Thanks John! Comments below.
> On 3 Oct 2025, at 08:48, John Mattsson
> <[email protected]> wrote:
>
>
> Hi,
>
> I did a review of draft-ietf-jose-deprecate-none-rsa15-03
>
> ---
>
> “that future algorithm registrations should meet”
>
> “should meet” does not seem to match the text in 4.2 that says:
>
> “only algorithms that are believed to meet … should be considered for
> approval”
>
> Suggestion to change to “are required to meet”, which would match the text in
> 4.2.
> According to 4.2, algorithms not meeting the requirement will not even be
> considered.
Agreed, will update.
>
> ---
>
> “should be registered in future.”
>
> See comment above
+1.
>
> ---
>
> “NIST has disallowed the use of this encryption mode for federal use since
> the end of 2023 [NIST.SP800-131Ar2] and a CFRG draft
> [I-D.irtf-cfrg-rsa-guidance] also deprecates this encryption mode for IETF
> protocols.”
>
> Should add that PKCS#1: RFC 8017, RFC 3447, and RFC 2437 (1998) state that
> “RSAES-PKCS1-v1_5 is included only for compatibility with existing
> applications.”, i.e., don’t use it in any new applications. That a completely
> new application like JOSE (2015) took this PKCS#1 algorithm that PKCS#1
> deprecated in 1998 and made it “Recommended” sent the message that IETF is
> not prioritizing security. Good that this is fixed.
Good point. I will add some wording to this effect.
>
> ---
>
> “only algorithms that are believed to meet the standard security goal of
> existential unforgeability under a chosen message attack (EUF-CMA) should be
> considered for approval”
>
> With my chair hat off, I think this should be changed to strong existential
> unforgeability under a chosen message attack (SUF-CMA). EdDSA, ML-DSA, and
> SLH-DSA are SUF-CMA (for very good reasons). EUF-CMA can lead to significant
> vulnerabilities such as replay of messages, double billing, double money
> transactions, double receipts, double contracts, and log/transaction history
> poisoning. SUF-CMA vs EUF-CMA is not a theoretic consideration; it is very
> much a real-world problem. JOSE is used in a wide variety of use cases. And
> we know that many/most developers will assume that all signatures are SUF-CMA.
>
> While JOSE has some EUF-CMA only signatures registered, I do not think we
> should register any more.
>
From the other thread on this list, it seems that NIST is standardising some PQ
signature schemes that are only EUF-CMA, so I’m not sure we can commit to
SUF-CMA as an absolute requirement. I agree that SUF-CMA is a better bar for
cryptographers to aim for, but I don’t want to potentially exclude useful
algorithms. In the context of JOSE specifically, EUF-CMA seems sufficient?
I.e., my view is that pushing for SUF-CMA is something for CFRG and NIST,
upstream of IETF WGs like JOSE.
(Also, re EdDSA - I thought some of the double-spend issues were using Ed25519?)
Best wishes,
Neil
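As an added illustration of the EUF-CMA vs SUF-CMA distinction argued over above (example code written for this page, not part of either message or of the draft): JWS ES256 is ECDSA over P-256, and ECDSA is EUF-CMA but not SUF-CMA, since for any valid (r, s) the pair (r, n-s) also verifies. The program below signs a constructed payload, derives that second signature string without the private key, and shows that a replay cache keyed on signature bytes does not treat it as a duplicate; the constructed payload and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// jwsES256 packs (r, s) as the raw r||s bytes JWS uses for ES256 (RFC 7518 §3.4).
func jwsES256(r, s *big.Int) string {
	var out [64]byte
	r.FillBytes(out[:32])
	s.FillBytes(out[32:])
	return string(out[:])
}

func splitRS(sig string) (r, s *big.Int) {
	return new(big.Int).SetBytes([]byte(sig[:32])), new(big.Int).SetBytes([]byte(sig[32:]))
}

// verifyES256 is plain ECDSA verification as a JWS library performs it; Go's
// ecdsa.Verify, like most implementations, applies no canonical low-s rule.
func verifyES256(pub *ecdsa.PublicKey, msg []byte, sig string) bool {
	h := sha256.Sum256(msg)
	r, s := splitRS(sig)
	return ecdsa.Verify(pub, h[:], r, s)
}

// secondValidSignature maps (r, s) to (r, n-s): negating s negates the recovered
// point but keeps its x-coordinate, hence r, so ECDSA accepts both. No key needed.
func secondValidSignature(sig string) string {
	r, s := splitRS(sig)
	return jwsES256(r, new(big.Int).Sub(elliptic.P256().Params().N, s))
}

// demo signs a constructed payload once and reports whether both signature strings
// verify, whether they differ, and whether a signature-bytes replay cache stops #2.
func demo() (bothVerify, distinct, sigCacheCatches bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error handling elided
	payload := []byte(`{"jti":"c0ffee-0001","sub":"alice","amount":100}`) // constructed
	h := sha256.Sum256(payload)
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig1 := jwsES256(r, s)
	sig2 := secondValidSignature(sig1)
	bothVerify = verifyES256(&priv.PublicKey, payload, sig1) && verifyES256(&priv.PublicKey, payload, sig2)
	seen := map[string]bool{sig1: true} // replay cache keyed on signature bytes
	return bothVerify, sig1 != sig2, seen[sig2] // keying on jti/nonce would catch it
}
```

The defender's takeaway is that replay protection must key on a message-level identifier such as jti (or the verifier must enforce a canonical low-s form), because only a SUF-CMA scheme makes the signature bytes themselves a stable identity for a message.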
jose mailing list -- [email protected]