Comments (9)
I'm still convinced that this is a specification bug. "ecdsa-sha2-nistp256" is not a key type. At least the hash algorithm is only relevant for signing. Unless we define "key type" as the information needed for signing/verifying. But then why have key type and scheme? My preferred fix would be to deprecate the key type field altogether. We really only need scheme.
Practical advantage is less ambiguity (in a very complex specification) and less data on the wire (granted, not that important).
I agree that changing key type of "ecdsa-sha2-nistp*" keys to ecdsa in securesystemslib alone is not a big win, and more likely an interoperability problem.
from securesystemslib.
Sure, spec defines three keytypes and allows all implementers to define new ones. Using those implementation-defined keys is totally fine if interoperability is not a goal.
The issue is that a python-tuf repository user who decides to create ecdsa keys probably assumes they would be spec-defined ecdsa keys... but they are not, they are implementation-defined keys. So the repository ends up spec compliant but likely not interoperable.
I agree that this is a specification bug. I have created a PR theupdateframework/specification#272 to capture what appears to be the spec's current intent and document the keytype as "ecdsa". I've also added key formats to the agenda for the TUF project meeting at KubeCon EU.
cc @rdimitrov
This still leads me to wonder what the practical advantage of changing this key type name was.
I understand that some people think keytypes are unneeded (and scheme should fully define the type/scheme)... but why keep making changes to key type then?
oh yeah, you are right and I was confused (I thought the spec had changed):
- "ecdsa-sha2-nistp256" is one of the three keytypes that the spec actually defines, "ecdsa" is not one of them
- ecdsa keys created with securesystemslib have keytype "ecdsa" since PR #267
The way I read the spec, it also kind of offloads the definition of key types to the reference implementation.
theupdateframework/specification#272 has been merged. @jku, can we close here?
👍
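An added example (not code from this thread or from securesystemslib) that makes the interoperability point concrete: a small lint over TUF key objects that flags the implementation-defined keytype "ecdsa" as spec-compliant but not interoperable, catches a keytype/scheme mismatch, and shows that under the keyid convention assumed here (sha256 over canonical JSON of the key object) the same public key material gets a different keyid depending on which keytype string it carries. The key material and the SPEC_KEYTYPES set are constructed/assumed for the example.

```python
import hashlib
import json

# Keytypes the TUF specification itself defines (the thread notes the spec
# also lets implementations define their own).
SPEC_KEYTYPES = {"rsa", "ed25519", "ecdsa-sha2-nistp256"}
# Keytype securesystemslib assigns to ECDSA keys (per the thread, since PR #267).
IMPL_ECDSA_KEYTYPE = "ecdsa"


def canonical_json(obj) -> bytes:
    # Assumption: canonical JSON = sorted keys, no whitespace. For the plain
    # ASCII strings used here this matches OLPC canonical JSON output.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def keyid_for(key: dict) -> str:
    """keyid = sha256(canonical JSON of {keytype, scheme, keyval.public}).
    Assumed convention for the example; note the keytype string is hashed,
    so relabelling a key changes its keyid."""
    body = {"keytype": key["keytype"], "scheme": key["scheme"],
            "keyval": {"public": key["keyval"]["public"]}}
    return hashlib.sha256(canonical_json(body)).hexdigest()


def check_key(key: dict) -> list:
    """Return interoperability findings for one TUF key dict ([] = clean)."""
    findings = []
    kt, scheme = key["keytype"], key["scheme"]
    if kt not in SPEC_KEYTYPES:
        findings.append(f"keytype {kt!r} is implementation-defined: other TUF "
                        "implementations may reject or fail to verify it")
    if kt == IMPL_ECDSA_KEYTYPE or kt.startswith("ecdsa-sha2-"):
        if not scheme.startswith("ecdsa-sha2-nistp"):
            findings.append(f"scheme {scheme!r} is not an ECDSA scheme")
        elif kt.startswith("ecdsa-sha2-") and scheme != kt:
            findings.append(f"keytype {kt!r} does not match scheme {scheme!r}")
    return findings


# Constructed placeholder public key; real keyval.public would be a PEM blob.
PUB = "-----BEGIN PUBLIC KEY-----\nEXAMPLE\n-----END PUBLIC KEY-----\n"
IMPL_KEY = {"keytype": "ecdsa", "scheme": "ecdsa-sha2-nistp256",
            "keyval": {"public": PUB}}
SPEC_KEY = {"keytype": "ecdsa-sha2-nistp256", "scheme": "ecdsa-sha2-nistp256",
            "keyval": {"public": PUB}}
MISMATCH_KEY = {"keytype": "ecdsa-sha2-nistp256", "scheme": "ecdsa-sha2-nistp384",
                "keyval": {"public": PUB}}
```

Run `check_key` over the `keys` section of a root metadata file before publishing to spot keys that only securesystemslib-based clients will accept.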