lamps-wg / draft-composite-sigs

IETF Internet-Draft about X.509 certificates with composite keys and signatures.

Should we use the context String for the underlying ED448 and X25519 algorithms #64

Open johngray-dev opened 1 month ago

johngray-dev commented 1 month ago

We are using the Domain as a context string for ML-DSA.

We can't use the Domain as the context for RSA or ECDSA, as those algorithms don't take a context string.

However, ED448 and X25519 do use a context string, and it could be used.

That would likely give us SUF security for those algorithm combinations.

johngray-dev commented 1 month ago

Bring this up on the mailing list or in the 121 presentation.

ounsworth commented 1 month ago

Both RFC8410 (EdDSA in X.509) and RFC8419 (EdDSA in CMS) say explicitly that the context string is not used. Since X.509 and CMS currently do not use the context string of EdDSA, the most backwards-compatible thing is to maintain that behaviour for the EdDSA component. I think that maintaining the backwards compat on the traditional component is more important than increasing its security above the security that EdDSA has today.
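To make the trade-off in the two comments above concrete, here is an added example (it is not code from draft-composite-sigs or from this repository) implementing Ed448 as specified in RFC 8032 with the context string exposed. The constant `COMPOSITE_DOMAIN` is a constructed stand-in for the draft's Domain value, the secret key in the test is a fixed byte string, and the curve arithmetic is plain affine double-and-add, so this is for illustration rather than production use. It signs the same message once with the Domain as the Ed448 ctx and once RFC 8410-style with the empty ctx, then shows that each signature is rejected by the other verifier: a ctx-bound component signature cannot be lifted out and verified as a plain Ed448 signature, which is the binding benefit, while an existing RFC 8410 verifier rejects it, which is the backwards-compatibility cost.

```python
import hashlib
import os

# edwards448 parameters (RFC 8032, Section 5.2)
P = 2**448 - 2**224 - 1
D = (-39081) % P
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
B = (224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710,
     298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660)
assert (B[0] ** 2 + B[1] ** 2 - 1 - D * B[0] ** 2 * B[1] ** 2) % P == 0  # base point on curve

# Hypothetical stand-in for the draft's Domain value (constructed for this example).
COMPOSITE_DOMAIN = b"EXAMPLE-COMPOSITE-DOMAIN"

def _add(p1, p2):
    """Complete affine addition on x^2 + y^2 = 1 + d*x^2*y^2 (a = 1, d non-square)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow(1 - t, -1, P) % P
    return x3, y3

def _mul(k, pt):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _encode(pt):
    x, y = pt
    out = bytearray(y.to_bytes(57, "little"))
    out[56] |= (x & 1) << 7  # low bit of x goes into the top bit of the last octet
    return bytes(out)

def _decode(buf):
    if len(buf) != 57:
        return None
    sign = buf[56] >> 7
    y = int.from_bytes(buf[:56] + bytes([buf[56] & 0x7F]), "little")
    if y >= P:
        return None
    u, v = (y * y - 1) % P, (D * y * y - 1) % P
    x = pow(u * pow(v, -1, P), (P + 1) // 4, P)  # candidate root, p == 3 (mod 4)
    if v * x * x % P != u or (x == 0 and sign):
        return None
    return (P - x if (x & 1) != sign else x, y)

def _dom4(ctx):
    """dom4(F=0, C=ctx) from RFC 8032; RFC 8410 fixes ctx to the empty string."""
    if len(ctx) > 255:
        raise ValueError("context must be at most 255 octets")
    return b"SigEd448" + bytes([0, len(ctx)]) + ctx

def _shake(*parts):
    h = hashlib.shake_256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(114), "little")

def _expand(sk):
    h = bytearray(hashlib.shake_256(sk).digest(114))
    h[0] &= 0xFC      # clear the two low bits
    h[55] |= 0x80     # set the high bit of the second-to-last octet
    h[56] = 0         # clear the last octet
    return int.from_bytes(h[:57], "little"), bytes(h[57:])

def keygen():
    return os.urandom(57)

def public_key(sk):
    return _encode(_mul(_expand(sk)[0], B))

def sign(sk, msg, ctx=b""):
    s, prefix = _expand(sk)
    pk = _encode(_mul(s, B))
    r = _shake(_dom4(ctx), prefix, msg) % L
    R = _encode(_mul(r, B))
    k = _shake(_dom4(ctx), R, pk, msg) % L
    return R + ((r + k * s) % L).to_bytes(57, "little")

def verify(pk, msg, sig, ctx=b""):
    if len(sig) != 114:
        return False
    R, A = _decode(sig[:57]), _decode(pk)
    S = int.from_bytes(sig[57:], "little")
    if R is None or A is None or S >= L:
        return False
    k = _shake(_dom4(ctx), sig[:57], pk, msg) % L
    return _mul(S, B) == _add(R, _mul(k, A))

def cross_check(sk, msg):
    """Sign with the Domain as ctx and RFC 8410-style (empty ctx); report which
    verifier accepts which signature. Only the matched pairs come back True."""
    pk = public_key(sk)
    with_ctx = sign(sk, msg, COMPOSITE_DOMAIN)
    plain = sign(sk, msg)
    return {
        "ctx_sig_under_ctx": verify(pk, msg, with_ctx, COMPOSITE_DOMAIN),
        "ctx_sig_under_rfc8410": verify(pk, msg, with_ctx),
        "plain_sig_under_rfc8410": verify(pk, msg, plain),
        "plain_sig_under_ctx": verify(pk, msg, plain, COMPOSITE_DOMAIN),
    }

if __name__ == "__main__":
    print(cross_check(keygen(), b"tbs-certificate-bytes"))
```

Running the file prints the four verification results for a fresh key; the two mismatched cases are the ones an RFC 8410 verifier (empty ctx) and a Domain-bound composite verifier would each reject.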

johngray-dev commented 1 month ago

Re-opening issue in light of #79