< draft-ietf-curdle-cms-eddsa-signatures-06.txt		draft-ietf-curdle-cms-eddsa-signatures-07.txt >
	Internet-Draft R. Housley		Internet-Draft R. Housley
	Intended status: Standards Track Vigil Security		Intended status: Standards Track Vigil Security
	Expires: 2 December 2017 2 June 2017		Expires: 4 February 2018 4 August 2017
	Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS)		Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS)
	<draft-ietf-curdle-cms-eddsa-signatures-06.txt>		<draft-ietf-curdle-cms-eddsa-signatures-07.txt>
	Abstract		Abstract
	This document specifies the conventions for using Edwards-curve		This document specifies the conventions for using Edwards-curve
	Digital Signature Algorithm (EdDSA) for curve25519 and curve448 in		Digital Signature Algorithm (EdDSA) for curve25519 and curve448 in
	the Cryptographic Message Syntax (CMS). For each curve, EdDSA		the Cryptographic Message Syntax (CMS). For each curve, EdDSA
	defines the PureEdDSA and HashEdDSA modes. However, the HashEdDSA		defines the PureEdDSA and HashEdDSA modes. However, the HashEdDSA
	mode is not used with the CMS. In addition, no context string is		mode is not used with the CMS. In addition, no context string is
	used with the CMS.		used with the CMS.
	skipping to change at page 1, line 34 ¶		skipping to change at page 1, line 34 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on 2 December 2017.		This Internet-Draft will expire on 4 February 2018.
	Copyright Notice		Copyright Notice
	Copyright (c) 2017 IETF Trust and the persons identified as the		Copyright (c) 2017 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 6, line 45 ¶		skipping to change at page 6, line 45 ¶
	these values can result in little or no security. An attacker may		these values can result in little or no security. An attacker may
	find it much easier to reproduce the PRNG environment that produced		find it much easier to reproduce the PRNG environment that produced
	the keys, searching the resulting small set of possibilities, rather		the keys, searching the resulting small set of possibilities, rather
	than brute force searching the whole key space. The generation of		than brute force searching the whole key space. The generation of
	quality random numbers is difficult. RFC 4086 [RANDOM] offers		quality random numbers is difficult. RFC 4086 [RANDOM] offers
	important guidance in this area.		important guidance in this area.
	Unlike DSA and ECDSA, EdDSA does not require the generation of a		Unlike DSA and ECDSA, EdDSA does not require the generation of a
	random value for each signature operation.		random value for each signature operation.
	Using the same private key for different algorithms has the potential		Using the same private key with different algorithms has the
	of allowing an attacker to get extra information about the private		potential to leak extra information about the private key to an
	key. For this reason, the same private key SHOULD NOT be used with		attacker. For this reason, the same private key SHOULD NOT be used
	more than one EdDSA set of parameters. For example, do not use the		with more than one set of EdDSA parameters, although it appears that
	same private key with PureEdDSA and HashEdDSA.		there are no security concerns when using the same private key with
			PureEdDSA and HashEdDSA [EDDSA].
	When computing signatures, the same hash function should be used for		When computing signatures, the same hash function SHOULD be used for
	all operations. This reduces the number of failure points in the		all operations. This reduces the number of failure points in the
	signature process.		signature process.
	6. IANA Considerations		6. IANA Considerations
	This document requires no actions by IANA.		This document requires no actions by IANA.
	7. Acknowledgements		7. Acknowledgements
	Many thanks to Jim Schaad and Daniel Migault for the careful review		Many thanks to Jim Schaad and Daniel Migault for the careful review
End of changes. 5 change blocks.
	9 lines changed or deleted		10 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/