Re: [Curdle] Review of draft-ietf-curdle-cms-ecdh-new-curves-03
Russ Housley <housley@vigilsec.com> Mon, 10 April 2017 18:29 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BCE2129A8F for <curdle@ietfa.amsl.com>; Mon, 10 Apr 2017 11:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxrKaBBSlQQ7 for <curdle@ietfa.amsl.com>; Mon, 10 Apr 2017 11:29:18 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9B8712951B for <curdle@ietf.org>; Mon, 10 Apr 2017 11:29:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 519F6300408 for <curdle@ietf.org>; Mon, 10 Apr 2017 14:29:17 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id XBMIDHGrFpiy for <curdle@ietf.org>; Mon, 10 Apr 2017 14:29:15 -0400 (EDT)
Received: from new-host-2.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id D7A94300229; Mon, 10 Apr 2017 14:29:15 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <002801d2b21f$2c44ea90$84cebfb0$@augustcellars.com>
Date: Mon, 10 Apr 2017 14:29:15 -0400
Cc: draft-ietf-curdle-cms-ecdh-new-curves@ietf.org, curdle <curdle@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0C63B981-D52F-4788-88C0-146C0B04F17A@vigilsec.com>
References: <002801d2b21f$2c44ea90$84cebfb0$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/ZkiOHEv9EC7HHDTCT3ibQFadRGE>
Subject: Re: [Curdle] Review of draft-ietf-curdle-cms-ecdh-new-curves-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 18:29:20 -0000
Jim:
Thanks for your note. I missed these changes. I will not post an updated draft until you confirm that this is aligned with draft-ietf-curdle-pkix.
> Section 3.2 - This section is wrong. It is using the wrong structure.
> idecPublicKey is wrong.
I see that this needs to align with Section 3 of draft-ietf-curdle-pkix.
By the way, that section should drop the “(for the four EdDSA related OIDs)” since the document now only talks about the pure EdDSA version.
I removed the discussion if id-ecPublicKey and ECParameters. That part of Section 3.2 in my edit buffer now says:
The KeyAgreeRecipientInfo originator provides three alternatives for
identifying the originator's public key, and the originatorKey
alternative MUST be used. The originatorKey MUST contain an
ephemeral key for the originator. The originatorKey algorithm field
MUST contain the id-X25519 or the id-X448 object identifier. The
originator's ephemeral public key MUST be encoded as an OCTET STRING.
The object identifiers for X25519 and X448 have been assigned in
[ID.curdle-pkix]. They are repeated below for convenience.
When using X25519, the public key contains exactly 32 octets, and the
id-X25519 object identifier is used:
id-X25519 OBJECT IDENTIFIER ::= { 1 3 101 110 }
When using X448, the public key contains exactly 56 octets, and the
id-X448 object identifier is used:
id-X448 OBJECT IDENTIFIER ::= { 1 3 101 111 }
> These are all nice to haves, but I don't really care if they don't get done.
>
> I would prefer that the check of the all-zero output in section 2.0 be a
> SHOULD rather than a MAY.
I changed MAY to SHOULD.
> Section 2 last paragraph - add network order to the string on representing
> the number
Done. It now reads:
The ECC-CMS-SharedInfo suppPubInfo field contains the length of the
generated key-encryption key, in bits, represented as a 32-bit number
in network byte order. For example, the key length for AES-256 [AES]
would be 0x00000100.
> Section 2.1 - I don't know if you should say that the left most bits of the
> result are used. I know that is correct so I have a problem reading it any
> other way.
Done. It now reads:
To generate a key-encryption key (KEK), the KDF generates one or more
KM blocks, with the counter starting at 0x00000001, and incrementing
the counter for each subsequent KM block until enough material has
been generated. The 32-bit counter is represented in network byte
order. The KM blocks are concatenated left to right, and then the
leftmost portion of the result is used as the pairwise key-encryption
key, KEK:
KM(i) = Hash(K || INT32(counter=i) || DER(ECC-CMS-SharedInfo))
KEK = KM(counter=1) || KM(counter=2) ...
Russ