On Sun, Aug 30, 2020 at 08:10:17AM +0100, Neil Madden wrote: > > On 30 Aug 2020, at 07:58, Anders Rundgren <[email protected]> > > wrote: > > > > I have just implemented support for Edwards curves in my JSON > > library. You mean JOSE or JWS? Because JSON is a data model and encoding of it. :-)
> > Although it is certainly not a deal-breaker I find the use of > > "EdDSA" as a generic Edwards algorithm identifier rather quirky > > since it departs from the other JWS algorithms: > > https://tools.ietf.org/html/rfc8037#appendix-A.4 > > > > For curiosity reasons I took a peek at the initial draft which has > > (in my opinion...) a more logical solution: > > https://tools.ietf.org/html/draft-liusvaara-jose-cfrg-curves-00#appendix-A.4 On weird changes, I find the member name changes a bit weird. For example it calls something that is not a curve a curve. > > May I ask why this change was performed? After prehashing was eliminated, there was only one algorithm that made sense with either, so those were merged. > > For JSF (JSON Signature Format) I will stick to the "00" scheme > > which also permits use of ed25519ph and friends if needed: > > https://mobilepki.org/jsf-lab/home Beware of implementations that use wildly wrong algorithms. And on interactions of Ed25519 and Ed25519ph, they originally interacted in harmful ways. Ed25519ph was later changed (in very hacky way) in order to fix this (the same mechanism as used to contextualize Ed25519, which turned out later to be horrible idea due to API issues it causes). And Ed25519ph is weaker than Ed25519. In order to prehash without weakening the algorithm, one needs to salt the prehash, which Ed25519ph does not do. And lack of salting has been exploited in real world. > 8037 was done by CFRG, so probably best to ask there. 8037 was done by JOSE. The CFRG part (generic specification of EdDSA2) was 8032. > I like this aspect of the spec. IMO “alg” as a header was a mistake. > By using a generic algorithm header, it forces implementors to > associate the specific details in metadata stored with the key, which > is much safer. Actually a few months ago I came up with idea of having a way to express "algorithm determined by the key" in JOSE/COSE. - There have been some serious security issues in JWS implementations that have been caused by using completely wrong algorithms. - In general, using the same key with multiple algorithms is not cryptographically safe. There can be algorithm pairs which interact badly (for instance, Ed25519 and the original Ed25519ph). -Ilari _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
