Specifying proof of possession methods

[sander]

In “Proof of possession” I’ve tried to generalize over ECDH and EC(S)DSA based PoP methods. It is still a bit awkward, but potentially makes the rest of the spec easier to follow. This requires some evaluation.

[sander]

One example @emlun found in #11 is that as of 06bf2131eb9535d66ec5f7ec81b3d7bf52b9249c, ECSDSA-based PoP ignores transcript. I’ve tried to describe PoP as an abstract interface with two implementations compatible with ISO/IEC 18013-5:2021 mdoc authentication:

• MAC-based, where the session transcript is used as HKDF salt to derive a MAC key which signs device authentication data info (which includes transcript)
• ECSDSA-based, where the session transcript is not used, but the ECSDSA key signs device authentication data info (which includes transcript)

I wonder if we could make a less confusing abstraction, or if we should just branch out to the two concrete instantiations in each use case.

[emlun]

• device authentication data info (which includes transcript)

Oh? This is not apparent from the parameter descriptions, as far as I could tell they are independent values - transcript computed by some agreed-upon procedure and info presumably a protocol constant.

I wouldn't see much issue with simply adding a comment that transcript is intentially unused, if that is the idea. Or if transcript is meant to be signed, perhaps you could explicitly sign over both, i.e., transcript || info (or perhaps some structured combination to prevent prefix-suffix substitutions)?

[sander]

Thanks! So an iteration to the HDK spec on this could:

• [x] Specify further how info and transcript would be applied in the mdoc application
• [x] Consider renaming the parameters to avoid confusion (indeed info has a more static association)
• [x] For the DSA case, indeed try with signing transcript || info (noting prefix-suffix substitutions need to be accounted for), and indicate that transcript == "" in the mdoc case