Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR Object Signing and Encryption (COSE)
draft-ietf-cose-hash-sig-09

[Ballot comment]
Thanks for the work that went into creating this document. I have no
comments on its contents (the crypto is somewhat outside my area of
expertise), although I have a few observations regarding the examples.

---------------------------------------------------------------------------

Appendix A:

>  This appendix provides a non-normative example of a COSE full message
>  signature and an example of a COSE_Sign1 message.  This section
>  follows the formatting used in [RFC8152].

I would suggest that RFC 8610 might be a better reference here, as it is
the document that actually defines the extended CBOR diagnostic format.
In particular my recommendation is:

  "This section is formatted according to the extended CBOR diagnostic
  format defined by [RFC8610]."

---------------------------------------------------------------------------

§A.1:

>  98(
>    [
>      / protected / h'a10300' / {
>          \ content type \ 3:0
>        } / ,
>      / unprotected / {},
>      / payload / 'This is the content.',
>      / signatures / [
>        [
>          / protected / h'a101382d' / {
>              \ alg \ 1:-46 \ HSS-LMS \
>            } / ,
>          / unprotected / {
>            / kid / 4:'ItsBig'
>          },
>          / signature / ...
>        ]
>      ]
>    ]
>  )

I think there are two things here that need to be addressed.

First, section 3 of this document specifies:

>    o  The 'kty' field MUST be present, and it MUST be 'HSS-LMS'.

I can't find a 'kty' field in this example.

Also, this example uses '-46' as the identifier for HSS-LMS,
while section 6.1 specifies the value as "TBD." This example needs
a clear note added for the RFC editor that the "-46" needs to be
replaced by the IANA-assigned value. A similar annotation will be
required for the 'kty' field, regarding the value assigned for section
6.2.

---------------------------------------------------------------------------

§A.2:

Same comments as A.1, above.

[Ballot discuss]
I do see the previous discussion in
https://mailarchive.ietf.org/arch/msg/cose/E6ApKPKlESQQSZwySJAVF1l27OE
but I am still unclear on where exactly we can represent the octet
string that is the HMS-LMS public key.  Do we not need to define a COSE
Key Type Parameter (i.e., label) that maps to the public key value?  For
reference, the examples in Appendix C.7.1 of RFC 8152 include key/value
pairs with the negative map labels from
https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
corresponding to the key type in question.
Hopefully I'm just confused and missing where this is already done, but
marking as a Discuss point in case I'm not.  (The linked
cose-wg/Examples seem to be using a JSON structure to describe the input
to the example generation, with the "public" and "private" members of
the "key" that do not seem to correspond to anything that I can find at
https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters, and
which would in any case not directly apply to the *COSE* usage.)

[Ballot comment]
Related to the above Discuss, should we have an explicit statement that we do
not define a way to convey an HSS/LMS private key in a COSE_Key object?
(I think it is correct to not define such a thing, since conveying a
stateful private key is something of a non-sequitur.)


It's not entirely clear to me how much of RFC 8554 we need to duplicate
in order to give the reader an understanding of the signature structure
we're using.  A few times while reading Sections 2.x I had to
double-check that I was reading the right document :)

Section 1.1

  If large-scale quantum computers are ever built, these computers will
  be able to break many of the public-key cryptosystems currently in
  use.  A post-quantum cryptosystem [PQC] is a system that is secure
  against quantum computers that have more than a trivial number of
  quantum bits (qubits).  It is open to conjecture when it will be

(nit: they're also secure against quantum computers that do have a
trivial number of bits.  Yes, I know this is also true about classical
signature algorithms with sufficiently large keys, but the text here is
perhaps not making quite the point we want to make.)

  Since the HSS/LMS signature algorithm does not depend on the
  difficulty of discrete logarithm or factoring, the HSS/LMS signature
  algorithm is considered to be post-quantum secure.  The use of HSS/
  LMS hash-based signatures to protect software update distribution,
  perhaps using the format that is being specified by the IETF SUIT
  Working Group, will allow the deployment of software that implements
  new cryptosystems.

In light of the genart reviewer's comments, we could recast this as
"there is desire have HSS/LMS-based signatures available to protect
software update distribution, including from the IETF SUIT Working
Group" to place the focus on the desire, which is more easily fixed in
time, rather than the WG output, which will change with time.

Section 2.2

  Each tree in the hash-based signature algorithm specified in
  [HASHSIG] uses the Leighton-Micali Signature (LMS) system.  LMS
  systems have two parameters.  The first parameter is the height of
  the tree, h, which is the number of levels in the tree minus one.

I strongly suggest making it more clear that there are two (types of)
trees involved -- the HSS tree of Section 2.1, and a tree within a given
LMS signature (what's being discussed here).  Just using an unadorned
"the tree" is a recipe for confusion.

  The [HASHSIG] specification defines the value I as the private key
  identifier, and the same I value is used for all computations with
  the same LMS tree.  In addition, the [HASHSIG] specification defines

I think RFC 8554 uses I as the identifier for the key pair, not just the
private key, and it seems that in the COSE context we are more likely to
be referring to a public key than a private key.

Section 2.3

      n -  The number of bytes output by the hash function.  This
          specification supports only SHA-256 [SHS], with n=32.

      H -  A preimage-resistant hash function that accepts byte strings
          of any length, and returns an n-byte string.  This
          specification supports only SHA-256 [SHS].

Is supporting other n values basically just a matter of allocating from
a registry?  If so, we might want to tweak the wording a bit to leave
the possibility for such a generalization.

  The LM-OTS signature value can be summarized as the identifier of the
  LM-OTS variant, the random value, and a sequence of hash values (y[0]
  through y[p-1]) that correspond to the elements of the public key as
  described in Section 4.5 of [HASHSIG]:

nit: I'd consider a different wording than "correspond to"; the
correspondence is a bit hard to describe clearly, but "hash values that
include as input" (or similar) is IMO fairly clear.

Section 3

      o  The 'kty' field MUST be present, and it MUST be 'HSS-LMS'.

(Re. "MUST be present", I note that RFC 8152 already has """The element
"kty" is a required element in a COSE_Key map."""

      o  If the 'alg' field is present, and it MUST be 'HSS-LMS'.

nit: no "and".


Section 5

  To ensure that none of tree nodes are used to generate more than one
  signature, the signer maintains state across different invocations of
  the signing algorithm.  Section 12.2 of [HASHSIG] offers some
  practical implementation approaches around this statefulness.  In

There is no Section 12.2 in RFC 8554; is perhaps Section 9.2 the
intended one?

[Ballot comment]
Please respond to the Gen-ART review. I agree with the Gen-ART reviewer that the reference to the SUIT working group in Section 1.1 should be removed.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-cose-hash-sig-04. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator has a question about one of the actions requested in the IANA Considerations section of this document.

The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete.

First, in the COSE Algorithms registry on the CBOR Object Signing and Encryption (COSE) registry page located at:

https://www.iana.org/assignments/cose/

a single, new algorithm is to be registered as follows:

Name: HSS-LMS
Value: [ TBD-at-Registration ]
Description: HSS/LMS hash-based digital signature
Reference: [ RFC-to-be ]
Recommended: Yes

IANA Question --> What range of values is to be used for this new registration.

Second, in the COSE Key Types registry also on the CBOR Object Signing and Encryption (COSE) registry page located at:

https://www.iana.org/assignments/cose/

a single, new jey type is to be registered as follows:

Name: HSS-LMS
Value: [ TBD-at-Registration ]
Description: Public key for HSS/LMS hash-based digital signature
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist

The following Last Call announcement was sent out (ends 2019-10-29):

From: The IESG
To: IETF-Announce
CC: rdd@cert.org, cose-chairs@ietf.org, Ivaylo Petrov , draft-ietf-cose-hash-sig@ietf.org, cose@ietf.org, ivaylo@ackl.io
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Use of the HSS/LMS Hash-based Signature Algorithm with CBOR Object Signing and Encryption (COSE)) to Proposed Standard


The IESG has received a request from the CBOR Object Signing and Encryption
WG (cose) to consider the following document: - 'Use of the HSS/LMS
Hash-based Signature Algorithm with CBOR Object
  Signing and Encryption (COSE)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-10-29. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  This document specifies the conventions for using the Hierarchical
  Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based
  signature algorithm with the CBOR Object Signing and Encryption
  (COSE) syntax.  The HSS/LMS algorithm is one form of hash-based
  digital signature; it is described in RFC 8554.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-sig/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-sig/ballot/


No IPR declarations have been submitted directly on this I-D.

As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

  I believe it should be a Proposed Standard.

  Currently not indicated in the title page.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  Relevant content can frequently be found in the abstract
  and/or introduction of the document. If not, this may be
  an indication that there are deficiencies in the abstract
  or introduction.

    This document specifies the conventions for using the HSS/LMS hash-based
    signature algorithm with the CBOR Object Signing and Encryption (COSE)
    syntax. The HSS/LMS algorithm is one form of hash-based digital signature;
    it is described in RFC 8554.


Working Group Summary

  Was there anything in WG process that is worth noting? For
  example, was there controversy about particular points or
  were there decisions where the consensus was particularly
  rough?

    The document has undergone 1 revision since WG last call. This revision was
    needed to address comments from the last call and to update a reference to
    a draft that has since been published.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

    I am not aware of current implementations. As this document specifies
    conventions for using HSS/LMS hash-based signature algorithm with COSE that
    are needed by other working groups. The lack of implementations therefore
    seems acceptable to me.

    Jim Schaad and John Mattsson did an in-depth reviews and had no substantive
    issues.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

    Document Shepherd: Ivaylo Petrov (COSE WG chair)
    AD: Benjamin Kaduk (Sec AD)

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

  The COSE WG Chair (Ivaylo Petrov) has reviewed the document and believes it is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

  No.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

  No concerns.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

  The authors have confirmed that they are not aware of any IPR.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

  My feeling is that the WG understands and agrees with the proposed draft
  without any other alternatives being provided.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  ID nits mostly concerned code snippet formatting and references that were
  considered downward normative reference by the tool (discussed separately).

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  Does not have any formal review criterias, but the algorithms for which it
  provides conventions for usage with COSE has passed formal review.

(13) Have all references within this document been identified as
either normative or informative?

  Yes, in my opinion all the normative references are really needed in order to
  understandd the document and all the informative ones give more context for
  better understanding, but are not strictly necessary for understanding the
  document.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

  None of the normative references are work in progress or otherwise in an
  unclear state.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

  * RFC 8554 is an infomrational document, but I consider it an acceptable
    downref as CFRG publishes only informational crypto document.
  * SHS is a reference to a document that comes outside of the IETF, namely
    from NIST. For that reason the tools consider it a downward normative
    reference. I consider it an acceptable normative reference.


(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

No.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  The document adds a value to COSE Algorithms Registry and a value to COSE Key
  Types Registry. For those all the needed information is provided.


(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

  No new registries.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

  I believe it should be a Proposed Standard.

  Currently not indicated in the title page.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  Relevant content can frequently be found in the abstract
  and/or introduction of the document. If not, this may be
  an indication that there are deficiencies in the abstract
  or introduction.

    This document specifies the conventions for using the HSS/LMS hash-based
    signature algorithm with the CBOR Object Signing and Encryption (COSE)
    syntax. The HSS/LMS algorithm is one form of hash-based digital signature;
    it is described in RFC 8554.


Working Group Summary

  Was there anything in WG process that is worth noting? For
  example, was there controversy about particular points or
  were there decisions where the consensus was particularly
  rough?

    The document has undergone 1 revision since WG last call. This revision was
    needed to address comments from the last call and to update a reference to
    a draft that has since been published.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

    I am not aware of current implementations. As this document specifies
    conventions for using HSS/LMS hash-based signature algorithm with COSE that
    are needed by other working groups. The lack of implementations therefore
    seems acceptable to me.

    Jim Schaad and John Mattsson did an in-depth reviews and had no substantive
    issues.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

    Document Shepherd: Ivaylo Petrov (COSE WG chair)
    AD: Benjamin Kaduk (Sec AD)

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

  The COSE WG Chair (Ivaylo Petrov) has reviewed the document and believes it is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

  No.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

  No concerns.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

  The authors have confirmed that they are not aware of any IPR.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

  My feeling is that the WG understands and agrees with the proposed draft
  without any other alternatives being provided.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  ID nits mostly concerned code snippet formatting and references that were
  considered downward normative reference by the tool (discussed separately).

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  Does not have any formal review criterias, but the algorithms for which it
  provides conventions for usage with COSE has passed formal review.

(13) Have all references within this document been identified as
either normative or informative?

  Yes, in my opinion all the normative references are really needed in order to
  understandd the document and all the informative ones give more context for
  better understanding, but are not strictly necessary for understanding the
  document.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

  None of the normative references are work in progress or otherwise in an
  unclear state.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

  * RFC 8554 is an infomrational document, but I consider it an acceptable
    downref as CFRG publishes only informational crypto document.
  * SHS is a reference to a document that comes outside of the IETF, namely
    from NIST. For that reason the tools consider it a downward normative
    reference. I consider it an acceptable normative reference.


(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

No.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  The document adds a value to COSE Algorithms Registry and a value to COSE Key
  Types Registry. For those all the needed information is provided.


(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

  No new registries.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.