Re: [TLS] Drafts for batch signing and PKCS#1 v1.5

David Benjamin <davidben@chromium.org> Wed, 31 July 2019 17:17 UTC

References: <CAF8qwaDxRhGXc522Rf4C-8OcGM4Mm08Xca4KNNpHcT=4Va89aA@mail.gmail.com> <20190731073500.GA10363@LK-Perkele-VII>
In-Reply-To: <20190731073500.GA10363@LK-Perkele-VII>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 31 Jul 2019 13:17:03 -0400
Message-ID: <CAF8qwaBkyDpA9dONzLD0uzFYo1DViO=f7hDf6paEDh6951aJsQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ShhzJQH9ndsJ2MFZr-36l-lkmKM>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

On Wed, Jul 31, 2019 at 3:35 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Mon, Jul 29, 2019 at 08:15:44PM -0400, David Benjamin wrote:
> > Hi all,
> >
> > I’ve just uploaded a pair of drafts relating to signatures in TLS 1.3.
> > https://tools.ietf.org/html/draft-davidben-tls13-pkcs1-00
> > https://tools.ietf.org/html/draft-davidben-tls-batch-signing-00
> >
> > The second describes a batch signing mechanism for TLS using Merkle
> > trees. It allows TLS clients and servers to better handle signing load.
> > I think it could be beneficial for a number of DoS and remote key
> > scenarios.
>
> Why is the context string same for clients and servers? The base TLS
> 1.3 signatures use different context strings for client and server.
>

I don't think it's necessary here. The existing separation between client
and server in the base TLS 1.3 signatures is preserved here because the
input messages include their respective context strings. And if we do TLS
1.4 with its own context string, that'll get picked up too.


> What is the hash length of SHAKE256 in Ed448_batch? 512 bits (64
> octets) required to saturate the collision resistance?
>

Ah, right. Yeah, let's say 512 bits / 64 bytes. I'll incorporate that into
the next version of the draft.


> "to a random byte of string of" in section 3.1, should that be
> "to a random byte string of"?
>

Oops, thanks! Fixed in local copy.

David
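The two technical points in this exchange (the batch layer needs no extra client/server context string because each leaf is a full TLS 1.3 signature input that already carries its own, and SHAKE256 is used with a 64-octet output) can be seen in a small Merkle-tree batch signer. The code below is an added illustration, not the draft's own encoding: the leaf/node prefix bytes and the carry-up rule for unpaired nodes are simplifications chosen here, and an HMAC over the root stands in for the Ed448 root signature so the block runs with the Python standard library only. The transcript hashes and key are constructed sample values.

```python
"""Merkle-tree batch signing, illustrating the mechanism discussed above.

Added example, not code from the draft: the draft's exact tree encoding,
padding and domain-separation bytes are not reproduced here.  The root is
"signed" with an HMAC stand-in where an Ed448 signature would be used.
"""
import hashlib
import hmac

HASH_LEN = 64  # 512-bit SHAKE256 output, the length settled on in the thread


def H(data: bytes) -> bytes:
    """SHAKE256 with a 64-octet output (assumed for an Ed448_batch scheme)."""
    return hashlib.shake_256(data).digest(HASH_LEN)


def tls13_signature_input(context: str, transcript_hash: bytes) -> bytes:
    """CertificateVerify signature input from RFC 8446, section 4.4.3:
    64 spaces, the context string, a zero byte, the transcript hash.
    The client/server separation lives in the context string, which is why
    the batch layer itself does not need a second one."""
    return b" " * 64 + context.encode("ascii") + b"\x00" + transcript_hash


def leaf_hash(message: bytes) -> bytes:
    return H(b"\x00" + message)        # 0x00 prefix marks a leaf (assumed)


def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)   # 0x01 prefix marks an interior node


def build_levels(leaves):
    """Return every level of the tree, leaves first, root last.
    An unpaired node at the end of a level is carried up unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur) - 1, 2):
            nxt.append(node_hash(cur[i], cur[i + 1]))
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with
    whether the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):           # no sibling when carried up
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def root_from_proof(leaf, proof):
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h


def batch_sign(messages, key):
    """One root signature covers every message; each message gets its own
    inclusion proof.  Returns (root_signature, [proof per message])."""
    levels = build_levels(leaf_hash(m) for m in messages)
    root = levels[-1][0]
    root_sig = hmac.new(key, root, hashlib.sha512).digest()  # stand-in for Ed448
    return root_sig, [inclusion_proof(levels, i) for i in range(len(messages))]


def batch_verify(message, proof, root_sig, key):
    """Recompute the root from the message and its proof, then check the
    root signature.  A message moved to another leaf's slot fails here."""
    root = root_from_proof(leaf_hash(message), proof)
    expected = hmac.new(key, root, hashlib.sha512).digest()
    return hmac.compare_digest(expected, root_sig)


if __name__ == "__main__":
    key = b"\x07" * 57                       # constructed stand-in key
    th = bytes(range(48))                    # constructed transcript hash
    batch = [
        tls13_signature_input("TLS 1.3, server CertificateVerify", th),
        tls13_signature_input("TLS 1.3, client CertificateVerify", th),
        tls13_signature_input("TLS 1.3, server CertificateVerify", bytes(48)),
    ]
    sig, proofs = batch_sign(batch, key)
    print([batch_verify(m, p, sig, key) for m, p in zip(batch, proofs)])
    print(batch_verify(batch[1], proofs[0], sig, key))  # wrong slot: False
```

The verifier never sees the other messages in the batch, only its own leaf, the sibling hashes on the path, and the root signature; the same transcript hash signed under the server and client context strings yields two distinct leaves, so no batch-level context string is needed to keep them apart.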