IETF Logo Mail Archive

Re: [Curdle] AlgorithmIdentifier parameters in draft-ietf-curdle-pkix-03

David Benjamin <davidben@chromium.org> Tue, 14 March 2017 17:41 UTC

Return-Path: <davidben@google.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CDDF1298A8 for <curdle@ietfa.amsl.com>; Tue, 14 Mar 2017 10:41:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0SxDeiSLtmAg for <curdle@ietfa.amsl.com>; Tue, 14 Mar 2017 10:41:45 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 611D5129882 for <curdle@ietf.org>; Tue, 14 Mar 2017 10:41:45 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id b129so94011885pgc.2 for <curdle@ietf.org>; Tue, 14 Mar 2017 10:41:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=G84C522Pg12/Y0pBOZJnwQ7eul++GaAfWhNuLhlqPrA=; b=LaPQtXOxNxhO5tLPFAEiVGv7SSOp16nlNsnQwc9aBhg068WBC3us55/HA1heIe4Hx+ uGHgKqV6TV92AwLt5SYM9Yh9pANb9SxRBYuK6zXhd+jN3rr2HRjJPiAP+sOknRKVKxj4 PKqDxyZQbzJFThytGTJNtxJnU448TNIQmyIR8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=G84C522Pg12/Y0pBOZJnwQ7eul++GaAfWhNuLhlqPrA=; b=Ti4VEvR+SJfvA62PKHrJoZq67rZVNa1IUtHgq1pKt7ba8FtS8ms7mn67L065fV/45b B1PpWnt2io48WQ4S63gLu6yi19s5FdGGCgObFdccx4mGZt0J7gYwbQofFdxHHw6IZyAk R0pwN7SbE7gFa9JOECxok4mfxp1JFnudzjuBUfrw3ljYkaZ7PR0mLPQrp4ntcYPPrAcJ qkHQTTKmlIH/yNB45bNlE2KYltKwUv4Aep0WyvXDOSOjbIYyrC+FvNo5ZcSC4VzBV2Zl iv3Tmsvs+5c40HfbRudgHv4+GDNi5aFg1SI1/IZMXKl7O7mBbO1yvFQqeOQv8UHlV0rm TIkA==
X-Gm-Message-State: AMke39mEv6tIvRxr2dBV7F+xLx36/KWnZy4TbNMnoHBSr2qUXmvXhLg8WeFNAhxOTDHUPYvasJVPVyAF+9Y2T5Nm
X-Received: by 10.98.160.193 with SMTP id p62mr45337732pfl.67.1489513304799; Tue, 14 Mar 2017 10:41:44 -0700 (PDT)
MIME-Version: 1.0
References: <7d6cfe29-8d4c-436e-fe8a-0cbee915b29e@mail.i2p> <20170311061838.879BAADF28@smtp.postman.i2p> <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5C93@eusaamb107.ericsson.se>
In-Reply-To: <2DD56D786E600F45AC6BDE7DA4E8A8C118BA5C93@eusaamb107.ericsson.se>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 14 Mar 2017 17:41:33 +0000
Message-ID: <CAF8qwaBGFRcYvigThbcYSGqGYSESibMUfnB-XZ=dkwFshJkRMA@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>, str4d <str4d@i2pmail.org>, "curdle@ietf.org" <curdle@ietf.org>, Russ Housley <housley@vigilsec.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary="001a1140eed46c14aa054ab45773"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/ubKo_48Lsuf9haGU3QLDjyOcvwE>
Subject: Re: [Curdle] AlgorithmIdentifier parameters in draft-ietf-curdle-pkix-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 17:41:47 -0000

No, we should not relax the MUST NOT. We've learned from the previous
algorithms here that multiple options for encodings are an unnecessary
source of complexity and interop headaches. There should only be one
encoding and parsers need to enforce this to avoid an ecosystem mess.

On Tue, Mar 14, 2017 at 1:11 PM Daniel Migault <daniel.migault@ericsson.com>
wrote:

> Hi,
>
> We need to sort this out. Anyone from Oracle can provide feedbacks ?
>
> Please let us know if there is any consensus on relaxing the MUST NOT
> accept parameters even NULL ?
>
> Yours,
> Daniel
>
>
> -----Original Message-----
> From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of str4d
> Sent: Saturday, March 11, 2017 1:19 AM
> To: curdle@ietf.org; Russ Housley <housley@vigilsec.com>; Daniel Kahn
> Gillmor <dkg@fifthhorseman.net>; Peter Gutmann <pgut001@cs.auckland.ac.nz>
> Subject: Re: [Curdle] AlgorithmIdentifier parameters in
> draft-ietf-curdle-pkix-03
>
> On 02/19/2017 02:14 AM, str4d wrote:
> > Hi all,
> >
> > In draft-ietf-curdle-pkix-03 there is very clear language around the
> > expected behaviour of parser implementations regarding
> > AlgorithmIdentifier parameters:
> >
>
> [snip]
>
> > The problem is that the Sun AlgorithmId class always adds a NULL when
> > encoding if there are no parameters, for compatibility with Solaris [4].
> > So AFAICT it is presently impossible for me to write an implementation
> > that simultaneously:
> >
> > - follows draft-ietf-curdle-pkix-03 correctly
> > - can retrieve EdDSA keys from a default Java keystore
> >
> > Is anyone in the WG aware of a workaround for this, or have links to
> > past WG discussion on this point? I would think that Oracle should at
> > least be made aware of this issue, but even if they changes this in
> > Java 10, that doesn't help my implementation run on earlier Java
> versions.
> > The only alternatives I see at this point are:
> >
> > - Remove the NULL restriction from draft-ietf-curdle-pkix-03
> > - Require that my library not be used with incompatible keystores (but
> > a) I have yet to find a way to enforce this via the JCA, other than
> > just refusing to implement support for PKCS8EncodedKeySpec, which is
> > not particularly usable, and b) I don't yet know of a keystore that
> > *will* implement this properly)
>
> I have found the correspondence in the Curdle WG ML that added the NULL
> restriction; I have copied in the relevant members to hopefully jog this
> conversation. If there is no further discussion, then I will have no
> alternative but to be non-compliant with the eventual RFC, as I have been
> unable to find a way for my library to work with the default Java keystore
> :(
>
> Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> > Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> > >   Implementaions MUST NOT accept any of these OIDs with the
> > >   parameters field present, even if parameters has a value
> > >   of NULL.
> > >
> > >If we can convince the early implementations to hard-fail on that, we
> > >can discourage anyone from generating those values in newer
> > >implementations.
> >
> > +1.  For once there's no argument for supporting existing broken
> > implementations, we can get it right from the start
>
> I apologise for providing one :/
>
> Cheers(-ish),
> Jack
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>

v2.23.0 | Report a Bug | By Email