Open bsanchezb opened 2 weeks ago
Well, this is embarrassing... This one is probably on me 😓.
I remember raising the issue of which OID to use as a point of discussion at a fairly late stage of the process for both of these standards, and I remember going to look it up in that very same RFC, but I must've missed the fact that the requirement for CMS with signed attrs is opposite from the one without. (I would be very interested to know the rationale behind that distinction in CMS, though... it feels a bit arbitrary)
That said, I don't think we have much of a choice: we need to follow the CMS spec. I suggest changing the requirement (perhaps with a note) to use id-shake256-len with the length set to 512 bits if/when we roll this TS into "core" 32k.
Note that this changes nothing from the cryptographic PoV, it's purely a difference in the way the algorithm choice is presented to the consuming processor.
@MatthiasValvekens , thank you for the quick reply.
So it looks more like an issue in the standard. Maybe a new version of the TS with the fixed requirement is possible, in case an update of ISO 32000 is not planned in the near term? It would be nice to have it written down formally somewhere for better interoperability.
The PDF Association's Digital Signature TWG will take the lead on getting an agreed resolution ASAP. The PDF Association can then immediately publish that industry-recommended guidance to all via https://pdf-issues.pdfa.org/ and via our sponsored standards.
The ISO committees just met last week so timing is poor for formally initiating dated revisions or amendments. ISO committees next meet in Nov 2024, but it will still take many months to work through ISO processes.
Describe the bug
ISO 32001 and ISO 32002 define a requirement for the SHAKE256 algorithm identifier to be used which looks contradictory to the specification defined in RFC 8419.
In particular, ISO 32001 defines that a digest algorithm with OID id-shake256 shall be used:
and similarly in ISO 32002:
and:
While RFC 8419 specifies that a digest algorithm with identifier id-shake256-len shall be used when signing a CMS with signed-attributes (which is mandatory for CAdES signatures):
This limits the applicability of ISO 32002 in particular to CMS signatures without signed attributes only (not CAdES conformant).
Is this an intentional limitation of the standard, or is my interpretation of the standard not entirely correct? And how should one proceed when creating a CAdES conformant signature with the Ed448 + id-shake256-len algorithm?
Additional context
The question was originally raised at EU eSig DSS JIRA.