an OCTET STRING could result in confusion as to whether it’s double wrapped in ASN.1.
In RFC 5280 and X.509, the signature on a certificate is defined as:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
This is the BIT STRING that Jim is talking about in his message.
In RFC 5652, the signature appears in SignerInfo:
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
SignatureValue ::= OCTET STRING
This is the OCTET STRING that is being referenced in the quoted text.
Similarly in section 4:
The public key value is an OCTET STRING. Like the signature format,
it is designed for easy parsing. The value is the number of levels
in the public key, L, followed by the LMS public key.
While HSS-LMS-HashSig-PublicKey is actually an OCTET STRING, I think this paragraph is referring to the public key as processed by HSS and so should be an octet string.
That test is referring to this part of the ASN.1:
HSS-LMS-HashSig-PublicKey ::= OCTET STRING
Russ
On 2019-03-05, 2:34 PM, "Jim Schaad" <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:
From: Daniel Van Geest <Daniel.VanGeest@isara.com<mailto:Daniel.VanGeest@isara.com>>
Sent: Tuesday, March 5, 2019 10:20 AM
To: Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>; 'Russ Housley' <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Cc: 'SPASM' <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
On 2019-03-05, 12:50 PM, "Jim Schaad" <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Daniel Van Geest
Sent: Tuesday, March 5, 2019 8:38 AM
To: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>; Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>
Cc: SPASM <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
I’m working to align x509-hash-sigs draft and implementations with this one. There’s something in cms-hash-sigs that I’d like clarification on to understand the implications.
The ASN.1 module defines:
pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
IDENTIFIER id-alg-hss-lms-hashsig
KEY HSS-LMS-HashSig-PublicKey
PARAMS ARE absent
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
HSS-LMS-HashSig-PublicKey ::= OCTET STRING
Specifically, the public key is an OCTET STRING. The actual public key is “u32str(L) || lms_public_key”, so essentially an opaque octet string.
What are the implications in x.509 of defining “HSS-LMS-HashSig-PublicKey ::= OCTET STRING”? Does this mean that in the Subject Public Key Info attribute, the HSS public key would be encoded as an OCTET STRING which is then wrapped in a BIT STRING encoding? (as opposed to a BIT STRING encoding of the raw “u32str(L) || lms_public_key” octet string).
The closest I could find to this situation is Ed25519/Ed448 since those public keys are also just raw octet strings (32 octets in 25519). But the ASN.1 module for RFC 8410 specifies “-- KEY no ASN.1 wrapping --” within PUBLIC-KEY:
pk-Ed25519 PUBLIC-KEY ::= {
IDENTIFIER id-Ed25519
-- KEY no ASN.1 wrapping --
PARAMS ARE absent
CERT-KEY-USAGE {digitalSignature, nonRepudiation,
keyCertSign, cRLSign}
PRIVATE-KEY CurvePrivateKey
}
I’m not an ASN.1 expert, so could someone explain the difference? Is the “no wrapping” there because the public key is raw octets? And then whoever encodes the public only applies their own encoding (if any) of the octets. Does it have to do with the fact that the public key can be easily derived from the private key? Is my assumption correct that a SPKI encoding of an HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding of the raw octets?
[JLS] As I read this what you have deduced is correct. For Ed25519 the public key is directly wrapped in the BIT STRING with no additional encoding. For the hash sig public key the public key is wrapped in an OCTET STRING which is then wrapped in the BIT STRING.
As a general rule, I prefer having the extra layer of ASN.1 encoding because a lot of decoders assume that there is going to be that layer when processing certificates. However, I did not write the initial versions of the Edwards draft and thus I just used the encoding that was there rather than writing it as I would prefer.
[DVG] Do you prefer this general rule for the signature as well? In X.509 would you prefer the raw signature octets wrapped in an OCTET STRING wrapped in a BIT STRING? How would this work in CMS where the signature field within the SignerInfo is already defined as an OCTET string? Wouldn’t the rule imply the raw HSS octet string wrapped in an OCTET STRING wrapped in an OCTET STRING? That’s not how I’m reading cms-hash-sigs, e.g. section 5:
signature contains the single HSS signature value resulting from
the signing operation as specified in [HASHSIG].
And `signature` already being defined as an OCTET STRING make this read to me as a single wrapping.
[JLS] Signatures have traditionally always been the raw bytes. The difference is that frequently public and private keys have had ASN.1 structure wrapped around them while signatures have not. For an example look at how RSA is done.
Jim
Thanks,
Daniel
Jim
Thanks,
Daniel
On 2019-02-27, 12:27 PM, "Spasm on behalf of Russ Housley" <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org> on behalf of housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
Jim:
You are correct. I missed this when I made the last update. I will make the change now in my edit buffer. I'll post it along with any other changes that result from IETF Last Call.
Russ
On Feb 26, 2019, at 8:25 PM, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:
I have a small change to request. I am happy if you deal with it at a later
date as long as it does not get lost.
In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty
or absent HASHES field. There are no hash functions which are to be applied
prior to given the input to the signing function. This would match what I
did for EdDSA.
Jim
-----Original Message-----
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
Sent: Tuesday, February 26, 2019 10:44 AM
To: SPASM <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
This removes the extraneous paragraph that was pointed out by Daniel.
I believe that all comments have been resolved, and the document is now
ready to go to the IESG.
Russ
On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX
and
SMIME WG of the IETF.
Title : Use of the HSS/LMS Hash-based Signature
Algorithm in the
Cryptographic Message Syntax (CMS)
Author : Russ Housley
Filename : draft-ietf-lamps-cms-hash-sig-06.txt
Pages : 14
Date : 2019-02-26
Abstract:
This document specifies the conventions for using the the HSS/LMS
hash-based signature algorithm with the Cryptographic Message Syntax
(CMS). In addition, the algorithm identifier and public key syntax
are provided. The HSS/LMS algorithm is one form of hash-based
digital signature; it is described in [HASHSIG].
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06
Please note that it may take a couple of minutes from the time of
submission until the htmlized version and diff are available at
tools.ietf.org<http://tools.ietf.org/>.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Tim Hollebeek
- [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig… internet-drafts
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash… Daniel Van Geest