[Curdle] Review of draft-ietf-curdle-pkix-04
David Benjamin <davidben@chromium.org> Wed, 29 March 2017 17:31 UTC
Return-Path: <davidben@google.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86752129453 for <curdle@ietfa.amsl.com>; Wed, 29 Mar 2017 10:31:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFpOCOcXrA-e for <curdle@ietfa.amsl.com>; Wed, 29 Mar 2017 10:31:43 -0700 (PDT)
Received: from mail-pg0-x231.google.com (mail-pg0-x231.google.com [IPv6:2607:f8b0:400e:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4839F129449 for <curdle@ietf.org>; Wed, 29 Mar 2017 10:31:43 -0700 (PDT)
Received: by mail-pg0-x231.google.com with SMTP id 21so14089169pgg.1 for <curdle@ietf.org>; Wed, 29 Mar 2017 10:31:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=xW5JRt5eHWOVpZlkXMUZASgWNXEUaR8yrjYWNTV7rg0=; b=D3UI8HFYqEytD4Ss32tJu4ktidmVVn/+TziZaBhpxtoKsIQpAGD+hqjWzoAAGJvlA2 7+Vf6FVeUzxduBFKb2vEDn5olXIzkFY3xkl8BQOiQdKhSYIDaEeZvvPCQ7YALKctpGON 0mJh/4SexX3kqgeEVSQ7W64sarpAF7KiJjPZA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=xW5JRt5eHWOVpZlkXMUZASgWNXEUaR8yrjYWNTV7rg0=; b=mw6Ofl+eXmnJsUFBIFrTYcYHabUnp5UKE+wUFtWA8ewnoUKI2uLo1Ou+gJrhFJxYa0 ZnSejRszboSeecFNAh8GX7FN7niEf7F1tw+aG1otVrfbv+80yz2PXkVwKDpxNI20aAu2 +FkwWpoRHVectT/ucan+uZoLyoT9jyVsne0n+au1vFfbjRM01vBhk0t7RYDagX3LdtPm MvLngVYKBYEZidx8Fon64cC1oM9LrzOC6BaGe/ne8ebLSSM5E4djMsPpKdNFI7cejli2 Jr8eIpRx8ZAbacta/lC4L0Xx0gT33uL/ceLSoiKKMNKBgZu9cVstGpJ1BiBdLot4249Q fWbQ==
X-Gm-Message-State: AFeK/H3mZYKNbyYbkAaGLZRe+YM5MDBMntQHbYYiDsI9J8sj+5Uqh0pXkoH0MBkiPVQMx3JGH8JqMj4O79YdhgTV
X-Received: by 10.84.217.2 with SMTP id o2mr1919824pli.51.1490808702547; Wed, 29 Mar 2017 10:31:42 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Wed, 29 Mar 2017 17:31:31 +0000
Message-ID: <CAF8qwaCqv7gv2DD9mxTQqZ_y8aDD=5KMuz4J2kj-Z5Zp0UPJKw@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c19fe1424f8f0054be1f3e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/bJ1APIl4wtz9aqJ7hQqAA73VAks>
Subject: [Curdle] Review of draft-ietf-curdle-pkix-04
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 17:31:45 -0000
Overall, the document looks good to me. I've actually just implemented it along with the TLS bits in BoringSSL and our Go testing implementation. Seems to work. (Though I haven't done anything with the signature yet, just parsing out keys. Our X.509 story is a little funny since Chrome currently uses OS verifiers.) I have a handful of comments. They are all entirely editorial and mostly nitpicks. In section 3, The same algorithm identifiers are used for identifying a public key, identifying a private key and identifying a signature (for the four EdDSA related OIDs). Additional encoding information is provided below for each of these locations. "four EdDSA related OIDs" should now be "two EdDSA related OIDs" In section 4, o subjectPublicKey contains the byte stream of the public key. While the encoded public keys for the current algorithms are all an even number of octets, future curves could change that. I would suggest replacing the last sentence with "For the algorithms defined in this document, the encoded public keys are an even number of octets." If future curves do something funny, they'll be defined with independent OIDs and won't be bound by any explanatory notes in this document. In section 5, If the keyUsage extension is present in a certificate that indicates id-X25119 or id-X448 in SubjectPublicKeyInfo, then the following MUST be present: "id-X25119" should be "id-X25519". Also, a exceedingly nitpicky nitpick: the various lists of keyUsage values are all indented differently. I'm not sure if this is an artifact of some centering thing or a formatting error. In section 7, For the keys defined in this document, the private key is always an opaque byte sequence. The ASN.1 type CurvePrivateKey is defined in this document to hold the byte sequence. Thus when encoding a OneAsymmetricKey object, the private key is wrapped in an CurvePrivateKey object and wrapped by the OCTET STRING of the 'privateKey' field. The 'privateKey' field is described with single quotes, but in the following paragraph, the "privateKey", "privateKeyAlgorithm", and "publicKey" fields are described with double quotes. In section 8, When the curve is known, use a more specific string. For the id- EdDSA25519 value use the string "Ed25519". For id-EdDSA448 use "Ed448". In keeping with its own advice and to match the names in section 3, "id-EdDSA25519" should be "id-Ed25519" and "id-EdDSA448" should be "id-Ed448". The names also show up elsewhere in the document and should match. In section 10.2, The OIDs in the sample certificate are referred to as "EdDSA 25519 signature algorithm" and "ECDH 25519 key agreement", contradicting the document's own advice on human-readable names. David
- [Curdle] Review of draft-ietf-curdle-pkix-04 David Benjamin
- Re: [Curdle] Review of draft-ietf-curdle-pkix-04 David Benjamin
- Re: [Curdle] Review of draft-ietf-curdle-pkix-04 Jim Schaad
- Re: [Curdle] Review of draft-ietf-curdle-pkix-04 Russ Housley