[Curdle] Review of draft-ietf-curdle-pkix-04
David Benjamin <davidben@chromium.org> Wed, 29 March 2017 17:31 UTC
Return-Path: <davidben@google.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86752129453 for <curdle@ietfa.amsl.com>; Wed, 29 Mar 2017 10:31:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFpOCOcXrA-e for <curdle@ietfa.amsl.com>; Wed, 29 Mar 2017 10:31:43 -0700 (PDT)
Received: from mail-pg0-x231.google.com (mail-pg0-x231.google.com [IPv6:2607:f8b0:400e:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4839F129449 for <curdle@ietf.org>; Wed, 29 Mar 2017 10:31:43 -0700 (PDT)
Received: by mail-pg0-x231.google.com with SMTP id 21so14089169pgg.1 for <curdle@ietf.org>; Wed, 29 Mar 2017 10:31:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=xW5JRt5eHWOVpZlkXMUZASgWNXEUaR8yrjYWNTV7rg0=; b=D3UI8HFYqEytD4Ss32tJu4ktidmVVn/+TziZaBhpxtoKsIQpAGD+hqjWzoAAGJvlA2 7+Vf6FVeUzxduBFKb2vEDn5olXIzkFY3xkl8BQOiQdKhSYIDaEeZvvPCQ7YALKctpGON 0mJh/4SexX3kqgeEVSQ7W64sarpAF7KiJjPZA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=xW5JRt5eHWOVpZlkXMUZASgWNXEUaR8yrjYWNTV7rg0=; b=mw6Ofl+eXmnJsUFBIFrTYcYHabUnp5UKE+wUFtWA8ewnoUKI2uLo1Ou+gJrhFJxYa0 ZnSejRszboSeecFNAh8GX7FN7niEf7F1tw+aG1otVrfbv+80yz2PXkVwKDpxNI20aAu2 +FkwWpoRHVectT/ucan+uZoLyoT9jyVsne0n+au1vFfbjRM01vBhk0t7RYDagX3LdtPm MvLngVYKBYEZidx8Fon64cC1oM9LrzOC6BaGe/ne8ebLSSM5E4djMsPpKdNFI7cejli2 Jr8eIpRx8ZAbacta/lC4L0Xx0gT33uL/ceLSoiKKMNKBgZu9cVstGpJ1BiBdLot4249Q fWbQ==
X-Gm-Message-State: AFeK/H3mZYKNbyYbkAaGLZRe+YM5MDBMntQHbYYiDsI9J8sj+5Uqh0pXkoH0MBkiPVQMx3JGH8JqMj4O79YdhgTV
X-Received: by 10.84.217.2 with SMTP id o2mr1919824pli.51.1490808702547; Wed, 29 Mar 2017 10:31:42 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Wed, 29 Mar 2017 17:31:31 +0000
Message-ID: <CAF8qwaCqv7gv2DD9mxTQqZ_y8aDD=5KMuz4J2kj-Z5Zp0UPJKw@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c19fe1424f8f0054be1f3e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/bJ1APIl4wtz9aqJ7hQqAA73VAks>
Subject: [Curdle] Review of draft-ietf-curdle-pkix-04
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 17:31:45 -0000
Overall, the document looks good to me. I've actually just implemented it
along with the TLS bits in BoringSSL and our Go testing implementation.
Seems to work. (Though I haven't done anything with the signature yet, just
parsing out keys. Our X.509 story is a little funny since Chrome currently
uses OS verifiers.)
I have a handful of comments. They are all entirely editorial and mostly
nitpicks.
In section 3,
The same algorithm identifiers are used for identifying a public key,
identifying a private key and identifying a signature (for the four
EdDSA related OIDs). Additional encoding information is provided
below for each of these locations.
"four EdDSA related OIDs" should now be "two EdDSA related OIDs"
In section 4,
o subjectPublicKey contains the byte stream of the public key.
While the encoded public keys for the current algorithms are all
an even number of octets, future curves could change that.
I would suggest replacing the last sentence with "For the algorithms
defined in this document, the encoded public keys are an even number of
octets." If future curves do something funny, they'll be defined with
independent OIDs and won't be bound by any explanatory notes in this
document.
In section 5,
If the keyUsage extension is present in a certificate that indicates
id-X25119 or id-X448 in SubjectPublicKeyInfo, then the following MUST
be present:
"id-X25119" should be "id-X25519".
Also, a exceedingly nitpicky nitpick: the various lists of keyUsage values
are all indented differently. I'm not sure if this is an artifact of some
centering thing or a formatting error.
In section 7,
For the keys defined in this document, the private key is always an
opaque byte sequence. The ASN.1 type CurvePrivateKey is defined in
this document to hold the byte sequence. Thus when encoding a
OneAsymmetricKey object, the private key is wrapped in an
CurvePrivateKey object and wrapped by the OCTET STRING of the
'privateKey' field.
The 'privateKey' field is described with single quotes, but in the
following paragraph, the "privateKey", "privateKeyAlgorithm", and
"publicKey" fields are described with double quotes.
In section 8,
When the curve is known, use a more specific string. For the id-
EdDSA25519 value use the string "Ed25519". For id-EdDSA448 use
"Ed448".
In keeping with its own advice and to match the names in section 3,
"id-EdDSA25519" should be "id-Ed25519" and "id-EdDSA448" should be
"id-Ed448". The names also show up elsewhere in the document and should
match.
In section 10.2,
The OIDs in the sample certificate are referred to as "EdDSA 25519
signature algorithm" and "ECDH 25519 key agreement", contradicting the
document's own advice on human-readable names.
David
- [Curdle] Review of draft-ietf-curdle-pkix-04 David Benjamin
- Re: [Curdle] Review of draft-ietf-curdle-pkix-04 David Benjamin
- Re: [Curdle] Review of draft-ietf-curdle-pkix-04 Jim Schaad
- Re: [Curdle] Review of draft-ietf-curdle-pkix-04 Russ Housley