
Re: IKEv2-07 Comment on Signature Usage

Russ Housley <housley@vigilsec.com> wrote on 05/09/2003 05:13:41 PM:

> IKEv2-07 says:
>
>     Optionally, messages 3 and 4 MAY include a certificate, or
>     certificate chain providing evidence that the key used to compute a
>     digital signature belongs to the name in the ID payload. The
>     signature or MAC will be computed using algorithms dictated by the
>     type of key used by the signer, an RSA-signed PKCS1-padded-hash for
>     an RSA digital signature, a DSS-signed SHA1-hash for a DSA digital
>     ...
>
> Unfortunately, this does not really work.  Consider a certificate with an
> RSA public key.  The subject public key info contains the rsaEncryption
> algorithm identifier.  This public key can be used to validate signatures
> generated with PKCS #1 version 1.5 or PSS.  And, each of these signature
> algorithms can be used with many different one-way hash functions.
>
> A signature value needs to be coupled with an algorithm identifier.
>
> Russ
>
I agree. There is a one byte field in the AUTH payload called Auth Method
that could be used to specify the algorithm. Currently, it has three
defined values: 1=RSA signature formatted using PKCS#1; 2=PRF computed
using the shared key; and 3=DSS signature currently specified as "using a
DSS private key over a SHA-1 hash" (I believe the DSS signature standard
(unlike RSA) specifies the padding and the use of a SHA-1 hash).

If I changed the wording of the text you quoted to list those as examples
rather than mandates with a pointer to section 3.8, and changed section 3.8
to specify that in the future new codes could be assigned to existing key
types, would that satisfy your concern?

Related issues: should these algorithms be listed in the algorithms spec
instead of or in addition to this one, and should we define a code for PSS
signatures now or should it wait? (And is there an RFC to reference?).

      --Charlie
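The ambiguity Russ describes, as an added example that is not part of the thread: one rsaEncryption key signs the same data with PKCS #1 v1.5 over SHA-1 and over SHA-256, and a verifier told only "Auth Method 1 = RSA, PKCS#1" has to guess which hash was used. The encoding follows EMSA-PKCS1-v1_5 from RFC 3447; the AUTH payload layout (1 octet Auth Method, 3 reserved octets, Authentication Data) is taken from RFC 4306 section 3.8 and assumed to match the draft; the key is built from two Mersenne primes purely so the demo is self-contained and is not a secure key.

```python
import hashlib

# DigestInfo DER prefixes from RFC 3447 section 9.2, note 1
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# Constructed demo key: Mersenne primes 2^521-1 and 2^607-1 (trivially factorable, demo only)
P, Q = (1 << 521) - 1, (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets (141)

def emsa_pkcs1_v1_5(msg: bytes, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || Hash(msg), padded to K octets."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg: bytes, hash_name: str) -> bytes:
    """Textbook RSA signature: the hash choice is baked into the padded block, not signalled."""
    em = int.from_bytes(emsa_pkcs1_v1_5(msg, hash_name), "big")
    return pow(em, D, N).to_bytes(K, "big")

def verify(msg: bytes, sig: bytes, hash_name: str) -> bool:
    """Recover the padded block with the public key and compare against the expected encoding."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v1_5(msg, hash_name)

def auth_payload(method: int, data: bytes) -> bytes:
    """AUTH payload body per RFC 4306 3.8 (assumed to match the draft): method, 3 reserved, data."""
    return bytes([method, 0, 0, 0]) + data

def hashes_accepting(msg: bytes, payload: bytes) -> list:
    """Verifier side for Auth Method 1: the code names the key type only, so every
    hash the implementation knows has to be tried; the list shows which one matched."""
    method, data = payload[0], payload[4:]
    if method != 1:
        raise NotImplementedError("only RSA PKCS#1 (Auth Method 1) is modelled here")
    return [h for h in DIGEST_INFO if verify(msg, data, h)]

if __name__ == "__main__":
    msg = b"constructed sample: octets an IKEv2 peer would sign in message 3"
    for h in ("sha1", "sha256"):
        print(h, "->", hashes_accepting(msg, auth_payload(1, sign(msg, h))))
```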