On Tue, Jul 30, 2024 at 08:52:09AM -0500, Orie Steele wrote:
> The intention is to register the same algorithms.
>
> Pre-hash algorithms should be treated the same way, but because COSE and
> JOSE have algorithm as optional, unless there is domain separation in the
> public keys, that would be application layer alignment.

One problem with supporting pre-hash algorithms is that the current key type specified in PQ signature drafts is incompatible with pre-hashing.

> Pre-hash seems like a good idea, especially if folks are moving from ES256
> with SHA-256.
>
> Any application interfaces that JOSE or COSE have built around pre-hashing
> are probably easier to preserve.

As a note, such interfaces already break with Ed25519/Ed448. However, non-prehashed ML-DSA can still be supported.

For large messages, I would rather have things like hash envelopes or hash once, sign twice.

Furthermore, in COSE one really wants to use the same hash as the one used in the signature. However, all but SLH-DSA (which can also use SHA-2) always use SHA-3.

> Imo, it would be good to have the domain separation in the keys as
> signatures and not rely on application layer signaling.

There already is domain separation in signatures, which prevents any attacks apart from weak pre-hashes.

-Ilari
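The domain separation mentioned in the last reply, as an added example that is not part of the original message: it builds the byte strings that the pure and pre-hash ML-DSA modes sign, following the message encoding in the final FIPS 204, and shows that the two modes cannot be confused while a weak pre-hash still collides. The function names, the 8-bit toy hash and its placeholder identifier are assumptions made for the illustration; no signing is performed.

```python
import hashlib
from itertools import count

# DER-encoded OID for SHA-256, as used by HashML-DSA in FIPS 204.
OID_SHA256 = bytes.fromhex("0609608648016503040201")
# Constructed placeholder identifier for the toy hash below; not a real OID.
OID_TOY = b"\x06\x01\x00"

def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()

def toy_hash(msg: bytes) -> bytes:
    """Deliberately weak 8-bit pre-hash, used only for the collision demo."""
    return sha256(msg)[:1]

def encode_pure(msg: bytes, ctx: bytes = b"") -> bytes:
    """Bytes signed in pure mode: 0x00 || len(ctx) || ctx || M."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + msg

def encode_prehash(msg: bytes, ctx: bytes = b"", oid=OID_SHA256, ph=sha256) -> bytes:
    """Bytes signed in pre-hash mode: 0x01 || len(ctx) || ctx || OID || PH(M)."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x01" + bytes([len(ctx)]) + ctx + oid + ph(msg)

def find_collision(ph):
    """Return two distinct constructed messages with the same pre-hash."""
    seen = {}
    for i in count():
        m = b"msg-%d" % i
        d = ph(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def demo() -> dict:
    doc = b"constructed sample payload"
    digest = sha256(doc)
    m1, m2 = find_collision(toy_hash)
    return {
        # No separation: pure-signing the digest signs the same bytes as
        # pre-hash-signing doc, so one signature is valid in both roles.
        "naive_confusable": digest == sha256(doc),
        # With the mode byte, a pure signature over OID || digest still
        # covers different bytes than a pre-hash signature over doc.
        "separated": encode_pure(OID_SHA256 + digest) != encode_prehash(doc),
        # A weak pre-hash remains a problem: colliding messages yield
        # identical signed bytes, so one signature covers both.
        "weak_prehash_collides": m1 != m2 and
            encode_prehash(m1, oid=OID_TOY, ph=toy_hash)
            == encode_prehash(m2, oid=OID_TOY, ph=toy_hash),
    }
```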
