IETF Logo Mail Archive

Re: [Curdle] AlgorithmIdentifier parameters in draft-ietf-curdle-pkix-03

David Benjamin <davidben@chromium.org> Thu, 23 March 2017 17:16 UTC

Return-Path: <davidben@google.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E6AB129A63 for <curdle@ietfa.amsl.com>; Thu, 23 Mar 2017 10:16:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSEGJvZo-XuC for <curdle@ietfa.amsl.com>; Thu, 23 Mar 2017 10:16:45 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA185129B07 for <curdle@ietf.org>; Thu, 23 Mar 2017 10:16:39 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id o126so108511555pfb.3 for <curdle@ietf.org>; Thu, 23 Mar 2017 10:16:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HckgXSpcnQ/IRFuMHRR6uDx4Mp2dJJ9VPTS71u6cQGY=; b=N1p3UpGMyCq3Puw4MKEM2UUSUWt7IxVU6if8cYBftDDdnUmECfH70izgayMSUN3fjC 04BWw49+/n3N/xU/OWYISQRuX2Sasjg/cIUNT/cr/az8fQXYSdmMEJxeIji6OvLCaX60 +A0sPkItAXkkUBZlolUbExgKNOBgJaaOzyOoA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HckgXSpcnQ/IRFuMHRR6uDx4Mp2dJJ9VPTS71u6cQGY=; b=F+luzFAy73QZJYVIKQk2dHsuRiuo0SbhlI480AtcbjP4jtKspRY7ncwluCCT35upKn /15ye/YLLUrCxVQObfhGmNCkhpZYyyqT66OcXjLc0/5VHJTvSh3S/JCZM/y/4PRpN+tD GAP/QMSbDntRKjHiM5v591X4EuSqqxcC0paVXBYdIVQz0Y+5ah+ReHOBqdI0BW2HE//3 nI9dWUm6qe6IJnnCdEkqHjIHb5+EvBFwlY90qwbPNI62L+QeewqVGtDu/+OAyz8ttr9s SajJSm+5X63d163CPGMkHJdgjNFcaog58K5sQrAK2/8wPrgdyAQCeMZWmx3AN6qNLAMK h1+g==
X-Gm-Message-State: AFeK/H0IB7MGfemZsOv6vL/8lnNDgdXQ9kQhLdR352QuM8diV+kBSOfxFvkQ63digPCKlQsGDjwSWVyGeLoji9ph
X-Received: by 10.99.139.196 with SMTP id j187mr4164758pge.176.1490289399443; Thu, 23 Mar 2017 10:16:39 -0700 (PDT)
MIME-Version: 1.0
References: <7d6cfe29-8d4c-436e-fe8a-0cbee915b29e@mail.i2p> <20170311061838.879BAADF28@smtp.postman.i2p> <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5C93@eusaamb107.ericsson.se> <20170314174216.56419ADF21@smtp.postman.i2p> <20170321233151.6B3F8ADF28@smtp.postman.i2p> <22B37E49-154A-4C39-B4F8-4D292C8A9615@vigilsec.com>
In-Reply-To: <22B37E49-154A-4C39-B4F8-4D292C8A9615@vigilsec.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 23 Mar 2017 17:16:27 +0000
Message-ID: <CAF8qwaD9XcT6ZGGF619Cb9C_rduMPneYHv3YYe3TP-N4Lc-CSA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>, str4d <str4d@i2pmail.org>
Cc: "curdle@ietf.org" <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c03e4e8448dbf054b690a4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/kBegVi9UGFWNRXUar_QH2X7kFSs>
Subject: Re: [Curdle] AlgorithmIdentifier parameters in draft-ietf-curdle-pkix-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 17:16:47 -0000

On Thu, Mar 23, 2017 at 12:49 PM Russ Housley <housley@vigilsec.com> wrote:

> > How would the following language (or something to this effect) work as a
> > compromise?
> >
> >   In this document we defined six new OIDs for identifying the
> >   different curve/algorithm pairs.  The curves being Curve25519 and
> >   Curve448.  The algorithms being ECDH, EdDSA in pure mode and EdDSA in
> >   pre-hash mode.  For all of the OIDs, the parameters MUST be absent.
> >   Regardless of the defect in the original 1997 syntax, implementations
> >   MUST NOT write out a parameters value of NULL, and MUST NOT accept a
> >   parameters value of NULL, EXCEPT where doing so is unavoidable due to
> >   legacy PKCS8 interpretation within the implementation language's
> >   standard libraries (such as Java's Sun security provider before
> >   version XX).
>
>
> EXCEPT is not defined in RFC 2119.
>
> How is your proposed language any different in reality than:
>
>   This document specified object identifiers for using Curve25519 and
>   Curve448 for key agreement and digital signature.  Since none of these
>   algorithm identifiers need parameters, the parameters MUST be absent.
>   As a result of the defect in the AlgorithmIdentifier syntax published
>   in 1997, some implementations produce a parameters value of NULL, even
>   when the parameters ought to be absent.  Conforming implementations
>   MUST NOT produce a parameters value of NULL, but conforming
>   implementations MAY accept a parameters value of NULL for
>   interoperability.
>

I think that encourages normal implementations too much towards laxness,
which will harm the ecosystem. I don't particularly care which encoding it
is (with or without NULL), but there must be only one encoding. We've had
enough trouble with id-rsaEncryption's ambiguity in BoringSSL that I do not
think we would be willing implement a new scheme with two encodings.

If MUST NOT on the parser is problematic, perhaps SHOULD NOT? That said, I
do not follow what is wrong with MUST NOT. It sounds like this Java issue
is purely a local thing, right? That is, you don't expect such malformed
structures to escape into the ecosystem, but you need to be able to parse
the structures back out? In that case, there's need to encourage any other
implementation to be lax here. It's purely so that your parser gets the
conforming checkbox? But the serializer is already violating the MUST NOT,
so violate it in the parser too and add an explanatory comment next to the
code.

Or am I misunderstanding the situation?

David

v2.23.0 | Report a Bug | By Email