Sure. s/key size/size/g in my description below. Sometimes the sizes are for things like hash function output size, rather than key size.
From: Manger, James H [mailto:[email protected]] Sent: Wednesday, August 29, 2012 6:13 PM To: Mike Jones Cc: [email protected] Subject: RE: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters There is no 384-bit key involved in RS384 (RSASSA-PKCS1-V1_5 with SHA-384). It involves, say, a 2048-bit RSA key. When you say “key size” do you actually mean “important size”, instead of “size of a crypto key”? Perhaps the hash size and hash algorithm are “more important” in an RSA signature than in an RSA encryption padding scheme, though that is a fairly subtle hair to be splitting when naming JOSE algorithms. We would need to stop talking about “hash algorithms” and start talking about, say, “collision-resistant hash algorithms” and “pseudorandom functions” if we want to split that hair. -- James Manger From: [email protected]<mailto:[email protected]> [mailto:[email protected]]<mailto:[mailto:[email protected]]> On Behalf Of Mike Jones Sent: Thursday, 30 August 2012 10:32 AM To: Manger, James H; Breno de Medeiros Cc: [email protected]<mailto:[email protected]> Subject: Re: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters They’re in the first category, in which a key size is required to fully specify the algorithm. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Manger, James H Sent: Wednesday, August 29, 2012 5:11 PM To: Mike Jones; Breno de Medeiros Cc: [email protected]<mailto:[email protected]> Subject: Re: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters So what about RS256, RS384, and RS512? -- James Manger From: Mike Jones [mailto:[email protected]]<mailto:[mailto:[email protected]]> Sent: Thursday, 30 August 2012 10:07 AM To: Breno de Medeiros; Manger, James H Cc: [email protected]<mailto:[email protected]> Subject: RE: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters Where a key size is required to fully specify the algorithm, it’s included in the name. Examples: HS256, A128GCM. Where the size isn’t required to fully specify the algorithm, it isn’t. Examples: RSA1_5, RSA-OAEP, ECSH-ES. No inconsistency. -- Mike From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Breno de Medeiros Sent: Wednesday, August 29, 2012 5:01 PM To: Manger, James H Cc: [email protected]<mailto:[email protected]> Subject: Re: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters Concur with the analysis that 'RSA-OAEP' terminology appears inconsistent with other acronym usage. On Wed, Aug 29, 2012 at 4:58 PM, Manger, James H <[email protected]<mailto:[email protected]>> wrote: > Should SHA1 (and mgf1SHA1) be the default parameters for these > algorithms? We don’t have "algorithm parameters" in JOSE – that is the subject of a separate POLL ("Support multiple types for algorithms"). JOSE currently has algorithm labels with no parameters. Consequently this question is really asking one of the following: Q1. Should RSA OAEP with SHA-1 be defined for use with JOSE? Perhaps additionally, should it be mandatory to implement? The core of this question is whether SHA-1 is cryptographically-compromised enough that we shouldn't use it in new crypto specs, or is its widespread-availability more important than any crypto weakness? Q2. Should the label "RSA-OAEP" be used for RSA OAEP with SHA-1? My answer to Q2 is NO. The "RSA-OAEP" label is inconsistent with other JOSE alg names. JWA specifies "HS512", "RS512", "ES512", and "CS512" where the Sxxx suffix indicates a hash algorithm. RSA OAEP with SHA-1 could use "ROS1" or "ROS160". -- James Manger > -----Original Message----- > From: [email protected]<mailto:[email protected]> > [mailto:[email protected]<mailto:[email protected]>] On Behalf Of > Karen O'Donoghue > Sent: Thursday, 30 August 2012 7:30 AM > To: [email protected]<mailto:[email protected]> > Subject: [jose] (REDO) POLL: RSA-OAEP/RSA-PSS default parameters > > Folks, > > Given the confusion around the original version of this poll, I'd like > to try again. > > The basic question is unchanged, the room count from Vancouver has been > corrected, and a clarification regarding the status of SHA1 in the OAEP > specification has been added. For those of you who voted and feel you > may have misunderstood the question or voted incorrectly, please feel > free to update your answer. > > Question: > Should SHA1 (and mgf1SHA1) be the default parameters for these > algorithms? > Note: These are the default parameters specified in RFC 3447, Section > A.2.1, and are widely deployed. > > Room vote: 5 yes, 0 no, 3 discuss > > Thanks, > Karen > _______________________________________________ > jose mailing list > [email protected]<mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/jose -- --Breno
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
