On Thu, Oct 30, 2025 at 10:29:50AM -0500, Nico Williams wrote:
> On Thu, Oct 30, 2025 at 11:42:32AM +1100, Viktor Dukhovni wrote:
> > On Wed, Oct 29, 2025 at 12:10:59PM -0400, David Benjamin wrote:
> > > The rules in RFC 5929 are quite unfortunate because it means that the
> > > application needs to actually recognize the signature algorithm, in
> > > addition to breaking through the abstraction and decomposing it. It's
> > > similarly ill-defined for RSA-PSS, which uses a couple different hash
> > > functions, and need not match. This is particularly silly because the side
> > > presenting the certificate does not actually need to evaluate the
> > > certificate signature, and could be broadly opaque to it.
> > > (signature_algorithms_cert aside, but dispatching on that is not very
> > > common.)
> >
> > I strongly support the position that it is a bad idea to require
> > implementations to know the internals of what should be black box
> > constructions.
>
> Sure, but here it's more a specification issue, it's just that those who
> specify signature algorithms don't know that they have to specify a hash
> function for this one purpose even if their signature algorithms don't
> make use of a hash function.
And they should not (or have to). If some specification requires such
knowledge, that specification is flawed, and needs to be revised.
I also think this is why designs that create artificial security alignment
constraints on separate component features of a parametric protocol are
not a good idea, in:
https://datatracker.ietf.org/doc/html/rfc9882#section-3.3
See:
https://datatracker.ietf.org/doc/html/rfc9882#ml-dsa-digest-algs
instead of simply saying that a combination of ML-DSA variant with some
hash is no stronger than the weaker of the two, the specification
creates what amounts to a compatibility matrix, that seems to require
implementations to jump through hoops to determine whether a requested
combination is or isn't aligned with the table. This is NOT a good
idea. Instead the only relevant question is whether the combination
meets a given security floor, something one can reasonably inquire about
each of its components without violating abstractions.
--
Viktor. 🇺🇦 Слава Україні!
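The tls-server-end-point rule from RFC 5929 that the thread objects to, written out as an added example (not code from this thread or from any TLS stack): the application has to map the certificate's signatureAlgorithm OID to a hash, special-case MD5 and SHA-1, decompose RSA-PSS into its two independent hash parameters, and give up for algorithms such as Ed25519 or ML-DSA that do not expose a single hash. The OID table and the byte string standing in for a DER certificate are constructed for the example.

```python
import hashlib

# Constructed lookup: the "recognise the signature algorithm and decompose it"
# step RFC 5929 forces on an application that should treat it as a black box.
SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}
RSASSA_PSS_OID = "1.2.840.113549.1.1.10"
# Algorithms whose AlgorithmIdentifier names no hash at all (Ed25519, Ed448,
# ML-DSA-44/65/87 under the NIST CSOR arc); RFC 5929 leaves them undefined.
NO_SINGLE_HASH = {"1.3.101.112": "Ed25519", "1.3.101.113": "Ed448",
                  "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
                  "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
                  "2.16.840.1.101.3.4.3.19": "ML-DSA-87"}


class UndefinedChannelBinding(Exception):
    """RFC 5929 4.1: no single hash function, so the binding is undefined."""


def end_point_hash(sig_oid, pss_params=None):
    """Return the hashlib name RFC 5929 assigns to this signatureAlgorithm.

    pss_params is (hashAlgorithm, maskGenAlgorithm hash) decoded from the
    RSASSA-PSS parameters; the two are independent and need not match.
    """
    if sig_oid == RSASSA_PSS_OID:
        if pss_params is None:
            raise UndefinedChannelBinding("RSA-PSS parameters not decoded")
        hash_alg, mgf_hash = pss_params
        if hash_alg != mgf_hash:
            raise UndefinedChannelBinding(
                f"RSA-PSS uses two hashes ({hash_alg}, {mgf_hash})")
        name = hash_alg
    elif sig_oid in SIG_OID_TO_HASH:
        name = SIG_OID_TO_HASH[sig_oid]
    else:
        raise UndefinedChannelBinding(
            f"no single hash for {NO_SINGLE_HASH.get(sig_oid, sig_oid)}")
    # The one special case the rule carves out: MD5 and SHA-1 become SHA-256.
    return "sha256" if name in ("md5", "sha1") else name


def is_defined(sig_oid, pss_params=None):
    """True when RFC 5929 defines tls-server-end-point for this algorithm."""
    try:
        end_point_hash(sig_oid, pss_params)
        return True
    except UndefinedChannelBinding:
        return False


def tls_server_end_point(cert_der, sig_oid, pss_params=None):
    """Channel binding value: hash of the DER certificate under the chosen hash."""
    return hashlib.new(end_point_hash(sig_oid, pss_params), cert_der).digest()
```

The real ugliness is in the inputs: obtaining `sig_oid` and `pss_params` means reaching into the certificate's AlgorithmIdentifier, which is exactly the abstraction break the thread is arguing against.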
_______________________________________________
TLS mailing list -- [email protected]