Hi Mike and Orie, thank you for your replies (see Orie's reply on GitHub <https://github.com/w3c/webauthn/pull/2078#issuecomment-2364535837>). I've now had some time to digest them (pun intended) and consider how to proceed.
I agree that distinct algorithm identifiers seems like a suitable solution for this. I mocked up an outline of the idea, including a few examples of what this might look like for a couple of algorithms, which you can see here for the time being: https://yubico.github.io/arkg-rfc/cose-two-party-sign-algs/draft-bradleylundberg-cfrg-arkg.html#name-temporary-cose-algorithms-f (This address is temporary, we'll move the draft somewhere more appropriate when the ideas are more mature) The relevant section is "5.3. TEMPORARY: COSE algorithms for two-party signing", but it also lightly ties into the preceding section "5.2. COSE key reference types" for things like the *ctx* parameter in HashML-DSA. Perhaps this better illustrates what we're trying to do. As noted in the introduction section, this is subtly different from COSE Hash Envelope (CHE), for example, if I understood CHE correctly. We deliberately want to *avoid* domain-separating these signatures, and avoid an additional protocol-level hash layer. The hope is to be able to generate signatures that look the same as usual, and verify the same as usual, but without having to send the entire original message to the cryptographic hardware that holds the private key. These algorithm identifiers therefore wouldn't appear on signature structures or keys, as those would still be tagged with the existing identifier for the usual signature (verification) algorithm. This would enable our WebAuthn raw signing extension to output signatures that can be fed into existing verifiers, without needing to adapt those verifiers and cryptographic protocols to accomodate a protocol-level prehash. This also enables structuring the extension such that the WebAuthn Relying Party and authenticator (e.g., security key) can negotiate a two-party signature algorithm without needing the WebAuthn client (browser) to support it - the client just passes the data through. Please have a look at the mockup link above. Does this (and the related COSE_Key_Ref idea) seem like a reasonable approach? Emil Lundberg Staff Engineer | Yubico <http://www.yubico.com/> Den ons 25 sep. 2024 kl 00:29 skrev Michael Jones < [email protected]>: > Thanks for writing, Emil. Here are my thoughts. > > > > I would not suggest trying to generically extend the JOSE and COSE signing > structures with additional parameters, such as creating a signing request > data structure. It would be much simpler and more aligned with how JOSE > and COSE work to define new algorithm identifiers for the additional needed > functionality. These should go into the existing registries for JOSE > <https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms> > and COSE > <https://www.iana.org/assignments/cose/cose.xhtml#header-algorithm-parameters> > . > > > > As you probably already know, pre-hash algorithm identifiers for Ed25519 > and Ed448 are not currently registered for JOSE > <https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms> > or COSE > <https://www.iana.org/assignments/cose/cose.xhtml#header-algorithm-parameters>. > I suggest creating them in a new specification. I’d be glad to collaborate > on writing that with you if you’d like. Other needed pre-hash algorithm > identifiers could also be created in the new spec. > > > > Mike Prorock and Orie Steele, it’s relevant to know whether you intent to > extend to register both pre-hash and non-pre-hash algorithm identifiers in > draft-ietf-cose-dilithium. Your thoughts? > > > > Emil, I am glad that you are working on the signing extension for > WebAuthn. I certainly support that work. > > > > Best > wishes, > > -- Mike > > > > *From:* Emil Lundberg <[email protected]> > *Sent:* Friday, September 20, 2024 9:51 AM > *To:* cose <[email protected]>; [email protected] > *Subject:* [jose] Algorithm identifiers for pre-hashing in two-party > signing? > > > > Hi COSE and JOSE WGs, > > I'm currently working on an extension to WebAuthn > <https://github.com/w3c/webauthn/pull/2078> [1] for signing arbitrary > data. The current draft uses `COSEAlgorithmIdentifier`s to negotiate what > signature algorithm to use, and the same `COSEAlgorithmIdentifier` is also > emitted in generated `COSE_Key`s to communicate the signature algorithm to > the signature verifier. > > However, for several reasons we want the caller of this signing API to > pre-hash the data to be signed before passing it into the extension. The > question then is: how should we communicate, _generically_, which steps of > the signing algorithm are performed in advance by the caller and which are > performed by the WebAuthn authenticator? > > In some cases the division is fairly obvious. For example, ESP256 > <https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-05.html> > [2] hashes the input only once, so it's obvious that the caller performs > the hash and the WebAuthn authenticator interprets the input as a raw P-256 > scalar. Ed25519ph <https://www.rfc-editor.org/rfc/rfc8032#section-5.1> > [3] hashes the input once without the key and then hashes the digest again > with the key, so clearly only the first hash can be performed by the caller > (and Ed25519 is impossible to implement in this way). > > But for other algorithms it's less obvious - for example, for HashML-DSA > <https://csrc.nist.gov/pubs/fips/204/final> [4], the caller could compute > only PH_M and submit PH_M and the hash OID into the signing API, or the > caller could compute M' and submit only M' into the signing API (I think > the former is clearly preferable, but the point is that both options > exist). Similarly for RSASSA-PSS > <https://www.rfc-editor.org/rfc/rfc8017#section-9.1.1> [5], should the > caller submit `mHash` or `EM`? This "division of labour" between the caller > and the WebAuthn authenticator needs to be defined somehow. > > So, that is my question: how should we define and communicate this > division of labour? > > - Is there some way we can do it generically, without defining any new > algorithm identifiers? > - Should we define new algorithm identifiers for "pre-hashing for > two-party signing" in some existing registry? > - Should we define a new registry of algorithm identifiers? > - Should we define some new "signing request" data structure, which can > describe whether and how data is pre-hashed (perhaps similar to COSE Hash > Envelopes > <https://cose-wg.github.io/draft-ietf-cose-hash-envelope/draft-ietf-cose-hash-envelope.html#name-hash-envelope-cddl> > [6]?)? > - Other options? > > Any insight and guidance on this would be much appreciated. Of course I'm > also happy to elaborate on anything that is unclear. Thank you. > > > [1]: https://github.com/w3c/webauthn/pull/2078 > [2]: > https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-05.html > [3]: https://www.rfc-editor.org/rfc/rfc8032#section-5.1 > [4]: https://csrc.nist.gov/pubs/fips/204/final > [5]: https://www.rfc-editor.org/rfc/rfc8017#section-9.1.1 > [6]: > https://cose-wg.github.io/draft-ietf-cose-hash-envelope/draft-ietf-cose-hash-envelope.html#name-hash-envelope-cddl > > > *Emil Lundberg* > > Staff Engineer | *Yubico* <http://www.yubico.com/> > > >
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
