Open ounsworth opened 8 months ago
We agreeded we need to be more specific so there is no ambiguity. For example P256 needs to define exactly what curve is used..
We agreed to fix this after IETF 119.
Update after the draft is published on lamps-wg github.
We should add a section listing explicitly the DER-encoded AlgorithmIdentifiers for the components of each composite public key and signature algorithm. This is important to resolve ambiguity on, for example, whether the RSA should have a NULL param, and the ECC curve params.
Example, for
id-MLDSA44-ECDSA-P256-SHA256
the ML-DSA SPKI would have an AlgorithmIdentifier of:which is:
And the ECDSA-P256-SHA256 would have a SPKI would have an AlgorithmIdentifier of:
which is:
And the signature algorithm for
id-MLDSA44-ECDSA-P256-SHA256
, the first component signature algorithm would have an AlgorithmIdentifier ofwhich is:
and the second component signature algorithm would have an AlgorithmIdentifier of
which is:
With that done, we should replace the message prefix values in Sectien 2.4 with the SHA256 hash of the signature AlgorithmIdentifiers. This has two nice properties that are better than using the ASCII encoding of the OID name: 1) they are all the same length (ie the length of SHA256), and 2) if the inner OIDs change, for example with a new Kyber version, then the message prefix changes, which prevents cryptographic compatibility issues; or otherwise stated: provides signature domain-separation based on the component OIDs.
Furthermore, once we have this,