Open ounsworth opened 1 month ago
More editorial feedback here:
https://mailarchive.ietf.org/arch/msg/spasm/khasPf3y0_-Lq_0NtJe92unUw6o/
Hi Piotr,
Thank you so much for this detailed review. I have incorporated most of your feedback in
The one that I didn't understand is your comment "e) Section 3.3". You are suggesting changing
OLD """ CompositeKEMPrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey
Each element is a OneAsymmetricKey` [RFC5958] object for a component private key. """
NEW """ CompositeKEMPrivateKey ::= SEQUENCE SIZE (2) OF OCTET STRING
Each element is a OneAsymmetricKey` [RFC5958] object for a component private key (privateKey field). """
I suppose that basically means SEQUENCE OF OCTET STRING{ DER{ OneAsymmetricKey } }
Can you explain the advantage of this vs just encoding the OneAsymetricKey directly? Or have I misunderstood your suggestion?
You made a suggestion that the "Use in CMS" section should specify a mandatory-to-implement subset of the larger table of composite algorithms:
""" 6.1. Underlying Components
A CMS implementation that supports a composite KEM algorithm MUST
support at least the following underlying components:
id-MLKEM512-ECDH-P256
id-MLKEM512-RSA (RSA 2048 and RSA 3072)
id-MLKEM1024-ECDH-P521 """
Unless the WG feels strongly, I am going to leave out any concept of "mandatory-to-implement" from this draft. X.509 and CMS are used in such broad and diverse applications and jurisdictions that I don't think we are in a position to make policy recommendations.
Section 3.3 In your proposal there is: CompositeKEMPrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey
According to RFC 5958: OneAsymmetricKey ::= SEQUENCE { version Version, privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, privateKey PrivateKey, attributes [0] Attributes OPTIONAL, ..., [[2: publicKey [1] PublicKey OPTIONAL ]], ... } PrivateKey ::= OCTET STRING
I believe that to specify a pair of composite private keys, a single sequence of OneAsymmetricKey is sufficient, in which the privateKey field will be a sequence of two OCTET STRING, each of which contains the private key of the appropriate algorithm (order by OID). Ie.: CompositeKEMPrivateKey ::= SEQUENCE SIZE (2) OF OCTET STRING PrivateKey ::= CompositeKEMPrivateKey
One OneAsymmetricKey sequence (instead of two) allows the use of a composite OID pointer to the algorithm identifier (it is not clear to me whether in your proposal of two OneAsymmetricKey sequences there would be a repeated composite OID as stated the text into Section 3,3?; or rather separate OIDs pointing to individual algorithms?).
Furthermore, there is an incomprehensible note in your proposal: When a Composite(KEM?)PrivateKey is conveyed inside a OneAsymmetricKey structure (...) the privateKey field SHALL contain the CompositeKEMPrivateKey... Considering that CompositeKEMPrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey this means that PrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey, and yet the privateKey field is inside the OneAsymmetricKey sequence.
After my corrections the relevant text is rather understandable: When a CompositeKEMPrivateKey is conveyed inside a OneAsymmetricKey structure (version 1 of which is also known as PrivateKeyInfo) [RFC5958], the privateKeyAlgorithm field SHALL be set to the corresponding composite algorithm identifier defined according to Section 5 (the parameters field MUST be absent), the privateKey field SHALL contain the CompositeKEMPrivateKey, and the publicKey field MUST NOT be present. Associated public key material MAY be present in the OneAsymmetricKey structure containing CompositeKEMPrivateKey and in that case version is 2.
https://mailarchive.ietf.org/arch/msg/spasm/khasPf3y0_-Lq_0NtJe92unUw6o/
b) Section 2.3.2
c) Section 3.1
d) Section 3.2
e) Section 3.3
CompositeKEMPrivateKey ::= SEQUENCE SIZE (2) OF OCTET STRING
Each element is a OneAsymmetricKey` [RFC5958] object for a component private key (privateKey field).
The order of the component keys is the same as the order defined in Section 3.2 for the components of CompositeKEMPublicKey.
When a CompositeKEMPrivateKey is conveyed inside a OneAsymmetricKey structure (version 1 of which is also known as PrivateKeyInfo) [RFC5958], the privateKeyAlgorithm field SHALL be set to the corresponding composite algorithm identifier defined according to Section 5 (the parameters field MUST be absent), the privateKey field SHALL contain the CompositeKEMPrivateKey, and the publicKey field MUST NOT be present. Associated public key material MAY be present in the OneAsymmetricKey structure containing CompositeKEMPrivateKey and in that case version is 2.
f) Section 4.2
4.2. CompositeCipherTextValue
The compositeCipherTextValue is a sequence of the ciphertexts of the underlying component algorithms. It is represented in ASN.1 as follows:
g) Section 4.3
SHA3(counter || tradSS || mlkemSS || tradCT || tradPK || domSep) ([SP.800-56Cr2] Section 4.1 Option 1 (when KDF is SHA3))
where:
counter SHALL be the fixed 32-bit value 0x00000001 which is placed here solely for the purposes of compliance with [SP.800-56Cr2].
tradSS is the shared secret from the traditional component (ECDH or RSA).
mlkemSS is the shared secret from the ML-KEM component.
tradCT is the ciphertext from the traditional component (ECDH or RSA). Note: In the case of ECDH, this is the sender's ephemeral public key.
tradPK is the recipient's public key of the traditional component (ECDH or RSA).
domSep SHALL be the DER encoded value of the object identifier of the composite KEM algorithm as listed in Section 5.1.
|| represents concatenation.
Each registered composite KEM algorithm (see {tab-kem-combiners}) must specify the choice of KDF (ie. type of SHA3 function) and domSep to be used. Comment:
h) Section 4.4
(…) The last sentence starting with: “In the case that KDF is KMAC,…” should be removed.
Piotr Popis