IETF Logo Mail Archive

Re: [Curdle] FW: New Version Notification for draft-ietf-curdle-pkix-04.txt

David Benjamin <davidben@chromium.org> Mon, 01 May 2017 16:17 UTC

Return-Path: <davidben@google.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA461294F8 for <curdle@ietfa.amsl.com>; Mon, 1 May 2017 09:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MBx9aCJYu8ZC for <curdle@ietfa.amsl.com>; Mon, 1 May 2017 09:17:20 -0700 (PDT)
Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36B2812D0C3 for <curdle@ietf.org>; Mon, 1 May 2017 09:15:10 -0700 (PDT)
Received: by mail-pf0-x22e.google.com with SMTP id v14so76368234pfd.2 for <curdle@ietf.org>; Mon, 01 May 2017 09:15:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oUJ6hWxRNSfmk+2dZRywanYQW7Yuju8TzcMdP6X57mg=; b=ALnuv9/4ctYMym2yzZxQZF4AhLVElrP4+WwwuTIJfSv2+a4JZCkyLXA0fN5/gnXhMj 4ocaSpZjsLRLEta5ic4H85/r7EcIOKXNs+eYP3GNC/6y2vxI8Sr1IwisrWVhpLlL/Isb Dk4A9aD0o5qZuq9nJnzoR2ab0TpThYbLX6qQ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oUJ6hWxRNSfmk+2dZRywanYQW7Yuju8TzcMdP6X57mg=; b=M5KfUxal4f6ofJ3Mu9TAjzjqaHfZwnDivTl/Si8R1/xWVqGKZK4AI+dNKYog/eNmYC HGM1jkyfZzcVyqs+1dAV+K6aXJJ5Rur5Fzi5cdZBUay4tU5JmT1HQBZ2C4/MO5NFiiWq avpXCwfv4U5OLHPzkWlYA1nz11bpD4kUS0Hslxwdjadvu7MMZAIlgQFkzrtgOq3U/Sxr iqOkETBoepbaKjLH/rEuAdD3J7USZbzIlB+9CG6nmOs+/SMqQxdcvdtDki4WNrOP0MIq d32yG4+lC1onU6fYBVbxf3g7Vx5NIflAEFJh8NpsEI5Zb/dz5ksESILbqY8djLty/pOe kl/w==
X-Gm-Message-State: AN3rC/6XXRVNF/ssAVecq389mkxjlAoRmnW0XRjQZTGleNTcCzuYTLV4 Wpwk+CiG65SA1eSu0hLtpx+g+1a3376o
X-Received: by 10.84.142.133 with SMTP id 5mr35249297plx.52.1493655309728; Mon, 01 May 2017 09:15:09 -0700 (PDT)
MIME-Version: 1.0
References: <149073663013.1172.4888065212435317707.idtracker@ietfa.amsl.com> <051401d2a80b$e9bdea90$bd39bfb0$@augustcellars.com> <CAFewVt6-0WSqmwD7xVvKWDg3P9vNpFZDqB-n61hiU9qQp1c2cw@mail.gmail.com> <006d01d2c194$0e99b280$2bcd1780$@augustcellars.com> <CAFewVt4Lj7DMuVszGD6eht-3CJY6twaOao4J6KBTq4mTnYVFUQ@mail.gmail.com>
In-Reply-To: <CAFewVt4Lj7DMuVszGD6eht-3CJY6twaOao4J6KBTq4mTnYVFUQ@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 01 May 2017 16:14:58 +0000
Message-ID: <CAF8qwaCSVLJZMfy1eZ4hF4B3TUZyEdrL3VkkeiQ6TT=5mawUNg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>, Jim Schaad <ietf@augustcellars.com>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c11ac2a278ace054e78bac7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/mDmybmrxHQnlQlVDkxpSPxGc_Fk>
Subject: Re: [Curdle] FW: New Version Notification for draft-ietf-curdle-pkix-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 May 2017 16:17:22 -0000

On Sun, Apr 30, 2017 at 8:17 PM Brian Smith <brian@briansmith.org> wrote:

> Jim Schaad <ietf@augustcellars.com> wrote:
> > It is not always possible to detect corruption when you store in an
> unencrypted form.
>
> What kind of corruption would we not be able to detect? It is possible
> that somehow the private key could get corrupted and that there could
> be a corresponding corruption to the public key such that they match
> again, but this seems extremely unlikely unless somebody simply
> replaced the key pair with another key pair.
>
> > It would also not be possible to know if it was the private key or the
> public key that has been corrupted, just that the two values do not match.
>
> This is the case with any kind of cryptographic check, including HMAC
> or whatnot.
>

(Not that it matters, but, to that end, would detecting corruption not be
just as easily served by stashing a checksum somewhere? If not external to
the serialization, there is already that attributes field.)


> > > However, unless this is documented in the draft one way or
> > another as a MUST accept or a MUST NOT generate, I think
> > it will be an interop nightmare. In particular, we should avoid
> > the situation where some implementations produce v2 keys
> > so they can add the publicKey field, and where other
> > implementations reject v2 keys because they only parse v1,
> > where the publicKey field isn't allowed.
> >
> > I have not heard that this is an issue today with DH keys.  This
> > makes me think that this is not going to be a big issue.  I expect
> > that most implementations would all for parsing v2 keys even if
> > they then ignore the public key field.
>
> If that's the expectation then let's enshrine that in the spec by
> saying that implementations MUST accept v2 keys for these types of
> keys.
>
> In particular, I have seen PKCS#8 implementations that reject any v2
> PKCS#8 file instead of ignoring the extra fields.
>

As the author of one such PKCS#8 implementation, I'd simply missed that v2
PKCS#8 existed. Happy to add support (by way of ignoring the field
probably, yeah). Lacking any useful text about what to do, I interpreted
the version field to be analogous to RSAPrivateKey, another PKCS spec.
There, an RFC 2437 implementation that attempted to be forwards-compatible
(by accepting unknown versions and ignoring appended fields) would have
been confused come RFC 3447, which decided v1 meant a
semantically-incompatible otherPrimeInfos field.

RFC 5958 continues this. It does use ASN.1 extension markers, but X.680
merely says "The action that is taken in each situation is determined by
the ASN.1 specifier", and RFC 5958 does not appear to say anything.

Is the intent that OneAsymmetricKey parsers accept a hypothetical v3 with
further appended fields, or should they reject those to allow for
RFC-3447-like changes? If so, how do they handle the version <=> extra
field correspondence? A numerical comparison? Assume all unknown values are
newer? The version number used in the ASN.1 tags corresponds to the
symbolic name of the version constants, rather than the numerical value, so
it's not obvious whether, say, defining v3(-1) would be acceptable.

David

v2.23.0 | Report a Bug | By Email