Re: [Anima-bootstrap] voucher yang

Kent Watsen <kwatsen@juniper.net> Fri, 03 March 2017 18:37 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Date: Fri, 03 Mar 2017 18:37:21 +0000
Message-ID: <2567C73D-2305-4221-9117-0CD38D4EF5F5@juniper.net>
References: <18454.1488305685@obiwan.sandelman.ca> <8CBC8F3C-E796-4042-8AFE-AFDC985DAEF5@juniper.net> <25053.1488422367@obiwan.sandelman.ca> <2C1C2636-DE14-4570-99E8-72AEB0B9D57D@juniper.net> <7371.1488550353@obiwan.sandelman.ca>
In-Reply-To: <7371.1488550353@obiwan.sandelman.ca>
Cc: anima-bootstrap <anima-bootstrap@ietf.org>
Subject: Re: [Anima-bootstrap] voucher yang



>>> What I'm saying is that the pledge can't know how the owner was verified.
>>> The pledge actually has to process the same as for "verified" as for
>>> "logged".  It doesn't change the pledge's behaviour.
>>
>> But it does.  Some pledges may be coded to only support 'verified'
>> vouchers.
>
> I agree, but the verification involved can't be confirmed by the pledge.

The pledge confirms the voucher as a whole, which includes the assertion
statement.  What else might you mean?



>> The DER itself works for me (the privacy concern seems minor).  It's
>> also more code (relative to just using an openssl command line option),
>> but actually it's one step less code than calculating the SHA256
>> fingerprint.
>
> A constrained device might not have a shell to run an openssl command
> line :-)

I'm okay with making it a DER.



>> Okay, let's change the nonce to a binary type.
>
> Can we say the nonce is 8 to 32 bytes in size?
> If we have to pick a single number, I'd say 16 bytes.

According to https://tools.ietf.org/html/rfc7950#section-9.8.1:

   A binary type can be restricted with the "length" (Section 9.4.4)
   statement.  The length of a binary value is the number of octets it
   contains.

And Section 9.4.4 says:

   A length range consists of an explicit value, or a lower bound, two
   consecutive dots "..", and an upper bound.

Which means we can have:

  leaf nonce {
    type binary {
      length 8..32;
    }
  }


Cheers,
Kent
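As an added illustration of the YANG "length" restriction discussed above (not code from the thread or from any ANIMA implementation): a small Python checker that parses a YANG length argument per RFC 7950 section 9.4.4 and applies it to a voucher nonce, plus the base64 encoding RFC 7951 uses for binary values in JSON. It goes slightly beyond the single "8..32" case by also accepting "|"-separated ranges and the "min"/"max" keywords; the function names and the default of 16 octets are my assumptions.

```python
import base64
import re
import secrets

# One YANG length-range part: an explicit value, or "lo..hi"; each bound
# may be a number or the keywords "min"/"max" (RFC 7950, section 9.4.4).
_PART = re.compile(r"^\s*(min|max|\d+)\s*(?:\.\.\s*(min|max|\d+))?\s*$")

NONCE_LENGTH = "8..32"  # the restriction proposed in the thread (assumed name)


def _bound(tok):
    """Map a length-range token to an integer bound; for binary, min is 0."""
    if tok == "min":
        return 0
    if tok == "max":
        return float("inf")  # no fixed upper limit for the binary base type
    return int(tok)


def parse_length(spec):
    """Return inclusive (lo, hi) octet ranges for a YANG 'length' argument."""
    ranges = []
    for part in spec.split("|"):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"bad length range: {part!r}")
        lo = _bound(m.group(1))
        hi = _bound(m.group(2) or m.group(1))
        # RFC 7950 requires ascending, non-overlapping ranges.
        if hi < lo or (ranges and lo <= ranges[-1][1]):
            raise ValueError(f"ranges must be ascending and disjoint: {spec!r}")
        ranges.append((lo, hi))
    return ranges


def nonce_is_valid(nonce, spec=NONCE_LENGTH):
    """The length of a binary value is its number of octets (RFC 7950, 9.8.1)."""
    return any(lo <= len(nonce) <= hi for lo, hi in parse_length(spec))


def new_nonce(size=16):
    """Fresh random nonce of the suggested 16 octets; refuses sizes the schema rejects."""
    if not nonce_is_valid(bytes(size)):
        raise ValueError(f"{size} octets violates length {NONCE_LENGTH}")
    return secrets.token_bytes(size)


def nonce_from_json(text, spec=NONCE_LENGTH):
    """Decode the RFC 7951 base64 form of a binary leaf and enforce the length."""
    raw = base64.b64decode(text, validate=True)
    if not nonce_is_valid(raw, spec):
        raise ValueError(f"nonce of {len(raw)} octets violates length {spec}")
    return raw
```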