IETF Logo Mail Archive

Re: [Curdle] AlgorithmIdentifier parameters in draft-ietf-curdle-pkix-03

str4d <str4d@i2pmail.org> Sun, 26 March 2017 17:22 UTC

Return-Path: <str4d@i2pmail.org>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21ADA129659 for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 10:22:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.519
X-Spam-Level: ****
X-Spam-Status: No, score=4.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_SORBS_HTTP=0.001, RCVD_IN_SORBS_SOCKS=1.927, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fbFSrDGp2IPV for <curdle@ietfa.amsl.com>; Sun, 26 Mar 2017 10:22:54 -0700 (PDT)
Received: from mail01.sigterm.no (mail01.sigterm.no [193.150.121.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00FD1126CE8 for <curdle@ietf.org>; Sun, 26 Mar 2017 10:22:42 -0700 (PDT)
Received: from smtp.postman.i2p (i2p-outproxy01.privacysolutions.no [193.150.121.66]) by postman.meeh.i2p (Postfix) with ESMTP id 55B052E0FC9 for <curdle@ietf.org>; Sun, 26 Mar 2017 19:22:39 +0200 (CEST)
X-Virus-Scanned: clamav-milter 0.97 on milter.postman.i2p
To: David Benjamin <davidben@chromium.org>, Russ Housley <housley@vigilsec.com>
References: <7d6cfe29-8d4c-436e-fe8a-0cbee915b29e@mail.i2p> <20170311061838.879BAADF28@smtp.postman.i2p> <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5C93@eusaamb107.ericsson.se> <20170314174216.56419ADF21@smtp.postman.i2p> <20170321233151.6B3F8ADF28@smtp.postman.i2p> <22B37E49-154A-4C39-B4F8-4D292C8A9615@vigilsec.com> <20170323171654.D228AADF2A@smtp.postman.i2p>
Cc: "curdle@ietf.org" <curdle@ietf.org>
X-Mailer: smtp.postman.i2p - Official I2P Mailer
From: str4d <str4d@i2pmail.org>
MIME-Version: 1.0
In-Reply-To: <20170323171654.D228AADF2A@smtp.postman.i2p>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="FUVa9UBLCLEGiQwCBdI1x3qQQttECHAKs"
Message-Id: <20170326110338.71C71ADF2F@smtp.postman.i2p>
Date: Sun, 26 Mar 2017 11:03:38 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/kTLF7AB7aJ_L8wn8CL1SHSzgL_w>
Subject: Re: [Curdle] AlgorithmIdentifier parameters in draft-ietf-curdle-pkix-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 17:22:56 -0000

On 03/24/2017 06:16 AM, David Benjamin wrote:
> On Thu, Mar 23, 2017 at 12:49 PM Russ Housley <housley@vigilsec.com> wrote:
> 
>>> How would the following language (or something to this effect) work as a
>>> compromise?
>>>
>>>   In this document we defined six new OIDs for identifying the
>>>   different curve/algorithm pairs.  The curves being Curve25519 and
>>>   Curve448.  The algorithms being ECDH, EdDSA in pure mode and EdDSA in
>>>   pre-hash mode.  For all of the OIDs, the parameters MUST be absent.
>>>   Regardless of the defect in the original 1997 syntax, implementations
>>>   MUST NOT write out a parameters value of NULL, and MUST NOT accept a
>>>   parameters value of NULL, EXCEPT where doing so is unavoidable due to
>>>   legacy PKCS8 interpretation within the implementation language's
>>>   standard libraries (such as Java's Sun security provider before
>>>   version XX).
>>
>>
>> EXCEPT is not defined in RFC 2119.

Yeah, my apologies - I was writing in pseudo-language, but am new enough
to this sphere that this RFC isn't yet burned into my brain ^_^;

>>
>> How is your proposed language any different in reality than:
>>
>>   This document specified object identifiers for using Curve25519 and
>>   Curve448 for key agreement and digital signature.  Since none of these
>>   algorithm identifiers need parameters, the parameters MUST be absent.
>>   As a result of the defect in the AlgorithmIdentifier syntax published
>>   in 1997, some implementations produce a parameters value of NULL, even
>>   when the parameters ought to be absent.  Conforming implementations
>>   MUST NOT produce a parameters value of NULL, but conforming
>>   implementations MAY accept a parameters value of NULL for
>>   interoperability.
>>
> 
> I think that encourages normal implementations too much towards laxness,
> which will harm the ecosystem.

Correct. I was trying to come up with something that maintained the
existing strictness as much as possible, because in theory I agree with it.

> I don't particularly care which encoding it
> is (with or without NULL), but there must be only one encoding. We've had
> enough trouble with id-rsaEncryption's ambiguity in BoringSSL that I do not
> think we would be willing implement a new scheme with two encodings.

I'm *already* having to deal with parsing two encodings, due to the
presence of draft-josefsson-pkix-eddsa-04 (which was the active draft
for a proposed encoding when that part of my parser was contributed) -
so the horse has kinda left the barn already in that respect.

> 
> If MUST NOT on the parser is problematic, perhaps SHOULD NOT? That said, I
> do not follow what is wrong with MUST NOT. It sounds like this Java issue
> is purely a local thing, right? That is, you don't expect such malformed
> structures to escape into the ecosystem, but you need to be able to parse
> the structures back out? In that case, there's need to encourage any other
> implementation to be lax here. It's purely so that your parser gets the
> conforming checkbox? But the serializer is already violating the MUST NOT,
> so violate it in the parser too and add an explanatory comment next to the
> code.
> 
> Or am I misunderstanding the situation?

It's not so much that I want a "conforming checkbox" to tick, but that
I'm mindful of how easily context can be lost. You don't want to
encourage laxness by allowing flexibility, but you also don't want
implementors reading the RFC, discovering they can't implement it
correctly, and simply ignoring it - that will result in undefined
behaviour. I would prefer that the RFC explicitly acknowledge that the
MUST NOT may not be practical for *parsing* (as opposed to writing) in
some legacy instances (hopefully only the Java standard libraries), to
provide context to future readers instead of hoping they stumble upon
this mailing list thread, or upon the explanatory comment in my code.

I'll admit I'm a little surprised at my cynicism, but I don't think it
is misplaced. However, I am clearly the only person to have raised this
issue here, so perhaps I'm wrong, and RFC readers will interpret the
MUST NOT in a sensible way. I'd like to hope so.

Jack

v2.23.0 | Report a Bug | By Email