On 21 Sep 2019, at 01:44, Mike Jones
<[email protected]> wrote:
>
> RSA SHA-1 is used by TPMs, which produce attestations used by W3C WebCrypto.
> That can't be changed. That's why an algorithm identifier is needed for it.
> Its use is prohibited for new applications but TPMs are an existing
> application. I can work to make this clearer when resolving the WGLC
> comments.
I think clarifying the text along those lines would help a lot. It is worrying
that these TPMs have to continue to use a known weak signature method and they
apparently cannot be changed, but at least with the MUST NOT you give people a
clue that this is something they want to run away from pretty quickly.
>
> As for secp256k1, the "ES256K" algorithm is registered, whose definition is
> "ECDSA using secp256k1 curve and SHA-256". That's only for signing. The
> draft is currently silent on whether the registered curve can also be used
> for other things. I think that's how it should be, unless there are security
> reasons to the contrary.
Well section 4.4 registers secp256k1 as a JWK Elliptic Curve so it will be
usable with the existing ECDH-ES family of algorithms without any additional
registrations. There *are* some security concerns about using secp256k1 outside
of signatures - see e.g. [1] which lists the theoretical problems with the
curve. In particular, fast implementations of scalar multiplication (used in
ECDH) for secp256k1 are not constant time making it a riskier choice for ECDH
than for ECDSA. As far as I'm aware though, that just puts it in the same
category as the other NIST/SECG standard curves that are already registered for
JOSE. So I'm not against it being available for both JWS and JWE usage, I'd
just like that to be an explicit documented decision rather than an accident.
[1]: https://crypto.stackexchange.com/a/68286/26028
-- Neil
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
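The point Neil raises is that once secp256k1 is a registered JWK curve, the existing ECDH-ES algorithms will accept it unless a library deliberately decides otherwise. The following Python is an added illustration, not code from the draft or from anyone on the thread, of how such a library could make that decision explicit: ES256K is accepted only on secp256k1, and ECDH-ES on secp256k1 is refused unless a deployment consciously opts in. The function name, the opt-in flag and the sample JWKs are constructed for the example.

```python
"""Policy check for JOSE algorithm / JWK pairings involving secp256k1.

Added illustration (not code from the draft or the mailing list). The
allow-list layout, function name, flag and sample keys are constructed.
"""
from dataclasses import dataclass

# Signing algorithm the draft registers for this curve.
ES256K = "ES256K"
# Key-agreement family from RFC 7518 (JWA); each takes any registered
# EC/OKP curve, so secp256k1 would be usable here once registered.
ECDH_ES_FAMILY = ("ECDH-ES", "ECDH-ES+A128KW",
                  "ECDH-ES+A192KW", "ECDH-ES+A256KW")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_key_alg_policy(jwk: dict, alg: str, *,
                         allow_secp256k1_key_agreement: bool = False) -> Verdict:
    """Decide whether `jwk` may be used with `alg`.

    allow_secp256k1_key_agreement is the explicit deployment decision the
    thread asks for: default False, so ECDH-ES over secp256k1 is refused
    unless someone has consciously turned it on (constructed flag name).
    """
    kty, crv, use = jwk.get("kty"), jwk.get("crv"), jwk.get("use")
    # RFC 7517 "use": never turn a signing key into a key-agreement key or
    # an encryption key into a signing key, whatever the curve.
    if alg in ECDH_ES_FAMILY and use == "sig":
        return Verdict(False, "key marked use=sig cannot be used for ECDH-ES")
    if alg == ES256K and use == "enc":
        return Verdict(False, "key marked use=enc cannot be used for signing")
    if alg == ES256K:
        if kty != "EC" or crv != "secp256k1":
            return Verdict(False, f"{ES256K} requires kty=EC, crv=secp256k1")
        return Verdict(True, f"{ES256K} over secp256k1 (registered signing use)")
    if alg in ECDH_ES_FAMILY:
        if kty not in ("EC", "OKP"):
            return Verdict(False, "ECDH-ES requires an EC or OKP key")
        if crv == "secp256k1" and not allow_secp256k1_key_agreement:
            return Verdict(False, "secp256k1 key agreement not explicitly enabled")
        return Verdict(True, f"{alg} over {crv}")
    return Verdict(False, f"algorithm {alg} not covered by this policy")


# Constructed sample public keys; coordinates are placeholders, not real points.
SIG_KEY = {"kty": "EC", "crv": "secp256k1", "use": "sig", "x": "...", "y": "..."}
ANY_KEY = {"kty": "EC", "crv": "secp256k1", "x": "...", "y": "..."}
P256_KEY = {"kty": "EC", "crv": "P-256", "x": "...", "y": "..."}
```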