Vote Details

Ballot: Revised DSA mechanism proposal
[New comments on the NO]

1) FIPS 186-4 is now issued. The document should be updated to reflect this.

2) The values in table 4 are completely wrong. It's bytes not bits, and the values for C_Verify need to be tuples e.g. (20, 40), (28, 56) and (32, 64) reflecting the lengths of the input data and input signature respectively.

3) 1.1.6 has an issue in that I believe that any reasonable person reading this would assume that this mechanism (CKM_DSA_PARAMETER_GEN) could be used with any of the pairs of legal key sizes for a DSA key (prime and subprime length) and not just with the (1024, 160) key size. Two of the valid key sizes are (2048, 224) and (2048, 256) which means you can't just assume that the subprime length can be derived from the prime length. That means that - for at least 2048 bit keys - you need to specify the CKA_SUBPRIME_BITS attribute. But then what do you do about backwards compatibility? If you require this to be specified for all prime lengths, you break backwards compatibility. Recommendation here - provide a subprime bits default for each of the valid key lengths.

[Original comments]
I don't know enough about DSA to comment on the technical aspects. These comments may or may not be accurate as they're made without reference back to the DSA document.

In table 4, the input sizes are defined as bits - but I believe those are probably bytes.

The discussion about the encoding of the r and s values should include fixed length and left padded with zeroes or leading zero truncated - an example would be useful.

Is there any relationship between the size of the prime and the size of the subprime? If so, this should be stated.

What is the error code to identify a bad subprime length (say, for key pair generation)?

The addition of CKA_SUBPRIME_BITS as a required attribute is a non-backwards compatible change that affects CKM_DSA_PARAMETER_GEN. Instead EITHER change the language to retain 160 as a default for that attribute if not specified (preferred - change the superscript in the domain params table), OR add a new mechanism that understands CKA_SUBPRIME_BITS.
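The following Python is an added worked example illustrating the points raised in both comment blocks above; it is not code from the ballot, the proposal or the PKCS#11 specification. It puts the corrected byte-length tuples for C_Verify into a table, shows the per-prime-length subprime default the comment recommends (the choice of 256 for a 2048-bit prime is an assumption of this example, since FIPS 186-4 allows both 224 and 256 there; the (L, N) pair set itself is the one FIPS 186-4 lists), and shows the two encodings of r and s side by side: the fixed-length, left-zero-padded r||s form versus DER, where leading zeros are dropped and a 0x00 byte is added only when the top bit is set. All function names are hypothetical and the signature values are constructed.

```python
"""Worked example for the DSA ballot comments above: the byte-length table
for C_Verify, (prime, subprime) validation with a per-prime-length default,
and the two signature encodings (fixed-length r||s versus DER) for r and s.
Constructed illustration only, not code from the PKCS#11 specification."""
from typing import Optional, Tuple

# Input-hash and signature lengths in BYTES for each subprime size, the
# corrected values the ballot comment gives for table 4.
C_VERIFY_LENGTHS = {160: (20, 40), 224: (28, 56), 256: (32, 64)}

# Legal (L, N) = (prime bits, subprime bits) pairs listed in FIPS 186-4.
FIPS_186_4_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}

# Hypothetical defaults per prime length, as the comment recommends.
# 1024 -> 160 keeps the old behaviour; 2048 has two legal N values, so the
# choice of 256 here is an assumption of this example, not of the proposal.
DEFAULT_SUBPRIME_BITS = {1024: 160, 2048: 256, 3072: 256}


def resolve_subprime_bits(prime_bits: int, subprime_bits: Optional[int] = None) -> int:
    """Apply the default when CKA_SUBPRIME_BITS is absent, then validate the pair."""
    if subprime_bits is None:
        if prime_bits not in DEFAULT_SUBPRIME_BITS:
            raise ValueError(f"no default subprime length for a {prime_bits}-bit prime")
        subprime_bits = DEFAULT_SUBPRIME_BITS[prime_bits]
    if (prime_bits, subprime_bits) not in FIPS_186_4_PAIRS:
        raise ValueError(f"({prime_bits}, {subprime_bits}) is not a valid DSA size pair")
    return subprime_bits


def verify_lengths(subprime_bits: int) -> Tuple[int, int]:
    """(input data length, signature length) in bytes for C_Verify."""
    return C_VERIFY_LENGTHS[subprime_bits]


def raw_signature(r: int, s: int, subprime_bits: int) -> bytes:
    """Fixed-length form: r and s each exactly N/8 bytes, left-padded with zeros."""
    n = subprime_bits // 8
    for v in (r, s):
        if v <= 0 or v.bit_length() > subprime_bits:
            raise ValueError("r and s must be positive and fit in the subprime length")
    return r.to_bytes(n, "big") + s.to_bytes(n, "big")


def split_raw_signature(sig: bytes, subprime_bits: int) -> Tuple[int, int]:
    """Inverse of raw_signature; rejects anything but exactly 2 * N/8 bytes."""
    n = subprime_bits // 8
    if len(sig) != 2 * n:
        raise ValueError(f"expected {2 * n} bytes, got {len(sig)}")
    return int.from_bytes(sig[:n], "big"), int.from_bytes(sig[n:], "big")


def _der_integer(x: int) -> bytes:
    """DER INTEGER: minimal length (leading zeros dropped), but a 0x00 is
    prepended when the top bit is set so the value stays positive."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_signature(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }; short-form lengths suffice for N <= 256."""
    body = _der_integer(r) + _der_integer(s)
    if len(body) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return b"\x30" + bytes([len(body)]) + body


def _read_der_integer(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read one short-form DER INTEGER at pos; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] >= 0x80:
        raise ValueError("expected short-form DER INTEGER")
    length = buf[pos + 1]
    body = buf[pos + 2:pos + 2 + length]
    if len(body) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(body, "big"), pos + 2 + length


def der_to_raw(der: bytes, subprime_bits: int) -> bytes:
    """Convert a DER-encoded signature to the fixed-length r||s form."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("expected a short-form DER SEQUENCE")
    r, pos = _read_der_integer(der, 2)
    s, pos = _read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return raw_signature(r, s, subprime_bits)


if __name__ == "__main__":
    # Constructed values: r has its top bit set (DER adds a 0x00), s is tiny
    # (DER drops the leading zeros that the raw form keeps).
    r, s = (1 << 159) | 5, 7
    raw = raw_signature(r, s, 160)
    der = der_signature(r, s)
    print(len(raw), len(der), der_to_raw(der, 160) == raw)
```

Running the script with the constructed values gives a 40-byte raw signature and a 28-byte DER signature for the same (r, s), which is exactly the ambiguity the comment asks the document to resolve with an example: a verifier handed the raw form must insist on 2 * N/8 bytes, while a verifier handed DER must strip the sign byte and re-pad. The per-prime default lets a template that omits CKA_SUBPRIME_BITS keep working for 1024-bit keys while still rejecting a pair such as (1024, 224).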