On Thu, Nov 17, 2016 at 6:31 PM, Yoav Nir <[email protected]> wrote:
> Hi, Watson
>
> On 18 Nov 2016, at 9:18, Watson Ladd <[email protected]> wrote:
>
>> Dear all,
>>
>> In reviewing the proceedings now online I noticed that someone is
>> proposing to support using the same key with multiple signature
>> algorithms. This is a bad idea that makes everyone sad. Showing that a
>> signature under one algorithm cannot be abused to obtain another
>> signature with a different algorithm is not something that is done.
>
> I don’t know where you got that, but I haven’t reviewed the proceedings. I
> believe you mean what I said about contexts in Ed448 (and possibly
> Ed25519ctx) from the CFRG draft.
>
> The question raised in IPsec (and TLS and in 30 minutes also in Curdle) was
> whether to specify a non-empty context string for Ed448 (like “IKEv2”), or
> whether to just use the empty string.
>
> The argument for adding the string is that people use the same keys for
> different purposes (not different algorithms) anyway, even if we tell them
> not to, and by adding a context string we’re preventing signing oracles
> between IKEv2 and other protocols.
>
> The argument against is that this encourages the bad practice of using the
> same key for different purposes. We could end up with people regularly
> re-using keys and then they do it with RSA. Or ECDSA. Or any algorithm that
> does not feature contexts.
>
> At no point did anyone propose support for the same key with multiple
> signature algorithms or even for multiple purposes.

I might be confused, but the slides in
https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-signature-forms-ambiguity-in-ikev2-00.pdf
seem to very clearly want something else. Apologies for my insufficient
context inclusion.

> HTH
>
> Yoav

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
