Re: Excessive Optionality in Cryptography Anti-Pattern (was: Re: JSONWebSignature2020 vs JcsEd25519Signature2022)

On Fri, Mar 10, 2023 at 11:42 AM Orie Steele <orie@transmute.industries> wrote:
>> Your article clearly calls out one of these highly problematic myths
>> -- that "algorithmic agility is a good thing", and cites multiple
>> practicing cryptography and security experts (at IETF and elsewhere)
>> that have been speaking out against the "algorithmic agility" myth for
>> the better part of the last decade.
>
> Citation needed.

The citations are throughout Christopher's article (and all of them
are listed at the bottom).

> Here is a counterpoint from IETF regarding HPKE, which is one of the most popular new crypto-related work items, and has taken the opposite approach:

Let's dissect your example...

> "In recent work here, COSE HPKE <https://datatracker.ietf.org/doc/draft-ietf-cose-hpke/> is however going for the full agility that you criticize. https://mailarchive.ietf.org/arch/msg/cose/4HkrEz2io72eGHss5tFI-wyiQ-E/"

Really? That does not seem like the case at all (in reading the spec
and the registries in their totality).

HPKE picks: 2 KEMs, 1 KDF, and 2 AEAD methods:

https://www.iana.org/assignments/hpke/hpke.xhtml

So, in reality, quite far (and constrained) from where the JOSE stack
is today wrt. algorithmic agility. Granted, HPKE still has a bit too
much parameter variation in the registry, IMHO, but it's certainly not
the mess that is the JWA registry:

https://www.iana.org/assignments/jose/jose.xhtml#table-web-signature-encryption-algorithms

There was a SIGNIFICANT down selection of algorithms and parameters in
HPKE. Now, the counter-argument might be: "Oh, but just wait, the HPKE
registry will fill up with all sorts of questionable algorithms in
time." ... but I expect that Richard and Chris will fight hard against
that happening.

The existence of HPKE is exactly the point... they DID NOT just re-use
existing IANA registries, but created their own (because the entries
are different) and then made a conscious decision to not pull every
KEM, KDF, and AEAD into the registry.

> I think folks using the word "agility" in so many different ways is making the argument "against cryptographic agility" nearly meaningless at this point.

Just because people are asserting that the waters are being muddied
does not mean that there isn't a problem. Yes, some people are
misusing the terminology, and the terminology is also a bit vague and
overly broad. However, that a term is vague or being misused does not
invalidate the argument that there is a problem.

As far as I can tell, the term (as used in Christopher's article) is
being used in a way that is mostly aligned with the definition in the
Wikipedia entry:

https://en.wikipedia.org/wiki/Cryptographic_agility

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Friday, 10 March 2023 17:21:09 UTC