On Thu, 4 May 2017 12:21:14 -1000 Brian Smith <[email protected]> wrote:
> Draft 24 of rfc6962-bis says that the log must use RFC 6979 for ECDSA
> signatures. However, the requirement to use RFC 6979 is problematic
> for several reasons, noted below. I think this group should reconsider
> if the fingerprinting threat that motivated the requirement for
> deterministic signatures is significant enough to overcome these
> problems.

I think preventing fingerprinting is important.

I suggest we loosen the requirement on logs. Logs should still be forbidden from producing more than one distinct signature for any given STH or SCT, but we shouldn't specify how logs must satisfy this requirement.

Here are some of the ways a log could satisfy this requirement:

1. Use RFC 6979.

2. Use a different deterministic signature scheme.

3. When producing a new STH or SCT, sign it, store the signature, and serve the stored signature instead of re-signing on-the-fly every time the log needs to serve the STH or SCT. Since the log already needs to store information about STHs and SCTs, also storing the signature should not be burdensome.

I'll also note that forbidding the log from producing more than one signature per STH makes it slightly easier for people participating in STH pollination to deduplicate STHs, as it becomes possible to deduplicate based on the entire STH rather than parsing out the non-signature parts.

Regards,
Andrew
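Option 3 from the message above, sketched as an added example that is not part of the original e-mail or of any CT log implementation: a store that signs each STH/SCT input once with Go's randomized ECDSA and afterwards serves only the stored signature. The type `SignOnceStore`, its constructor, the in-memory map and the sample input are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"sync"
)

// SignOnceStore (hypothetical name) serves one stored signature per input.
type SignOnceStore struct {
	mu   sync.Mutex
	key  *ecdsa.PrivateKey
	sigs map[[32]byte][]byte // SHA-256 of signed bytes -> stored signature
}

func NewSignOnceStore() (*SignOnceStore, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway demo key
	if err != nil {
		return nil, err
	}
	return &SignOnceStore{key: key, sigs: map[[32]byte][]byte{}}, nil
}

// Signature returns the single signature for tbs, signing only on first use.
func (s *SignOnceStore) Signature(tbs []byte) ([]byte, error) {
	digest := sha256.Sum256(tbs)
	s.mu.Lock() // held across lookup and signing: no concurrent double-sign
	defer s.mu.Unlock()
	if sig, ok := s.sigs[digest]; ok {
		return sig, nil
	}
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:]) // randomized ECDSA
	if err != nil {
		return nil, err
	}
	s.sigs[digest] = sig // a real log would persist this before serving it
	return sig, nil
}

func main() {
	s, err := NewSignOnceStore()
	if err != nil {
		panic(err)
	}
	a, errA := s.Signature([]byte("constructed STH bytes"))
	b, errB := s.Signature([]byte("constructed STH bytes"))
	println(errA == nil && errB == nil && string(a) == string(b))
}
```

Because the signer here is randomized, the one-signature property comes entirely from the lookup-before-sign step under the lock; the stored signature has to survive restarts and be shared by every frontend for the property to hold in a deployed log.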
