Should the DomSep be Hash( DER(OID) ) instead of DER(OID)

lamps-wg / draft-composite-sigs

IETF Internet-Draft about X.509 certificates with composite keys and signatures.

Other

3 stars 1 forks source link

Should the DomSep be Hash( DER(OID) ) instead of DER(OID) #19

Closed ounsworth closed 1 month ago

ounsworth commented 3 months ago

The rationale for making it a hash is so that the domain separator Hex string is the same length, even if the OIDs end up being different lengths; for example if IANA decides to assign from multiple arcs, or if in the future (Falcon, new PQ sigs), we get OIDs from different arcs.

On the other hand, maybe it is ok for the domain separators to be different lengths, as long as they are pre-determined and not completely variable length (ie length is controllable by an attacker).

johngray-dev commented 1 month ago

Authors group agreed we will keep it as a DER (OID) instead of a HASH (DER(OID)).