Hi Tero,
some additional feedback:
Introduction:
In paragraph 4 you point out the two achievements of the draft:
- A generalized authentication method for authentication with digital signatures
- A negotiation method for the hash function used as message digest within the
signature
The motivation should be structured to reflect this distinction. In particular,
the first and third paragraphs motivate the authentication method, while the
second one motivates the hash negotiation method. As ECDSA groups, RSASSA-PSS
and DSA with a hash other than SHA-1 all point to deficiencies of the old
authentication method, I would use a list.
How about the following?
The current signature-based authentication methods in IKEv2 are per
algorithm, i.e. there is one for RSA Digital Signatures, one for DSS
Digital Signatures (using SHA-1) and three for different ECDSA curves,
each tied to exactly one hash algorithm. This design becomes
cumbersome when more signature algorithms, hash algorithms and elliptic
curves are to be supported:
* The RSA Digital Signatures format in IKEv2 is specified to use
RSASSA-PKCS1-v1_5 padding, but [RFC 4055] and [PKCS1] recommend the
use of the newer RSASSA-PSS. This new padding method is specified by
additional parameters, and for each parameter set to be supported new
authentication methods would be required.
* With ECDSA and DSS there is no way to extract the hash algorithm from
the signature; thus, for each new hash function to be supported with
ECDSA or DSA new authentication methods would be needed. Support for
new hash functions is particularly needed for DSS because the current
restriction to SHA-1 limits its security, meaning there is no point
in using long keys with it.
* The tying of ECDSA authentication methods to particular elliptic curve
groups requires the definition of additional methods for each new group.
By combining new ECDSA groups with various hash functions, the
number of required authentication methods may grow unmanageably.
Furthermore, the restriction of ECDSA authentication to a specific
group is inconsistent with the approach taken with DSS.
With the selection of SHA-3 [Ref_TBD], it is seen that it might be
possible that in the future the signature methods are used with SHA-3
also, not only SHA-2. This means a new mechanism for negotiating the
hash algorithm for the signature algorithms is needed.
> The new digital signature method needs to be flexible enough to
> include all current signature methods (ECDSA, ECGDSA, RSASSA-PSS,
> ElGamal, etc),
The term "current signature methods" is not precise. Currently used with IKE?
Currently used in practice at all?
Currently specified in standards (which ones)?
Actually:
- the new authentication method is agnostic to the signature algorithm (like
X.509 or CMS are) as long as an ASN.1 algorithm identifier exists. (This holds
true only if the parameters of the algorithm can be included.)
- the hash negotiation method supports only those hash algorithms for which
code points have been defined.
Furthermore, I suggest not listing the specific signature methods supported,
as some of them (ECDSA) are common while others are not. This may provoke
discussion, in particular as RSA with PKCS#1 v1.5, by far the most common
one, is not listed.
Best regards,
Johannes
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
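The point in the message above about an ASN.1 algorithm identifier, illustrated with an added example that is not part of the message or of the draft under discussion: the code below hand-encodes DER AlgorithmIdentifier values for ecdsa-with-SHA256 (hash fixed by the OID itself) and for RSASSA-PSS (hash carried in the RFC 4055 parameters, SHA-1 being the default when they are absent), recovers the hash from the identifier rather than from the signature bytes, and frames identifier plus signature the way the later-published RFC 7427 does (one length octet, the DER identifier, the signature value). The OID-to-name tables, the `peer_hashes` set standing in for a received hash-algorithm list, and the all-zero placeholder signature are assumptions made for the example; nothing here is the draft's own text or code.

```python
# Added example (not from the draft or the list discussion).  Hand-rolled DER,
# no external dependencies.  Framing of the Authentication Data follows
# RFC 7427 (1 length octet, DER AlgorithmIdentifier, signature value).

OID_ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"     # hash fixed by the OID
OID_SHA256_WITH_RSA   = "1.2.840.113549.1.1.11"   # RSASSA-PKCS1-v1_5, hash fixed by OID
OID_DSA_WITH_SHA1     = "1.2.840.10040.4.3"       # the only DSS variant old IKEv2 allows
OID_DSA_WITH_SHA256   = "2.16.840.1.101.3.4.3.2"  # needs no new auth method with an AlgorithmIdentifier
OID_RSASSA_PSS        = "1.2.840.113549.1.1.10"   # hash lives in the parameters
OID_MGF1              = "1.2.840.113549.1.1.8"
OID_SHA1              = "1.3.14.3.2.26"
OID_SHA256            = "2.16.840.1.101.3.4.2.1"

HASH_NAME = {OID_SHA1: "sha1", OID_SHA256: "sha256"}          # assumed name table
HASH_FIXED_BY_OID = {OID_ECDSA_WITH_SHA256: "sha256", OID_SHA256_WITH_RSA: "sha256",
                     OID_DSA_WITH_SHA1: "sha1", OID_DSA_WITH_SHA256: "sha256"}
NULL = b"\x05\x00"

# ---- DER encoding -----------------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_int(v):                               # non-negative, minimal two's complement
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_ctx(n, body):                         # [n] EXPLICIT context-specific tag
    return der_tlv(0xA0 | n, body)

def algorithm_identifier(oid, params=b""):
    return der_seq(der_oid(oid), params)

def rsassa_pss_params(hash_oid, salt_len):
    """RSASSA-PSS-params (RFC 4055): [0] hashAlgorithm, [1] maskGenAlgorithm =
    MGF1 parameterised with the same hash, [2] saltLength; trailerField default."""
    hash_id = algorithm_identifier(hash_oid, NULL)
    return der_seq(der_ctx(0, hash_id),
                   der_ctx(1, algorithm_identifier(OID_MGF1, hash_id)),
                   der_ctx(2, der_int(salt_len)))

# ---- DER decoding -----------------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def hash_from_algorithm_identifier(algid):
    """The hash comes from the AlgorithmIdentifier, never from the signature
    bytes: the OID fixes it, or (RSASSA-PSS) the parameters carry it."""
    tag, seq, _ = der_read(algid)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = der_read(seq)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    if oid in HASH_FIXED_BY_OID:
        return HASH_FIXED_BY_OID[oid]
    if oid == OID_RSASSA_PSS:
        if pos >= len(seq):
            return "sha1"                                  # no params: all RFC 4055 defaults
        ptag, params, _ = der_read(seq, pos)
        if ptag != 0x30:
            raise ValueError("RSASSA-PSS parameters must be a SEQUENCE")
        if not params or params[0] != 0xA0:
            return "sha1"                                  # [0] hashAlgorithm absent: default
        _, hash_id, _ = der_read(params)
        _, hash_seq, _ = der_read(hash_id)
        _, hash_oid, _ = der_read(hash_seq)
        return HASH_NAME[decode_oid(hash_oid)]
    raise ValueError("no hash mapping for OID " + oid)

# ---- Authentication Data framing (RFC 7427) ---------------------------------
def build_auth_data(algid, signature):
    if len(algid) > 255:
        raise ValueError("AlgorithmIdentifier too long for one length octet")
    return bytes([len(algid)]) + algid + signature

def parse_auth_data(data, peer_hashes):
    """Split Authentication Data; reject a hash the peer never advertised
    (peer_hashes is an assumed stand-in for the negotiated hash list)."""
    n = data[0]
    algid, signature = data[1:1 + n], data[1 + n:]
    h = hash_from_algorithm_identifier(algid)
    if h not in peer_hashes:
        raise ValueError("hash %s was not negotiated" % h)
    return h, algid, signature

if __name__ == "__main__":
    sig = b"\x00" * 64                                     # constructed placeholder, not a real signature
    for algid in (algorithm_identifier(OID_ECDSA_WITH_SHA256),
                  algorithm_identifier(OID_RSASSA_PSS, rsassa_pss_params(OID_SHA256, 32))):
        print(algid.hex(), "->", parse_auth_data(build_auth_data(algid, sig), {"sha256"})[0])
```

Note that adding SHA-256 DSA or a differently parameterised PSS needs only a new OID-to-name entry on the receiving side, not a new authentication method code point, which is the distinction the message draws; the check in parse_auth_data is where the negotiated hash list would be enforced.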