[lamps] Comment on draft-ietf-lamps-cert-binding-for-multi-auth
Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Wed, 20 March 2024 17:11 UTC
Return-Path: <daniel.vangeest.ietf@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A114C14F6A0 for <spasm@ietfa.amsl.com>; Wed, 20 Mar 2024 10:11:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ThI-9joRGlX for <spasm@ietfa.amsl.com>; Wed, 20 Mar 2024 10:11:28 -0700 (PDT)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CAACC14F684 for <spasm@ietf.org>; Wed, 20 Mar 2024 10:11:28 -0700 (PDT)
Received: by mail-wm1-x32e.google.com with SMTP id 5b1f17b1804b1-41401ee5828so111585e9.0 for <spasm@ietf.org>; Wed, 20 Mar 2024 10:11:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710954685; x=1711559485; darn=ietf.org; h=content-language:thread-index:mime-version:message-id:date:subject :to:from:from:to:cc:subject:date:message-id:reply-to; bh=I/H+SNRLRbz9QFL2aFhzjtqAMUQbM3g0CWVsomg3PLg=; b=fJ/UNUi4t0CN1VSoQrdVKu9wcSaqMbPEi8ndA7NUbETEMfQlIfZ/2FVt9e0a5ygQw0 mctB3QSPHcYgZmv+azg20uCII93W4dQh72uFHnxGFJn6HT6B9ETX51M1h2Bae6RZBFKx 7inOunBqDlfRaMh8r5Nxdec2vX2K1zRBnSiZ/oZReofUA6xBfMlIlJGMFKNe9YRt5yGp ROCI+EHvtF1/weBMqX5OkjyOiAoQ7m6/TEkUh4UDcoMO2UDamhydfa0KEkctn0P24Sxs VGwhM3QOtavyZfY3yh2XgYFItaw1Ud5x0u50IdVUv7FlPJ/8eH3IL6B0ZC3IMJ7l7MIa H7fQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710954685; x=1711559485; h=content-language:thread-index:mime-version:message-id:date:subject :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=I/H+SNRLRbz9QFL2aFhzjtqAMUQbM3g0CWVsomg3PLg=; b=h7XeQZ61aTZI8gULRBCEiga4YLXG37809CvL2EPmuOHqjdfzJo1OYgyQYfXvYMilnP WOZXIzxwZC7b3wIJYAiXSi67gkJ7bYvx6HUO2Lo85RH9lJDiXXOs9qEGuJWrPwKCwDdW F1eTeK3KkcVRejpLaMcwALk3LjWIYj6yVxNA3z4aUPSs65nFBOVFGvCycFwpHwU5T2Tl 3E1x6hV77BefWjneyl0AoYQVQSBumpqgR3NJ/AN4LtpCWC9OxleWGccyXeP+Phjqgt8r wl186YEivyWd5mWWg6pxyyCL9PRY4K1AJXHxtgUHIHEcfJNZoeMTcBfMkTfUxQaJhVST /Bmw==
X-Gm-Message-State: AOJu0YxBSOXA4giSSIBrwQPsGWL+5uCt2gfcCKn06i0vhtSgHAqDB5Xf ERYs4ZexcFi4RNaXcf68/tZYey3U9alIUc7oVw1A8NBKvrqcdAXHJXepftuu
X-Google-Smtp-Source: AGHT+IHBGEOvcMPLc7yDhNvLp4M169WGFuW3FVk4nUn0SDiQwYJ7vfrOnD9LfAHr2ID8REWWDyG9qw==
X-Received: by 2002:a05:600c:4f8d:b0:414:653f:2677 with SMTP id n13-20020a05600c4f8d00b00414653f2677mr4167198wmq.3.1710954685375; Wed, 20 Mar 2024 10:11:25 -0700 (PDT)
Received: from DESKTOPUE07G7D ([2001:8a0:6a10:d300:2a0:a513:16c9:5800]) by smtp.gmail.com with ESMTPSA id fc16-20020a05600c525000b004131310a29fsm2792389wmb.15.2024.03.20.10.11.24 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Mar 2024 10:11:24 -0700 (PDT)
From: Daniel Van Geest <daniel.vangeest.ietf@gmail.com>
To: 'LAMPS' <spasm@ietf.org>
Date: Wed, 20 Mar 2024 17:11:24 -0000
Message-ID: <006801da7ae9$a3592cf0$ea0b86d0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0069_01DA7AE9.A3592CF0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: Adp65h2DI2IgF/C1Tx6LHhkVaJjOyQ==
Content-Language: en-ca
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rmDI49M1Wd85SU17PaLs1jyi3tA>
Subject: [lamps] Comment on draft-ietf-lamps-cert-binding-for-multi-auth
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 17:11:30 -0000
I was just going through draft-ietf-lamps-cert-binding-for-multi-auth again
and noticed something I thought was worth bringing up. I didn't find any
mention of this on the mailing list.
Section 4.1 says:
The
algorithm used to hash the certificate in the RelatedCertificate
extension MUST match the hash algorithm used to sign the certificate
that contains the extension.
I wonder if that is not explicit enough. Ed{25519,448}*, ML-DSA** and
SLH-DSA** don't have pre-hashing, so no hash algorithm is communicated in
the certificate as part of the signature algorithm identifier. Is a
developer expected to dig into the Ed25519 spec to know that SHA-512 should
be used? SLH-DSA, okay the hash algorithm is in the name of the parameter
set. ML-DSA uses both SHAKE128 and SHAKE256 internally, but SHAKE256 is
used to generate the message representative. What happens if a new
signature algorithm comes along that does something more esoteric and harder
to determine "the hash algorithm" of the signature? It's not a signature
algorithm, but any particular variant of ML-KEM uses all of SHAKE128,
SHAKE256, SHA3-256 and SHA3-512 internally.
Not communicating the hash algorithm in the extension seems like it's
setting us up for development errors and other future problems.
Also (not a personal concern, but now this thought is haunting me everywhere
thanks to feedback on the cms-kyber draft): "what if SHA3/SHAKE isn't
available at the X.509 level, only at the crypto level?"
Are these reasonable concerns?
* Ed{25519,448}ph is not specified for use in LAMPS.
**unless updated by NIST, and even then we may not want to use prehashing
for certificate signatures.
Apologies for noticing this so late in the game,
Daniel Van Geest
- [lamps] Comment on draft-ietf-lamps-cert-binding-… Daniel Van Geest
- Re: [lamps] Comment on draft-ietf-lamps-cert-bind… Russ Housley