W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2022

Re: Signature Crypto Algorithm Details

From: Justin Richer <jricher@mit.edu>
Date: Wed, 26 Jan 2022 12:18:41 -0500
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <27F22E6F-2083-461C-9D6A-69BB05A09377@mit.edu>
All, I’ve added a PR to clarify the ECDSA signature encoding process as well as add EdDSA support, as described below and discussed on this thread. Please take a look:

https://github.com/httpwg/http-extensions/pull/1899 <https://github.com/httpwg/http-extensions/pull/1899>

Another small change here is added text on nondeterministic signature algorithms, and what that means for verifying the examples and in practice.

 — Justin


> On Jan 14, 2022, at 11:39 AM, Justin Richer <jricher@mit.edu> wrote:
> 
> Hi all,
> 
> In the Signatures draft, we’ve got a bunch of strictly-defined algorithms for people to be able to use out of the box. Crypto primitives are often parameterized, giving a lot of flexibility and choice. The idea here though is that if you’re pulling something out of the named algorithm registry, you wouldn’t have choices to make about how to apply it. (You can, as always, go off and do your own algorithm within your own ecosystem without using the registry values.)
> 
> In any event, two elliptic curve algorithms have caught my attention the last couple weeks and I am looking to drum up feedback. First, Edwards curve algorithms, specifically ed25519. It’s been requested by a number of people out there that we add this, so I’ve been working out what parameters we’d need within the spec text to make it interoperable. From early implementations and feedback, we’ve settled on a PureEdDSA algorithm with no pre-hash of the message input, since that seems to be the most common and accepted version of this. We’re preparing text to add this to the draft, and I’m looking to confirm that choice if anyone has any strong feelings on the matter.
> 
> Second, the ECDSA algorithm that we define over curve P256 has its own snag that we didn’t realize: the signature in the mathematical model is two separate numbers, r and s. We need to encode a single value, and all the libraries that I used take the approach that you just concatenate the two into a single 64-byte array and call that the signature. However some implementors have gotten back to me that their libraries use an alternative method of encoding, using ASN.1 to wrap the two integers into an ASN.1 structure. A quick survey shows that this is supported on many libraries, but it does have the drawback of pulling in explicit ASN.1 into the signature definition where it isn’t needed elsewhere. I’m currently leaning towards more carefully defining the concatenation approach, similar to what JOSE uses in this case, but I am seeking feedback on this choice.
> 
> I know that this is a question more for the security/crypto crowd, and we’ll be reaching out there as well for sure, but I wanted to get a feel for any preference within this community that would be implementing and dealing with this spec on the other side. What do your libraries support for ECDSA and EdDSA inputs and outputs? Do you have a strong feeling on either of these choices?
> 
> Thanks,
> — Justin


Received on Wednesday, 26 January 2022 17:18:57 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 26 January 2022 17:18:58 UTC