Re: [webauthn] Clarify names for crypto algs, e.g. RS256

@rlin1 wrote:
> JSON Web Key defines RS256 which is equivalent to the Web Crypto
> defined "RSASSA-PKCS1-v1_5" (see http://www.w3c.org/TR/WebCryptoAPI/)
>
> In Section 3.8.3 in web authentication spec, we reference the
> WebCrypto terminology, but in example two (and other places) we use
> RS256 - the JWK term.

AFAICT, section 3.8.3 is now S 5.3.3 
{#generating-an-attestation-statement}

Upon inspection, this issue appears to be composed of several 
sub-issues:

1. actually, wrt S 5.3.3 {#generating-an-attestation-statement} and 
the notation therein of "RSA PKCS1" and "RSASSA-PSS": the former is 
incorrect/imprecise in terms of both WebCrypto [1] and RFC3447 [2]. 
The latter, "RSASSA-PSS", is used only in RFC3447.

Also, the phrase they are used within -- "Raw encoded RSA PKCS1 or 
RSASSA-PSS public key" -- is incorrect in that the former is an 
identifier for the RSA PKCS #1 spec series itself, the latter is the 
identifier for the RSASSA-PSS signature scheme, and neither are 
identifiers for ostensible subtypes of RSA keys. 

In fact, as I understand it, relative to the various RSA encryption 
and signature schemes, there are no variances of RSA key pairs, 
themselves, relative to their use in encryption or signature schemes. 
I.e., a given RSA key pair can be used with any of the various RSA 
encryption and signature schemes. 

[Note: the so-called "multi-prime" RSA key subtype, where the modulus 
may have more than two prime factors ([2] Section 3), does not affect 
which RSA encryption or signature schemes an RSA key pair may be used 
with, other than said schemes needing to be spec'd per RSA PKCS #1 
v2.1 or greater if the modulus is multi-prime.]

The RSA signature scheme identifiers as used in RFC3447 and WebCrypto 
actually are..
<pre>
   RFC3447              WebCrypto
   -------              ---------

   RSASSA-PKCS1-v1_5    RSASSA-PKCS1-v1_5

   RSASSA-PSS           RSA-PSS
</pre>
..and so there is a difference between the sig scheme identifiers used
by those two specs in the case of RSA SSA PSS (RSA sig scheme
w/appendix (SSA) probabilistic sig scheme (PSS)).


1.1. It appears that the only reason to reference RFC3447 & RFC4055 in
the table in {#generating-an-attestation-statement} is to express
requirements for the characteristics of, and format of, a credential
public key of type RSA, and to also express the two supported RSA
signature algs.


2. @rlin1 says "in example two (and other places) we use RS256 - the 
JWK term."

"example 2" is in S 10.1 Registration {#sample-registration}, and does
indeed use the JWA terms [4] for values of `cryptoParams.algorithm`,
which is incorrect given the present type of
`ScopedCredentialParameters.algorithm` is `AlgorithmIdentifier`.


3. wrt the question of whether to use either WebCrypto 
`AlgorithmIdentifier`, or RFC7518 JWA, literal algorithm values 
consistently in the WebAuthn spec, there are the following 
considerations: 

a. for `makeCredential()`: need to convey only a key type, e.g. RSA or
EC.

b. for authenticator (authnr) implementors and RP implementors, need 
to state the set of supported [6] key types, signature algs, and hash 
algs, and their mappings, termed here: "alg tuples" [5].  This is 
applicable to both credential key pairs and attestation key pairs. 

c. bytes-on-the-wire considerations for expressing alg tuples..
<pre>
WebCrypto                                              RFC7518   Note
---------                                              -------   ----

{"name":"RSASSA-PKCS1-v1_5","hash":"SHA-256"}          RS256     [7]

{"name":"RSA-PSS","hash":"SHA-256"}                    PS256     [8]

{"name":"ECDSA","namedCurve":"P-256","hash":"SHA-256"} ES256     [9]
</pre>

From a bytes-on-the-wire perspective, using RFC7518 seems to win.

Note: we could ostensibly (mis-)use WebCrypto notation and state only
the "name" member of the AlgorithmIdentifier and explicitly state in
the spec the other alg tuple values that go along with each "name".

###
References and Footnotes:

[1] https://www.w3.org/TR/WebCryptoAPI/

[2] https://tools.ietf.org/html/rfc3447

[3] https://tools.ietf.org/html/draft-moriarty-pkcs1

[4] Note: RFC7518 is "JSON Web Algorithms (JWA)" -- JWK refers to
RFC7517 "JSON Web Key (JWK)", a key conveyance format -- the former,
JWA, is the correct term and reference for the WebAuthn spec to use in
that we do not employ JWK (if this PR is merged).

[5] Note: I'll term this "algorithm tuple". I.e., `{ key type, 
signature alg, hash alg }`.

[6] Note: "supported" here **implies** (a) an authnr vendor may
implement any one of the algorithm tuples in a particular authnr, and
(b) RPs may honor any or all of the "alg tuples", modulo any notion of
"Mandatory To Implement" (MTI) statement we add to the spec.

[7] generically: RSASSA-PKCS1-v1_5 using SHA-256

[8] generically: RSASSA-PSS using SHA-256 and MGF1 with SHA-256

[9] generically: Elliptic Curve using curve p-256 with SHA-256


-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/123#issuecomment-256416058 
using your GitHub account

Received on Wednesday, 26 October 2016 17:14:13 UTC