Update to the Cryptographic Message Syntax (CMS) for Algorithm Identifier Protection
draft-ietf-lamps-cms-update-alg-id-protect-05

[Ballot comment]
Thanks for this; it's perhaps a bit overdue.  Section-by-section comments below.

Section 1

  In an algorithm substitution attack, the attacker looks for a
  different algorithm that produces the same result as the algorithm
  used by the originator.  As an example, if the signer of a message
  used SHA-256 [SHS] as the digest algorithm to hash the message
  content, then the attacker looks for a weaker hash algorithm that
  produces a result that is of the same length.  The attacker's goal is
  to find a different message that results in the same hash value,
  which is commonly called a collision.  [...]

The described scenario seems to be a cross-algorithm collision, which is
not, in my experience, the most common usage of the unqualified term
"collision".  In some sense, it seems that the task for an attacker is
to find (within the context of the "weak" algorithm) a first preimage
for the digest value that is computed by the honest participant (and is
likely to be using a "strong" algorithm).

  Further, when a digest algorithm produces a larger result than is
  needed by a digital signature algorithm, the digest value is reduced
  to the size needed by the signature algorithm.  This can be done both
  by truncation and modulo operations, with the simplest being
  straightforward truncation.  [...]

(But which of truncation and modulo is to be used is fixed by the
algorithm ID, right?  Perhaps a slight rewording to avoid indicating
that the attacker has a free choice is in order.)

  This document makes two updates to CMS to provide similar protection
  for the algorithm identifier.  [...]

nit: the discussion of how X.509 protects the algorithm
identifier/parameters was four paragraphs ago, already; I'd suggest a
bit more exposition about what we're providing "similar protection" as.

Section 3.1

The preexisting text allows implementations to fail to validate
signatures in some cases (when using a digest algorithm not included in
the SignedData digestAlgorithms set); do we want to say anything about
allowing (or requiring?) implementations to fail to validate signatures
if the two digest algorithms are different?

Section 3.2

      When the signedAttrs field is present, the same digest algorithm
      MUST be used to compute the digest of the encapContentInfo
      eContent OCTET STRING, which is carried in the message-digest
      attribute, and the collection of attributes that are signed.

nit: there may be a grammar nit here, relating to the parallelism of
"compute the digest of" -- I think "the collection of attributes that
are signed" should also have an "of" or "digest of" prefix.

Section 3.5

  When producing the TimeStampToken, the TSA MUST use same digest
  algorithm to compute the digest of the encapContentInfo eContent,
  which is an OCTET STRING that contains the TSTInfo, and the message-
  digest attribute within the SignerInfo.

(There's an implicit "in order to comply with the requirement introduced
above" in here, right?)

  To ensure that TimeStampToken values that were generated before this
  update remain valid, no requirement is placed on a TSA to ensure that
  the digest algorithm for the TimeStampToken matches the digest
  algorithm for the MessageImprint embedded within the TSTTokenInfo.

I assume that "TSTTokenInfo" is a typo for "TSTInfo"?

Section 4

I like this quote from RFC 6211:

%                    There is a convention, undocumented as far as I
% can tell, that the same hash algorithm should be used for both the
% content digest and the signature digest.  [...]

It seems we are now documenting this as more than just convention :)

  This section updates [RFC5652] to recommend that the originator
  include the CMSAlgorithmProtection attribute [RFC6211] whenever
  signed attributes or authenticated attributes are present.

Why is the recommendation scoped to only the case when protected
attributes are already present?  Is the recommendation not generically
applicable even when this would be the only protected attribute?

Section 6

  The security properties of the CMS [RFC5652] signed-data and
  authenticated-data content types are updated to ensure that algorithm
  identifiers are adequately protected, which makes algorithm
  substitution attacks significantly more difficult.

Is "ensure" the right word when we only recommend (not require) the use
of the CMSAlgorithmProtection attribute?

  Therefore, it remains important that a signer have a way to signal to
  a recipient which digest algorithms are allowed to be used in
  conjunction with the verification of an overall signature.  This
  signalling can be done as part of the specification of the signature
  algorithm in an X.509v3 certificate extension [RFC5280], or some

I'm not entirely sure I'm picturing what is intended by "part of the
specification of the signature algorithm in an X.509v3 certificate
extension" -- how is the signature algorithm relying on an X.509v3
extension?

  The CMSAlgorithmProtection attribute [RFC6211] offers protection for
  the algorithm identifiers used in the signed-data and authenticated-
  data content types.  However, no protection is provided for the
  algorithm identifiers in the enveloped-data, digested-data, or
  encrypted-data content types.  Likewise, The CMSAlgorithmProtection
  attribute provides no protection for the algorithm identifiers used
  in the authenticated-enveloped-data content type defined in
  [RFC5083].

I feel like we should say something about why we do not provide
protection for those content types (e.g., why it is believed to be safe
to not have such protection).

Section 8.2

The reference to RFC 3161 in Section 3.5 is facially adding a new
MUST-level requirement for processing of the structures from RFC 3161,
which would qualify as a normative reference in my interpretation of
https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
.  (However, I believe that the "MUST" in that section is just repeating
the requirement from a previous section in the more-specific context, so
could safely be rewritten to not have the appearance of a new normative
requirement, in which case RFC 3161 could properly remain as an
informative reference.)

[Ballot comment]
[ section 1 ]

* "the associate parameters" -> "the associated parameters" perhaps

[ section 3.5 ]

* "the TSA MUST use same digest" -> "the TSA MUST use the same digest"
  I think

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has reviewed draft-ietf-lamps-cms-update-alg-id-protect-02, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist

The following Last Call announcement was sent out (ends 2020-08-10):

From: The IESG
To: IETF-Announce
CC: lamps-chairs@ietf.org, tim.hollebeek@digicert.com, draft-ietf-lamps-cms-update-alg-id-protect@ietf.org, Tim Hollebeek , spasm@ietf.org, rdd@cert.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Update to the Cryptographic Message Syntax (CMS) for Algorithm Identifier Protection) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Update to
the Cryptographic Message Syntax (CMS) for Algorithm
  Identifier Protection'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2020-08-10. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document updates the Cryptographic Message Syntax (CMS)
  specified in RFC 5652 to ensure that algorithm identifiers in signed-
  data and authenticated-data content types are adequately protected.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-update-alg-id-protect/



No IPR declarations have been submitted directly on this I-D.

Shepherd Write-up for draft-ietf-lamps-cms-update-alg-id-protect-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document updates the Cryptographic Message Syntax as specified
  in RFC 5652 to ensure that algorithm identifiers in signed-data
  and authenticated-data content types are adequately protected.

  It does so by making two changes: requiring that the originator
  use the same hash algorithm to compute the digest of the message
  content and the digest of signed attributes, and recommends that
  the originator use the CMSAlgorithmProtection attribute [RFC6211].

  Working Group Summary:

  There is consensus for this document in the LAMPS WG.

  Document Quality:

  The document is well-written and easy to understand.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See http://www.ietf.org/tools/idnits and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

IDNits review reports no errors or warnings.  The document shepherd reviewed the Internet-Drafts checklist with respect to this draft and found no issues.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  All references are already published.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  There are no downward references.


(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  The document updates RFC 5652, and this is listed in the title page header and abstract. 
  The introduction discusses the reasons for updating the document.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  The document does not require any action from IANA.

(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.
 
  The document does not contain any sections written in a formal language.

Shepherd Write-up for draft-ietf-lamps-cms-update-alg-id-protect-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document updates the Cryptographic Message Syntax as specified
  in RFC 5652 to ensure that algorithm identifiers in signed-data
  and authenticated-data content types are adequately protected.

  It does so by making two changes: requiring that the originator
  use the same hash algorithm to compute the digest of the message
  content and the digest of signed attributes, and recommends that
  the originator use the CMSAlgorithmProtection attribute [RFC6211].

  Working Group Summary:

  There is consensus for this document in the LAMPS WG.

  Document Quality:

  The document is well-written and easy to understand.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See http://www.ietf.org/tools/idnits and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

IDNits review reports no errors or warnings.  The document shepherd reviewed the Internet-Drafts checklist with respect to this draft and found no issues.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  All references are already published.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  There are no downward references.


(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  The document updates RFC 5652, and this is listed in the title page header and abstract. 
  The introduction discusses the reasons for updating the document.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  The document does not require any action from IANA.

(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.
 
  The document does not contain any sections written in a formal language.

Shepherd Write-up for draft-ietf-lamps-cms-mix-with-psk-04


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document updates the Cryptographic Message Syntax as specified
  in RFC 5652 to ensure that algorithm identifiers in signed-data
  and authenticated-data content types are adequately protected.

  It does so by making two changes: requiring that the originator
  use the same hash algorithm to compute the digest of the message
  content and the digest of signed attributes, and recommends that
  the originator use the CMSAlgorithmProtection attribute [RFC6211].

  Working Group Summary:

  There is consensus for this document in the LAMPS WG.

  Document Quality:

  The document is well-written and easy to understand.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See http://www.ietf.org/tools/idnits and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

IDNits review reports no errors or warnings.  The document shepherd reviewed the Internet-Drafts checklist with respect to this draft and found no issues.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  All references are already published.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  There are no downward references.


(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  The document updates RFC 5652, and this is listed in the title page header and abstract. 
  The introduction discusses the reasons for updating the document.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  The document does not require any action from IANA.

(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.
 
  The document does not contain any sections written in a formal language.