Re: [stir] Choice of STIR signature algorithm
"DOLLY, MARTIN C" <md3135@att.com> Tue, 17 May 2016 03:51 UTC
Eric

Why is less more?

If we are not forward thinking (directionally), it will make it harder to take the next step.

Thanks

Martin C Dolly
Lead Member of Technical Staff
Core & Government/Regulatory Standards
AT&T
Cell: 609-903-3360
Email: md3135@att.com

On May 16, 2016, at 11:31 PM, Eric Rescorla <ekr@rtfm.com> wrote:

On Mon, May 16, 2016 at 5:01 PM, Russ Housley <housley@vigilsec.com> wrote:

Eric:

I was thinking P-256, but I could be talked into:

MUST support P-256
SHOULD support P-384

I would tend to just think MUST P-256. Less is more.

-Ekr

Russ

On May 15, 2016, at 11:36 AM, Eric Rescorla <ekr@rtfm.com> wrote:

This seems largely reasonable. I would consider removing the SHOULD for RSA for
PASSporT signatures, for two reasons:

1. There's no legacy to deal with.
2. Because these objects are just sent out with no negotiation, it's not that useful
to know that relying parties might or might not support your algorithm. The safe
thing to do would be ECDSA.

I would also note that the above doesn't specify a curve, but I assume we're talking
P-256.

-Ekr

On Mon, May 9, 2016 at 1:37 PM, Russ Housley <housley@vigilsec.com> wrote:

I would rather be a bit more granular.

MUST support ECDSA for PASSporT signatures
SHOULD support RSA PKCS#1 v1.5 for PASSporT signatures

and

MUST support ECDSA for certificate signatures
MUST support RSA PKCS#1 v1.5 for certificate signatures

Then, we should say something to product planners that at some point in the future, we expect support for RSA to be downgraded.

Russ