Clarification on ECDSA signatures

[ejholmes]

We're big fans of HTTP Signatures at @remind101, and have recently contributed support for the rsa-sha1, rsa-sha256 and ecdsa-sha256 algorithms in the Go version from 99designs: 99designs/httpsignatures-go#12

The problem that we're seeing is that:

1. A lot of http signature libraries are missing RSA/ECDSA support.
2. The ones that do implement ECDSA, seem to be implementing an inconsistent signature format that doesn't follow the spec. In our experience, our Go implementation is the only one that seems to be using the correctly specified algorithm for generating an ECDSA signature, defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.3

If you open https://tools.ietf.org/html/draft-cavage-http-signatures-10 in a browser, and search for "ecdsa", there's only one mention in Appendix E.:

Algorithm Name: ecdsa-sha256
Reference: ES256 in JOSE JSON Web Algorithms
[I-D.ietf-jose-json-web-algorithms], Section 3.4
Status: active

Clicking through this brings you down to a link to the JWA RFC:

[I-D.ietf-jose-json-web-algorithms]
Jones, M., "JSON Web Algorithms (JWA)", draft-ietf-jose-
json-web-algorithms-20 (work in progress), January 2014.

And finally, clicking through to this only links to the RFC, but not to the specific section (3.4) that specifies the ecdsa signature format.

I think it would be helpful if the HTTP Signatures RFC provided some test cases and examples for validating ECDSA signatures, like is done for RSA and HMAC in section 4.1.1 and section 4.1.2, respectively. This should include an ECDSA private key in PEM format, and an example signature that should verify with the public key, so that implementers can ensure proper conformance.

[msporny]

Yes, agreed that conformance is an issue.

The real fix to this is that we need a test suite and test reports across implementations. We don't want to junk up the spec with tons of example tests (ECDSA is not the only one we'd want to cover). We have not made much progress on that over the past several years, but may be able to in the next six months or so since we've hired a few people to do just that. In the meantime, we'll track the issue here.

Thanks for raising it, we'll do something about this in time.

[dancju]

Can I use a bitcoin key pair for this ECDSA signature, which uses a fixed (p, a, b, G)?

[msporny]

Can I use a bitcoin key pair for this ECDSA signature, which uses a fixed (p, a, b, G)?

Yes, supporting the Secp256k1 curve is a design goal. We just need someone to contribute the implementation.

@ejholmes -- also, we're currently developing a test suite to reduce the conformance problems you are noting. Development on the conformance test suite started last week... we expect the first pass to be done in a couple of weeks. We'll announce the test suite in issue #1 and request that implementations implement against that.

[liamdennehy]

@ejholmes Since this is not an issue for the specification itself, can you watch #1 as @msporny suggests so we can close this issue?

[ejholmes]

Done. Thanks!