Allow creating randomized EdDSA signatures? #28
Comments
👍 |
|
How will we deal with tests? Ideally:
|
I don't think the question of whether&how we allow randomized signatures in the test suite is really any different than the question of whether&how we allow implementations to create them. So basically if we think the spec text should allow creating randomized signatures (and we're happy that it does), then the tests should reflect that as well.
I agree with this goal as stated but it's not really our job at the W3C to decide what this entails for EdDSA, exactly; that's the IETF's job, IMHO. As long as there's no consensus at the IETF, we can't really make a statement about what is "known to be secure".
RFC 8032 and draft-irtf-cfrg-det-sigs-with-noise are interoperable wrt. verification (randomized signatures will verify for implementations of RFC 8032 and vice versa), so I don't think this is a huge concern. My larger concern would be that an application that assumes (based on RFC 8032) that Ed25519 signatures will be deterministic (for some niche reason), and relies on this somehow, might be surprised to learn that it doesn't work in Safari. To prevent that, we could make a note about this on MDN.
I think if we're willing to include active work as a successor of RFC 8032 for the purpose of implementations, we should accept it for the purpose of testing as well, and vice versa. |
|
Hi, I think we’re fine with allowing randomised signatures. However, we’re not that interested in providing it ourselves or exposing that detail to the user (via a different function or some other API difference). The suggestion of phrasing it as "using RFC 8032 or its compatible successor" seems reasonable. |
I am really happy that we are letting randomized signatures be allowed. |
Perfect. |
|
In the WebAppSec session at the TPAC meeting, @annevk suggested to just note down an issue in the spec, and handle it when IETF comes to a consensus. If that seems reasonable to everyone I'll make a PR for that next week (as officially speaking I'm off this week ^.^)
It seems the tests for deterministic signatures were already inadvertently removed in the refactoring in web-platform-tests/wpt#44719, which I didn't notice at the time, but it does mean that the tests don't need to be updated now if we plan to allow randomized signatures (pending IETF's consensus). In the meantime, I've added a note in mdn/browser-compat-data#24462, which should get added to MDN whenever the browser compatibility data gets updated. |
WebKit's implementation of Ed25519, when using macOS's CryptoKit, produces randomized signatures (presumably as per draft-irtf-cfrg-det-sigs-with-noise).
The current specification of EdDSA, in RFC 8032 (which we refer to), defines Ed25519 and Ed448 as being deterministic, making this implementation technically noncompliant (although for most practical purposes it won't make a difference).
@annevk has requested that we refer to draft-irtf-cfrg-det-sigs-with-noise in Web Crypto, however, from my understanding from the CFRG mailing list, there's no clear consensus on whether this draft should be published as an RFC, yet. The main disagreement seems to be about whether the definition of "Ed25519" should be changed or a new algorithm, e.g. "rEd25519", should be introduced.
Also, the draft is now expired again :/
So, we could either:
@Frosne and @davidben (and of course @annevk, @nmahendru and @chris-wood), do you have any opinions?
The text was updated successfully, but these errors were encountered: