Re: [Trans] Drop RSA PKCS#1 1.5 signatures; maybe replace with RSA PSS

Rob Stradling <rob.stradling@comodo.com> Wed, 24 May 2017 18:43 UTC

To: Eran Messeri <eranm@google.com>, Richard Barnes <rlb@ipv.sx>
Cc: "trans@ietf.org" <trans@ietf.org>, Brian Smith <brian@briansmith.org>
References: <CAFewVt5zNncMBTJ=HuQshvECznEYmXe5N8JGj-HWTvfCXpnB-w@mail.gmail.com> <CAL02cgSvSfvLWYwX3qrOzZT1BX8Cvzx_h7uogJMK-ahmjiZU6w@mail.gmail.com> <CALzYgEfG2Z2jXMEMUf=uij=Hr+yEgVYgOWLxh2Rg9jdCy1r1pw@mail.gmail.com>
From: Rob Stradling <rob.stradling@comodo.com>
Message-ID: <9547a2b2-f33f-eb86-b207-9ec1972ce34c@comodo.com>
Date: Wed, 24 May 2017 19:42:44 +0100
In-Reply-To: <CALzYgEfG2Z2jXMEMUf=uij=Hr+yEgVYgOWLxh2Rg9jdCy1r1pw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/HxXBjIrNBA7WMBG-8uRcvLPLnNI>
Subject: Re: [Trans] Drop RSA PKCS#1 1.5 signatures; maybe replace with RSA PSS

On 22/05/17 11:14, Eran Messeri wrote:
> +1 for switching to RSA PSS.
> I don't have any insight into why RSA was originally in 6962, so can't 
> argue strongly in favour of keeping it.

I think RSA PKCS#1 v1.5 was permitted by RFC6962 simply because the 
authors believed (and were proven correct) that some log operators might 
not be able to use ECDSA.

I'm in favour of dropping RSA PKCS#1 v1.5 from 6962-bis.  In 2017, it's 
not unreasonable to expect all log operators to be able to use ECDSA.

I'm _not_ in favour of adding RSA PSS, for the reasons Brian mentioned...
   "RSA signatures in general are difficult for some devices to process
    due to their large size. It would be frustrating to have used a pure
    ECC infrastructure with no RSA involved at all, only to need to
    implement RSA for the purpose of verifying signatures from logs."
...and because I'm pretty sure that, today, ECDSA is supported more 
widely (by deployed OSes and crypto toolkits) than RSA PSS.

> On Fri, May 12, 2017 at 8:18 PM, Richard Barnes <rlb@ipv.sx> wrote:
> 
>     +1
> 
> 
>     On Fri, May 12, 2017 at 2:51 PM, Brian Smith <brian@briansmith.org> wrote:
> 
>         Hi,
> 
>         PKCS#1 1.5 signatures are obsolete. New specifications should not
>         mandate support for them.
> 
>         RSA signatures in general are difficult for some devices to process
>         due to their large size. It would be frustrating to have used a pure
>         ECC infrastructure with no RSA involved at all, only to need to
>         implement RSA for the purpose of verifying signatures from logs. Thus
>         I think the group should consider dropping any mention of RSA
>         signatures from section 10.4 so that log clients do not have to
>         implement RSA.
> 
>         If it really is important to have RSA signatures, then RSA PSS should
>         be used instead. In particular, it would be good to require the same
>         restricted form specified for TLS, where the same digest algorithm
>         must be used for all parts of the signature. Note that RSA PSS can be
>         made deterministic by using a fixed salt, and most implementations of
>         RSA PSS seem to support fixed salts if the salt length is set to zero.
>         As mentioned in the RSA PSS specification, PSS signatures are more
>         secure than PKCS#1 1.5 signatures even with a zero-length salt.
> 
>         Cheers,
>         Brian
>         --
>         https://briansmith.org/
> 
>         _______________________________________________
>         Trans mailing list
>         Trans@ietf.org <mailto:Trans@ietf.org>
>         https://www.ietf.org/mailman/listinfo/trans
>         <https://www.ietf.org/mailman/listinfo/trans>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

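Brian's point that RSA PSS becomes deterministic with a fixed (here zero-length) salt, and that the TLS-restricted form uses one digest for every part of the signature, as an added example that is not part of this thread: a pure-Python EMSA-PSS encode and verify (RFC 8017 section 9.1) with SHA-256 for the message hash and for MGF1. The RSA modular exponentiation and any real key are omitted, and the message bytes are constructed.

```python
import hashlib, hmac, os

HASH = hashlib.sha256  # one digest for mHash, H and MGF1 alike (the TLS-style restricted form)
HLEN = HASH().digest_size

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1), instantiated with the same hash as the rest of the encoding."""
    blocks = (HASH(seed + c.to_bytes(4, "big")).digest() for c in range(-(-mask_len // HLEN)))
    return b"".join(blocks)[:mask_len]

def pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); the RSA private-key operation on the result is omitted."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this hash and salt")
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    top = 0xFF >> (8 * em_len - em_bits)          # clear the leftmost 8*emLen - emBits bits
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"

def pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) with a fixed, expected salt length."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:                    # high bits must already be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top]) + db[1:]
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1:]                          # exactly s_len octets, empty when s_len == 0
    return hmac.compare_digest(HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest(), h)

def demo() -> dict:
    """Constructed input: emBits = 2047 as for a 2048-bit modulus; the message stands in for an STH."""
    em_bits, msg = 2047, b"constructed tree head bytes"
    zero1, zero2 = pss_encode(msg, em_bits, b""), pss_encode(msg, em_bits, b"")
    rand1, rand2 = (pss_encode(msg, em_bits, os.urandom(HLEN)) for _ in range(2))
    return {
        "zero_salt_deterministic": zero1 == zero2,        # True: no randomness enters
        "random_salt_deterministic": rand1 == rand2,      # False: fresh salt per signature
        "zero_salt_verifies": pss_verify(msg, zero1, em_bits, 0),
        "random_salt_verifies": pss_verify(msg, rand1, em_bits, HLEN),
        "wrong_salt_len_rejected": pss_verify(msg, rand1, em_bits, 0),  # False
    }
```

A verifier that pins the salt length, as in the TLS form, rejects an encoding produced with a different one, which is what makes the zero-salt variant interoperable only when both sides agree on it.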