RE: Required Algorithms for Certificates
At 5:04 PM -0500 12/21/00, Tim Polk wrote:
> If PKIX decides to specify MUSTs or SHOULDs, they should be designed
> to support broad interoperability.
Exactly. It is easier to get interoperability with one algorithm than
with two, particularly when one of those algorithms hasn't been
widely implemented and tested in products.
> Interoperability is a prime concern here at NIST. In terms of
> algorithm independence, we have come to the conclusion that
> interoperability *requires* multi-algorithm clients.
Could you explain the logic there a bit more? If only one algorithm
is mandated, how does that lead to less interoperability?
> This implies that we need to move the burden to the clients, even
> though that will impact many clients.
Here we disagree. Do you *really* think that all the IPsec
implementations and all the S/MIME implementations are going to add
DSA support? That is certainly not what I hear from the members of my
organizations; even the ones who do DSA support are not sure that it
works that well because it is rarely tested.
> If a PKIX client can validate both DSA and RSA signatures, it can
> handle certificates from any CA when signed with a PKIX-specified
> algorithm.
>
> If we only mandate RSA, well, you can fill in the rest...
> The question is whether multiple algorithm support is a practical
> requirement for clients. I just took a few minutes to scan the FIPS
> 140-1 validated crypto module list. This list currently has 130
> modules - some hardware, some software. (For those interested, see
> http://csrc.nist.gov/cryptval/140-1/1401val.htm) Many of those
> cryptographic modules already support multiple signature algorithms.
> I didn't count, but it appears that most of the recent products
> (both hardware and software) support both DSA and RSA for signatures.
> To me, this implies that multiple algorithm support is reasonable
> unless the device footprint must be very small. This may be a
> biased data set, though. Validated products are required to support
> at least one FIPS-approved algorithm, and RSA has only recently
> become a FIPS-approved algorithm.
Bingo: that obviously skewed the requirements. In the IPsec and
S/MIME space, there was no such requirement (that is, S/MIME vendors
simply ignore the v3 specs), and there are almost no commercial or
even freeware implementations using DSA.
--Paul Hoffman, Director
--VPN Consortium