Closed danvangeest closed 5 years ago
I think that is a good idea. It works the same way in https://tools.ietf.org/html/draft-ietf-lamps-pkix-shake when the old rsaEncryption OID is not uses for the RSA public key. Instead id-RSASSA-PSS-SHAKE128 / id-RSASSA-PSS-SHAKE256 can be used in both the public key and Sig Algorithm Identifiers.
Note that in splitting the draft into two drafts (one for composite keys, and one for composite signatures), I have reversed this and defined separate OIDs for composite keys and for composite signatures.
See:
I think the
id-CompositeSignature
andid-CompositePrivateKey
OIDs aren't necessary.Signature OIDs only need to be defined when combined with a pre-hash algorithm (e.g.
ecdsa-with-sha384
), but a composite signature isn't combined with a pre-hash algorithm but rather each component signature may use a different (or no) pre-hash algorithm (e.g. ecdsa-with-sha384 + HSS). EdDSA and HSS don't define different OIDs for the signature algorithm for the same reason that they don't have a pre-hash applied before the signature.I'm not aware of any algorithms where a separate OID is defined for a private key version of the algorithm, it just uses the same public key OID (in fact I just added a definition of
CompositePrivateKey
used inpk-CompositePublicKey
defined above which I think covers defining a composite private key using a single composite public key OID).If we look at two of the more recent RFCs or drafts to define new algorithms for use in PKIX-related standards we have: https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-08
and
https://tools.ietf.org/html/rfc8410
So for the OIDs I'd pick
id-CompositePublicKey
(orid-alg-compositePublicKey
if you want to be more like HSS).And I think our draft's definition of composite Signature Algorithm and Public Key corresponding to RFC 5911 would be:
Originally posted by @danvangeest in https://github.com/EntrustDatacard/draft-ounsworth-composite-sigs/issues/45#issuecomment-497198319