- From: <bugzilla@jessica.w3.org>
- Date: Mon, 28 Mar 2016 18:15:01 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=29545

Bug ID: 29545
Summary: ECDSA 'alg' names for JWK: ES512 vs ES521
Product: Web Cryptography
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: ericroman@google.com
CC: public-webcrypto@w3.org
Target Milestone: ---

There is confusion (at least to me) on what the meaning of the ECDSA "alg" parameter is.

* The WebCrypto spec contains both strings "ES512" and "ES521" when searching its text. ES512 is mentioned in the (non-normative) section "Mapping between JSON Web Key / JSON Web Algorithm" as meaning P-521 with SHA-512. This definition is consistent with the JWA spec's definition. The use of ES512 is nowhere in the WebCrypto spec though, so for all intents and purposes this is a dangling reference. (issue #1).

Next up, when looking at the JWA's description of ES* algorithms:

* ES256 -- ECDSA using P-256 and SHA-256
* ES384 -- ECDSA using P-384 and SHA-384
* ES512 -- ECDSA using P-521 and SHA-512

This is in contrast to WebCrypto's definitions:

* ES256 -- ECDSA with P-256 (and any hash algorithm)
* ES384 -- ECDSA with P-384 (and any hash algorithm)
* ES521 -- ECDSA with P-521 (and any hash algorithm)

The problem here is ES256 and ES384 are spelled the same, but have different meanings. ES521 is unambiguous as it appears only in WebCrypto.

WebCrypto's understanding of the algorithm means it does not enforce the hash algorithm restriction implied by JWA. Which I guess is meh. But what I think is more inconsistent is that ES512 is not supported, even though it could be interpreted similarly to mean P-521 (with any hash algorithm), even.

This is causing a compatibility problem as Chromium's implementation recognizes ES512 (the one given by JWA) and not ES521 (the one invented by WebCrypto spec). Credit to Jim Schaad for observing Chromium doesn't accept ES521.
I can easily change Chromium to match the current WebCrypto spec, but the different meaning of these names doesn't seem right. Is this the desired intent, or should we be using different algorithm names for ES256 and ES384?

Also see the Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=598339
Received on Monday, 28 March 2016 18:15:04 UTC
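The two "alg" tables the report contrasts, written out side by side as an added example (this is not code from the bug report, the WebCrypto spec or Chromium). It runs a JWK import-style consistency check under each reading, so the interop failure (ES512 unknown on one side, ES521 unknown on the other) and the "same name, different meaning" problem for ES256/ES384 are both visible. The check function, the tolerant `normalizeEcdsaAlg` policy and the placeholder P-521 JWK are all assumptions made for illustration; neither spec defines them.

```javascript
"use strict";
// Added example (not from the bug report, the WebCrypto spec or Chromium):
// the two ECDSA "alg" tables described in the report, and a JWK check run
// under each of them.

// JWA (RFC 7518) reading: the alg name fixes both the curve and the hash.
const JWA_ECDSA_ALGS = {
  ES256: { namedCurve: "P-256", hash: "SHA-256" },
  ES384: { namedCurve: "P-384", hash: "SHA-384" },
  ES512: { namedCurve: "P-521", hash: "SHA-512" },
};

// WebCrypto draft reading as the report describes it: the alg name fixes
// only the curve; the hash is whatever the caller passes to sign/verify.
const WEBCRYPTO_ECDSA_ALGS = {
  ES256: { namedCurve: "P-256", hash: null },
  ES384: { namedCurve: "P-384", hash: null },
  ES521: { namedCurve: "P-521", hash: null },
};

// Hypothetical import-time check (assumption, not either spec's algorithm):
// the alg must be known, must agree with crv, and, where the table binds a
// hash, must agree with the hash the caller intends to use. requestedHash
// may be null when it is not known at import time.
function checkEcdsaJwk(jwk, table, requestedHash) {
  if (jwk.kty !== "EC") {
    return { ok: false, reason: "kty must be EC" };
  }
  const entry = table[jwk.alg];
  if (!entry) {
    return { ok: false, reason: "unrecognized alg " + jwk.alg };
  }
  if (jwk.crv !== entry.namedCurve) {
    return { ok: false, reason: "alg " + jwk.alg + " implies " + entry.namedCurve + " but crv is " + jwk.crv };
  }
  if (entry.hash !== null && requestedHash !== null && entry.hash !== requestedHash) {
    return { ok: false, reason: "alg " + jwk.alg + " requires " + entry.hash + ", got " + requestedHash };
  }
  return { ok: true, namedCurve: entry.namedCurve, hash: entry.hash !== null ? entry.hash : requestedHash };
}

// Hypothetical tolerant policy (in neither spec): treat the WebCrypto
// spelling ES521 as the JWA spelling ES512, so keys written by either side
// are accepted while the JWA hash binding is kept.
function normalizeEcdsaAlg(alg) {
  return alg === "ES521" ? "ES512" : alg;
}

// Constructed P-521 public JWK: x and y are placeholders, not valid curve
// points; only the metadata (kty, crv, alg) is exercised here.
function p521Jwk(alg) {
  return { kty: "EC", crv: "P-521", alg: alg, x: "placeholder-x", y: "placeholder-y" };
}

function demo() {
  const es256 = { kty: "EC", crv: "P-256", alg: "ES256", x: "placeholder-x", y: "placeholder-y" };
  return {
    // The interop failure from the report: each side's P-521 spelling is
    // unknown to the other.
    jwaSpelling_underJwa: checkEcdsaJwk(p521Jwk("ES512"), JWA_ECDSA_ALGS, "SHA-512"),
    jwaSpelling_underWebCrypto: checkEcdsaJwk(p521Jwk("ES512"), WEBCRYPTO_ECDSA_ALGS, "SHA-512"),
    webCryptoSpelling_underJwa: checkEcdsaJwk(p521Jwk("ES521"), JWA_ECDSA_ALGS, "SHA-512"),
    webCryptoSpelling_underWebCrypto: checkEcdsaJwk(p521Jwk("ES521"), WEBCRYPTO_ECDSA_ALGS, "SHA-512"),
    // Same alg string, different meaning: ES256 used with SHA-384.
    es256Sha384_underJwa: checkEcdsaJwk(es256, JWA_ECDSA_ALGS, "SHA-384"),
    es256Sha384_underWebCrypto: checkEcdsaJwk(es256, WEBCRYPTO_ECDSA_ALGS, "SHA-384"),
    // Tolerant policy applied before the JWA check.
    normalized_underJwa: checkEcdsaJwk(
      Object.assign(p521Jwk("ES521"), { alg: normalizeEcdsaAlg("ES521") }),
      JWA_ECDSA_ALGS, "SHA-512"),
  };
}

const results = demo();
for (const name of Object.keys(results)) {
  const r = results[name];
  console.log(name + ": " + (r.ok ? "accepted (hash " + r.hash + ")" : "rejected (" + r.reason + ")"));
}
```

Under the JWA table a P-521 key labelled ES521 is rejected outright, and under the WebCrypto table a key labelled ES512 is; that is the Chromium-versus-spec mismatch the report describes. The ES256 case shows the second point: the same alg string passes with SHA-384 under the WebCrypto reading and fails under the JWA reading, because only JWA binds the hash to the name.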