RE: Parameters and Algorithms. from Phillip M Hallam-Baker on 1999-10-15 (w3c-ietf-xmldsig@w3.org from October to December 1999)

From: Phillip M Hallam-Baker <pbaker@verisign.com>
Date: Fri, 15 Oct 1999 11:02:05 -0400
To: "Rich Ankney" <rankney@erols.com>, "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>, "'Eric Rescorla'" <ekr@rtfm.com>
Cc: "W3c-Ietf-Xmldsig (E-mail)" <w3c-ietf-xmldsig@w3.org>
Message-ID: <002401bf171e$3e9875e0$6e07a8c0@pbaker-pc.verisign.com>

> The FIPS cites ANSI X9.31, which is a subset of the ISO 9796-2
> version of RSA.  Padding and hash algorithm ID are in the signature
> block, but it's different from PKCS #1.  I believe there will be an
> 18 month grace period to convert from PKCS #1 to X9.31. 

I really would not advise 'conversion' to X9.31. It may be prudent
for applications to be capable of accepting and verifying the X9.31
format but generating it is a bad idea. There is just too much legacy
code out there. Regadless of what means is used to sign the document
it is highly unlikely that there will be an X9.31 certificate chain.

As Rich points out the Bellare & Rogaway scheme has definite advantages
from a security standpoint. The expectation must be that the bulk 
of the crypto market will be using either legacy PKCS#1 v1.1 or
upgrade to 2.0. As I heard it the principle motivation for the X9.31
format was to achieive consistency across RSA and Eliptic Curves.

Given that X9.31 is to be reopened and given that the reality is that
there is practically zero X9.31 installed base and considerable PKCS1
installed base my expectation would be that either X9.31 will not
come to a recomendation or the recomendation and PKCS#1 will 
converge.


Personally I have considerably more confidence in Burt, Ron, Adi,
Butler, Shafi et. al. to get this right than X9.31. PKCS may be
a proprietary standard but every draft of PKCS#1 has been published
for open review at every stage in the proceedings. I know that 
Bellare-Rogaway and PKCS#1 2.0 recieved extensive review by 
academic cryptographers. While I was at MIT I had preliminary 
drafts of PKCS#1 2.0 poked under my nose on several occasions.
Nobody ever came round with any X9.31 document.

Given the credentials of the various parites and the enormous 
inertia of the installed base I strongly suspect that this is 
going to prove to be a 'rolling' 18 month grace period. I'll
bet that the grace period is still 18 months in 18 months time.


		Phill

Received on Friday, 15 October 1999 11:00:50 UTC