Re: [Curdle] draft-ietf-curdle-pkix-00: a simplification proposal
Rob Stradling <rob.stradling@comodo.com> Fri, 22 July 2016 20:54 UTC
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Erwann Abalea <Erwann.Abalea@docusign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/jYdfzrLoqGTK20l7cj399FA9uKA>
Cc: "curdle@ietf.org" <curdle@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>
On 22/07/16 21:08, Ilari Liusvaara wrote:
<snip>
>>>> Using ASN.1 and RFC5912 modules:
>>>>
>>>> -- We need to contact Thawte Consulting, or Verisign, or whoever now
>>>> owns the 1.3.101 OID arc, as OID hijacking is not allowed.
>>>
>>> 1.3.101.100 was used in the IETF -00 draft. I think I heard it got
>>> allocated for EdDSA.
>>
>> I haven’t found an authoritative source for this.
>> It’s not the first time, 1.3.6 belongs to DoD, but 1.3.6.1 was « self-allocated » in RFC1065.
>
> Didn't find anything authoritative, but I did find that Simon
> switched to that OID (from much longer one) in personal -02 draft.

Symantec own Thawte. I persuaded Symantec to offer to reserve/delegate a range of OIDs under 1.3.101 for EdDSA (see [1]). Simon accepted the offer and provisionally allocated some OIDs (see [2]).

After further discussion (private email exchange between Simon, myself and Rick Andrews) it was decided to start the OID range at 1.3.101.100. This was for two reasons:

1) to avoid clashing with any OIDs that Thawte Consulting might have allocated many years ago. For example, I found evidence that 1.3.101.1.4 and 1.3.101.1.4.1 had been allocated previously.

2) because the printable ASCII for the DER encoding of these OIDs is, frankly, irresistible (see [3]). :-)

It's not clear from my records if Rick reserved/delegated 1.3.101.100...1.3.101.115 or 1.3.101.100..1.3.101.127 for EdDSA. It won't be hard to clarify that with Symantec though.

Please don't use any 1.3.101.x.y OIDs until we've run out of 1.3.101.x OIDs. There's no point wasting bytes.

[1] https://www.ietf.org/mail-archive/web/tls/current/msg16798.html
[2] https://www.ietf.org/mail-archive/web/tls/current/msg16835.html
[3] https://www.ietf.org/mail-archive/web/tls/current/msg16586.html

>>>> id-EdXKeyAgreementAlgorithm OBJECT IDENTIFIER ::= { iso(1)
>>>> identified-organization(3) thawte(101) 102 }
>>>
>>> I don't know what 1.3.101.102 is…
>>
>> That’s why there’s a commentary saying it needs to be discussed.
>> sa-Ed* make use of the pk-Ed* keys.
>> There’s no defined use of pk-X* keys, and they’re used for key agreement.
>
> X.509 SPKI is used for more purposes than just X.509.
>
>> Since in the message I replied to, you proposed the following DER encoded sigalg:
>> 30 06 06 04 2B 65 64/65 01 Ed25519
>> It seemed you wanted to use 1.3.101.101 for signature algorithms, so I expanded to 1.3.101.102 for key agreement algorithms.
>> But again, it’s a subject of discussion.
>
> Back when I wrote that, I had missed that reuse is OK. And as I noted
> then one should use those 64 values.
>
> -Ilari

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ
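
The byte counts behind the 1.3.101.x versus 1.3.101.x.y point in the message above, as an added example that is not part of the original message or of any draft. The function names are hypothetical, and the sample bytes are the "64" variant of the AlgorithmIdentifier quoted in the thread.

```python
def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as a complete TLV (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    body = bytearray()
    # X.690: the first two arcs share one subidentifier, 40*arc1 + arc2.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]                 # last byte: high bit clear
        value >>= 7
        while value:                           # earlier bytes: high bit set
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(tlv: bytes) -> str:
    """Decode a short-form DER OID TLV, rejecting non-minimal subidentifiers."""
    if len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] != len(tlv) - 2 or tlv[-1] & 0x80:
        raise ValueError("not a well-formed short-form DER OID")
    subids, value, start = [], 0, True
    for byte in tlv[2:]:
        if start and byte == 0x80:
            raise ValueError("non-minimal subidentifier")
        value = (value << 7) | (byte & 0x7F)
        start = not byte & 0x80
        if start:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))


def content_ascii(dotted: str) -> str:
    """Content octets of the encoded OID, shown as ASCII ('.' if unprintable)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in encode_oid(dotted)[2:])


if __name__ == "__main__":
    # AlgorithmIdentifier bytes quoted in the thread, taking the "64" variant.
    quoted = bytes.fromhex("30 06 06 04 2B 65 64 01")
    print("quoted sigalg OID:", decode_oid(quoted[2:]))
    for oid in ("1.3.101.100", "1.3.101.127", "1.3.101.128", "1.3.101.100.1"):
        tlv = encode_oid(oid)
        print(f"{oid:15} {tlv.hex(' '):18} {len(tlv)} bytes  {content_ascii(oid)!r}")
```

Arcs up to 127 under 1.3.101 fit in one content byte, so 1.3.101.100 through 1.3.101.127 each encode to a 5-byte TLV, while 1.3.101.128 or any 1.3.101.x.y form needs at least 6.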