yahoo-eng-team team mailing list archive

[Bug 1513973] [NEW] Add support for additional signature types

 

Public bug reported:

Currently, the only supported signature type for image signature
verification [1] is RSA-PSS, although the signature type used is
configurable.

It would be advantageous to support multiple types of signatures beyond
just RSA-PSS.  For one, different types of signatures become out of date
with time (for example, PKCS1v15 is no longer recommended for new
applications).  Also, the signature length is currently limited to 255,
which limits RSA-PSS signatures to having a 1024-bit key, which is less
than the minimum recommended key size for RSA.  Elliptic Curve
signatures, on the other hand, could fit into the 255 limit while still
using a recommended key size.

This lite spec is for the addition of verification support for two
additional signature types: DSA and Elliptic Curve.

Note that this support was discussed during the Tokyo Summit [2] and it
was decided that it should be tracked as a lite spec.

[1] http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
[2] https://etherpad.openstack.org/p/mitaka-glance-image-signing-and-encryption

** Affects: glance
     Importance: Undecided
         Status: New


** Tags: spec-lite

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1513973

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1513973/+subscriptions
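
The size argument in the report above, worked through as an added example (not Glance code and not part of the original report). It assumes the 255 limit applies to the base64 text of the signature and that DSA and ECDSA signatures are DER-encoded (r, s) pairs; all function names are hypothetical.

```python
import math

LIMIT = 255  # signature length limit stated in the bug report

def b64_len(n_bytes):
    """Characters of padded base64 needed for n_bytes (assumed storage form)."""
    return 4 * math.ceil(n_bytes / 3)

def rsa_sig_bytes(modulus_bits):
    """An RSA signature (PSS or PKCS1v15) is exactly as long as the modulus."""
    return math.ceil(modulus_bits / 8)

def der_len_field(content_len):
    """Size of a DER length field: short form below 128, long form otherwise."""
    if content_len < 128:
        return 1
    return 1 + math.ceil(content_len.bit_length() / 8)

def der_integer_max(order_bits):
    """Worst-case DER INTEGER for a value below a group order of order_bits."""
    # Either the top byte is partly used, or a 0x00 sign byte is prepended.
    content = order_bits // 8 + 1
    return 1 + der_len_field(content) + content

def dsa_style_sig_bytes_max(order_bits):
    """Worst-case DER SEQUENCE { INTEGER r, INTEGER s } (DSA and ECDSA)."""
    body = 2 * der_integer_max(order_bits)
    return 1 + der_len_field(body) + body

def max_rsa_bits_within(limit=LIMIT):
    """Largest RSA modulus whose base64 signature fits in limit characters."""
    return (limit // 4) * 3 * 8

def report(limit=LIMIT):
    """Map each scheme to (signature bytes, base64 chars, fits limit)."""
    sizes = {
        "RSA-1024": rsa_sig_bytes(1024),
        "RSA-2048": rsa_sig_bytes(2048),
        "DSA q=256": dsa_style_sig_bytes_max(256),
        "ECDSA P-256": dsa_style_sig_bytes_max(256),
        "ECDSA P-384": dsa_style_sig_bytes_max(384),
        "ECDSA P-521": dsa_style_sig_bytes_max(521),
    }
    return {k: (n, b64_len(n), b64_len(n) <= limit) for k, n in sizes.items()}

if __name__ == "__main__":
    for name, (n, chars, ok) in report().items():
        print(f"{name:12} {n:4d} bytes {chars:4d} base64 chars fits={ok}")
    print("largest RSA modulus that fits:", max_rsa_bits_within(), "bits")
```

Under these assumptions a 2048-bit RSA signature needs 344 characters, while even a worst-case P-521 signature needs 188.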

