On 04/12/2016 12:16 PM, Tero Kivinen wrote:
Yaron Sheffer writes:
Thanks for your response, I am fine with your comments but I have a
question: in Sec. 4.2, we have: "With the use of Digital Signature,
RSASSA-PKCS1-v1.5 MAY be implemented.  RSASSA-PSS MUST be implemented."
And then the table has SHOULD for RSA (as well as ECDSA). How come?

RSASSA-PSS MUST be implemented if Digital Signature authentication
method is implemented, but it can be implemented with multiple hash
algorithms. On the other hand in hash algorithms part we have just one
MUST and that is for SHA2-256.

The reason why RSASSA-PSS with SHA-256 is listed only as SHOULD, is
mostly caused by the fact that Digital Signature authentication method
is still only SHOULD and we do not have implementations for it, so we
do not have implementor comments for it yet.

So Digital Signature in general is SHOULD.

SHA2-256 as hash algorithm is MUST when implementing Digital Signature
authentication method.

RSASSA-PSS is MUST when implementing Digital Signature.

That would actually make RSASSA-PSS with SHA-256 an effective MUST, if
Digital Signature is in general supported, but we do not label it as
MUST as a compliant implementation can still decide not to implement
digital signatures at all.

Coming to think of it, if we want to ensure interoperability between
peers that use RSA certs and peers that use ECDSA certs, then at least
one (probably RSA) needs to be a MUST, even if people are using RFC7427.

Usually this is not a problem, i.e., in normal use the configuration
has just one private key (either RSA or ECDSA) and that is what is
used. If you have an ECDSA private key and the implementation does not
support ECDSA, you cannot use that implementation, you need to pick
another implementation. The other end of the configuration is also
configured to trust your private key (either by config, or through
CA), and if it cannot support your private key type you cannot really
configure it that way. I.e., the implementation requirements do not
come from this document, they came from the pre-existing
authentication infrastructure and private keys users have.

Anyways when we make Digital Signature authentication method a MUST,
we can also make RSASSA-PSS with SHA-256 a MUST.

The question there is should we already mark this fact by making it
now SHOULD+, as we do expect it to be next mandatory to implement
algorithm if Digital Signature authentication method really gets
deployed?


IMHO, yes.

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec