On Sat, Sep 21, 2019 at 11:47:53AM +0100, Neil Madden wrote:
> On 21 Sep 2019, at 01:44, Mike Jones <[email protected]> wrote:
> >
> > RSA SHA-1 is used by TPMs, which produce attestations used by W3C
> > WebCrypto. That can't be changed. That's why an algorithm identifier is
> > needed for it. Its use is prohibited for new applications but TPMs are an
> > existing application. I can work to make this clearer when resolving the
> > WGLC comments.
>
> I think clarifying the text along those lines would help a lot. It is
> worrying that these TPMs have to continue to use a known weak signature
> method and they apparently cannot be changed, but at least with the MUST NOT
> you give people a clue that this is something they want to run away from
> pretty quickly.
>
> > As for secp256k1, the "ES256K" algorithm is registered, whose definition is
> > "ECDSA using secp256k1 curve and SHA-256". That's only for signing. The
> > draft is currently silent on whether the registered curve can also be used
> > for other things. I think that's how it should be, unless there are
> > security reasons to the contrary.
>
> Well section 4.4 registers secp256k1 as a JWK Elliptic Curve so it will be
> usable with the existing ECDH-ES family of algorithms without any additional
> registrations. There *are* some security concerns about using secp256k1
> outside of signatures - see e.g. [1] which lists the theoretical problems
> with the curve. In particular, fast implementations of scalar multiplication
> (used in ECDH) for secp256k1 are not constant time making it a riskier choice
> for ECDH than for ECDSA. As far as I'm aware though, that just puts it in the
> same category as the other NIST/SECG standard curves that are already
> registered for JOSE. So I'm not against it being available for both JWS and
> JWE usage, I'd just like that to be an explicit documented decision rather
> than an accident.

I'm also inclined to agree that making an explicit statement is preferred; I
have less-strong feelings about whether that statement is to allow or disallow
the usage.

-Ben

> [1]: https://crypto.stackexchange.com/a/68286/26028
>
> -- Neil
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
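The thread's point is that registering secp256k1 as a JWK curve makes it usable with ECDH-ES without any new registration, and that the SHA-1 RSA identifier exists only for existing TPM attestation keys. A consumer can turn both into an explicit policy by cross-checking the protected header against the key before use. This is an added example, not code from the thread or from any JOSE library; the identifier "RS1" for RSA with SHA-1 and the policy defaults are assumptions.

```python
import base64
import json

# Constructed policy (assumption, not from the thread): secp256k1 is accepted
# for ES256K signatures by default, but its use with the ECDH-ES family must be
# switched on deliberately; "RS1" (assumed identifier for RSA with SHA-1) is
# accepted only for keys the deployment has marked as existing TPM attestation keys.
ECDH_ES_ALGS = {"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"}
SIGNATURE_ONLY_CURVES = {"secp256k1"}
SHA1_ALGS = {"RS1"}


def encode_header(obj):
    """Serialise a dict as an unpadded base64url JOSE protected header."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_header(segment):
    """Decode an unpadded base64url JOSE segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_alg_against_key(protected_b64, jwk, allow_secp256k1_ecdh=False, existing_tpm_key=False):
    """Return (ok, reason) for using the protected header's alg with this JWK."""
    header = decode_header(protected_b64)
    alg, crv = header.get("alg"), jwk.get("crv")
    if alg in SHA1_ALGS:
        if not existing_tpm_key:
            return False, f"{alg} uses SHA-1; only accepted for existing TPM attestation keys"
        if jwk.get("kty") != "RSA":
            return False, f"{alg} requires an RSA key"
        return True, "accepted as an existing TPM attestation key"
    if alg == "ES256K":
        if jwk.get("kty") != "EC" or crv != "secp256k1":
            return False, "ES256K requires an EC key on secp256k1"
        if jwk.get("use", "sig") != "sig":
            return False, "ES256K needs a signing key"
        return True, "ok"
    if alg in ECDH_ES_ALGS:
        if jwk.get("kty") not in ("EC", "OKP"):
            return False, f"{alg} requires an EC or OKP key"
        if jwk.get("use") == "sig":
            return False, "signing key reused for key agreement"
        if crv in SIGNATURE_ONLY_CURVES and not allow_secp256k1_ecdh:
            return False, f"{crv} is not enabled for ECDH-ES in this deployment"
        if header.get("epk", {}).get("crv") != crv:
            return False, "ephemeral key curve does not match the recipient key curve"
        return True, "ok"
    return False, f"alg {alg!r} is not on the allow-list"
```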
