ietf-smime
[Top] [All Lists]

Re: I-D ACTION:draft-ietf-smime-multisig-00.txt

2007-01-09 06:32:57

Sean,

My replies are in line too.

Dennis,

Comments inline..

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]
On Behalf Of Denis Pinkas
Sent: Tuesday, December 26, 2006 6:19 AM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: I-D ACTION:draft-ietf-smime-multisig-00.txt


Comments on draft-ietf-smime-multisig-00.txt

..snip

However, this draft is unclear on how it applies. There are three types of
RPs concerned with this draft:

a)     RPs able to process "weak" algorithms, 
b)     RPs able to process "strong" algorithms only, and
c)     RPs able to process both "weak" and "strong" algorithms.

spt> The draft is intended to address all three types of RPs.

This is what I believed, but these cases are not discussed in detail in the 
text.
I am  awaiting some new text.

In case a, the main advantage of this draft is to allow to link digital
signatures from the same signer in case of algorithm migration. If the RP
decodes a SignerInfo with the "strong" algo, then it cannot verify the
digital signature, but then it can easily figure out that there is another
signature with the weak algorithms that it can process. The draft is silent
about this scenario.

spt> The main advantage of the draft is to allow you to know if an attacker
stripped off a SignerInfo.  I will add the point about being easier able to
find the other signature if you only support one of the two.

In case b, the RPs is only able to process strong algorithms. If the RP
decodes a SignerInfo with the "weak" algo, then it can also figure out that
there is another signature that it can process. 
The draft is silent about this scenario.

spt> See above.

In case c, the RPs is able to process both the weak and the strong
algorithms. If the RP decodes a SignerInfo with the "weak" algo, then it can
also figure out that there is another signature that it can process. What
about if a single bit from the digital signature made with the stronger
algorithm is changed by an attacker ? The digital signature is not
suppressed, but becomes invalid. 
What should the RP do ? The draft is silent about this scenario. 

spt> We will add text to address this - this part was going to go in to
section 5.

OK. I am  awaiting some new text.

The draft does not say either whether it applies to the verification of a
CMS structure at the present time or at a time in the past. 

If it is the present time, both the "weak" and "strong" algorithms are safe,
and there is no concern for the "downgrade attack".

If it is a time in the past, then it is important to make a difference
between :

-      the weakness of hash algorithms, and 
-      the weakness of asymmetric algorithm of short keys. 

In the later case, time-stamping or time-marking over the digital signature
provides a protection. 

In the former case, time-stamping or time-marking over the digital signature
does not provide a protection, but an archive time-stamping provides a
protection, since a different and stronger hash algorithm may be used.

This means that there exist solutions to handle the problem without the need
to use the new signed attribute.

spt> I do not believe time should have anything to do with this. If you're
not worried about downgrade attacks then don't use the attribute.

The key point is to explain when this attribute is really useful. 
When you will have detailed the six cases, which case, if any, makes that 
attribute useful ?
The anwser could be none.

In addition, RPs should know which hash algorithms is no more safe, which
means that they will not use the digital signature made with a weak
algorithm. They may try to use the newly defined MultipleSignatures signed
attribute to find out another signature made with a strong algorithm. In
other words, the "downgrade attack" 
is not a concern, but the newly defined MultipleSignatures signed attribute
is useful to link signatures from the same signer. The abstract should be
changed. Hereafter is a proposal: 

spt> While this might be true there are times when an RP won't know and this
draft addresses those instances.

Really ? I believe that the local security policy of the recipient needs to 
know whether SHA-1 is secure enough 
and whether SHA-1 is better or lower than SHA-256.

     CMS SignedData includes the SignerInfo structure to convey per-
     signer information. SignedData supports multiple signers and 
     multiple signature algorithms per-signer with multiple SignerInfo 
     structures. During periods of algorithm migration, a signer may 
     wish to attach more than one SignerInfo. However, there is no 
     way to identify that they are from the same signer. This document 
     defines a signed attribute, its generation rules, and its 
     processing rules to allow a RP to detect SignerInfo structures 
     generated by the same signer.

spt> The point of the draft is to protect against a downgrade attack and I
will not change the abstract because I believe your suggestion misses the
point of the draft.

This point still needs to be proven.

The processing rules for the various RPs should be given (six cases should
be covered).

spt> Agreed that we need to fill in the processing rules.

OK. I am  awaiting some new text.

The MultipleSignature attribute, as defined, is not good enough, to
establish a link without ambiguity.

          MultipleSignature ::= SEQUENCE { 
            bodyHashAlg     DigestAlgorithIdentifier, 
            signAlg         SignatureAlgorithmIdentifier, 
            signAttrsHash   SignAttrsHash, 
            cert            ESSCertIDv2 OPTIONAL} 

If the same algorithm are used (e.g. SHA-1 with RSA) bodyHashAlg and signAlg
will likely be the same. 
If a signature has few signed attributes signAttrsHash will also likely be
the same. The difference will always be guaranteed with cert, which thus
should be made mandatory. 

spt> No the digest alg is sha-1 and the signature alg is rsa with sha-1 so
the values are different. 

OK. You are correct.

Denis

Denis



<Prev in Thread] Current Thread [Next in Thread>