[Anima-bootstrap] SHA1 usage in Anima-bootstrap voucher yang
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 02 March 2017 01:52 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9008B129479; Wed, 1 Mar 2017 17:52:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nLU1ch8BUknt; Wed, 1 Mar 2017 17:52:55 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ED031293F5; Wed, 1 Mar 2017 17:52:55 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id BF7B0E20F; Wed, 1 Mar 2017 21:15:10 -0500 (EST)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 5596F6381A; Wed, 1 Mar 2017 20:52:51 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: SPASM <SPASM@ietf.org>
In-Reply-To: <18454.1488305685@obiwan.sandelman.ca>
References: <18454.1488305685@obiwan.sandelman.ca>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 01 Mar 2017 20:52:51 -0500
Message-ID: <14573.1488419571@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/AFLHo1WARkRjlF32h3bTFW9L9kw>
Cc: anima-bootstrap <anima-bootstrap@ietf.org>
Subject: [Anima-bootstrap] SHA1 usage in Anima-bootstrap voucher yang
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 01:52:56 -0000
In the ANIMA ownership voucher YANG model, the absolute latest which you can currently see at: https://github.com/anima-wg/voucher/blob/master/draft-ietf-anima-voucher-01.txt we write at line 574: leaf subject-hash { type binary; description "The certificate's entire subject field MUST match this value. This value is calculated as the SHA-1 hash over the TBSCertificate's subject structure, as specified by RFC 5280 Section 4.1.2.6, encoded using the ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. Note: by using the SHA-1 algorithm, the result can be easily compared to OpenSSL's 'subject_hash' output."; } The voucher is a signed artifact (PKCS7? JWT? CWT? TBD) which indicates to a particular device who the devices owner is. ("Are you my mummy?" for Dr.Who Fans) For reasons of key hygiene and longevity, in many cases we do not want to point at the public key of the registrar directly, but rather indicate that it's DN=Foo, as signed by CA=Bar. It seems like there ought be a better way to do this kind of thing than what we specify above, which is annoyingly SHA1 linked. Can SPASM offer any advice? We could list the actual DER itself. Encoded, it might actually not be bigger than a SHA256, for instance. That might have privacy implications though, which we'd need to think through. Some time ago, I proposed replicating the SIDR artifact (RFC3779), and copy and pasted it to make: https://www.ietf.org/archive/id/draft-richardson-anima-idevid-cert-00.txt but, we didn't really want to go exactly that way. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Anima-bootstrap] voucher yang Kent Watsen
- [Anima-bootstrap] voucher yang Michael Richardson
- Re: [Anima-bootstrap] voucher yang Kent Watsen
- [Anima-bootstrap] SHA1 usage in Anima-bootstrap v… Michael Richardson
- Re: [Anima-bootstrap] voucher yang Michael Richardson
- Re: [Anima-bootstrap] voucher yang Kent Watsen
- Re: [Anima-bootstrap] voucher yang Michael Richardson
- Re: [Anima-bootstrap] [Spasm] SHA1 usage in Anima… Russ Housley
- Re: [Anima-bootstrap] [Spasm] SHA1 usage in Anima… Sean Turner
- Re: [Anima-bootstrap] [Spasm] SHA1 usage in Anima… Michael Richardson
- Re: [Anima-bootstrap] voucher yang Michael Richardson
- Re: [Anima-bootstrap] [Spasm] SHA1 usage in Anima… Russ Housley