IETF Logo Mail Archive

Re: [Curdle] Key examples in draft-ietf-curdle-pkix-03

str4d <str4d@i2pmail.org> Sat, 17 December 2016 07:14 UTC

Return-Path: <str4d@i2pmail.org>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEBCF1294E9 for <curdle@ietfa.amsl.com>; Fri, 16 Dec 2016 23:14:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.091
X-Spam-Level: *
X-Spam-Status: No, score=1.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, RCVD_IN_BRBL_LASTEXT=1.449, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JqUSztwkHnLe for <curdle@ietfa.amsl.com>; Fri, 16 Dec 2016 23:14:00 -0800 (PST)
Received: from mail01.sigterm.no (mail01.sigterm.no [193.150.121.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24AD129452 for <curdle@ietf.org>; Fri, 16 Dec 2016 23:13:59 -0800 (PST)
Received: from smtp.postman.i2p (unknown [193.150.121.26]) by postman.meeh.i2p (Postfix) with ESMTP id CA0FF2E52A6 for <curdle@ietf.org>; Sat, 17 Dec 2016 08:13:49 +0100 (CET)
X-Virus-Scanned: clamav-milter 0.97 on milter.postman.i2p
To: David Benjamin <davidben@chromium.org>, Ilari Liusvaara <ilariliusvaara@welho.com>
References: <20161214105434.418FAADD1C@smtp.postman.i2p> <20161214121515.GA10791@LK-Perkele-V2.elisa-laajakaista.fi> <20161214132326.29D3BADD12@smtp.postman.i2p> <20161215043852.11033ADD1E@smtp.postman.i2p> <20161215132709.4AB57ADD11@smtp.postman.i2p>
X-Mailer: smtp.postman.i2p - Official I2P Mailer
From: str4d <str4d@i2pmail.org>
MIME-Version: 1.0
In-Reply-To: <20161215132709.4AB57ADD11@smtp.postman.i2p>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="9xneOBRkcDIHw7G3noto2qVvh476G7R3c"
Message-Id: <20161216212834.B138DADD20@smtp.postman.i2p>
Date: Fri, 16 Dec 2016 21:28:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/wvoWKxrtzAJp9Sjj2kwfwHIsyTg>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Key examples in draft-ietf-curdle-pkix-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Dec 2016 07:14:02 -0000

On 12/16/2016 02:27 AM, David Benjamin wrote:
> On Thu, Dec 15, 2016 at 1:42 AM str4d <str4d@i2pmail.org> wrote:
> 
>> On 12/15/2016 02:23 AM, David Benjamin wrote:
>>> On Wed, Dec 14, 2016 at 7:15 AM Ilari Liusvaara <
>> ilariliusvaara@welho.com>
>>> wrote:
>>>
>>>> On Wed, Dec 14, 2016 at 10:54:34AM +0000, str4d wrote:
>>>>> Hello,
>>>>>
>>>>> I am currently updating my EdDSA Java library to implement the current
>>>>> spec for key encoding [0] (previously I used
>>>>> draft-josefsson-pkix-eddsa-04 for public keys, and the equivalent in
>>>>> PKCS#8 format for private keys). The example public key given in
>>>>> draft-ietf-curdle-pkix-03 [1] passes my tests, however the example
>>>>> private key [2] does not.
>>>>>
>>>>> It appears that the private key material within the example is 34
>> bytes,
>>>>> but according to Section 3.2 of draft-irtf-cfrg-eddsa-08 [3] (which
>>>>> AFAICT the present draft defers to for encoding), the private key is
>> the
>>>>> b-bit seed k, which is 32 bytes.
>>>>>
>>>>> Am I missing something? If the example keys in the present draft are
>>>>> correct, it would be helpful to add a reference that clarifies their
>>>>> exact encoding.
>>>>
>>>> Apparently the key is wrapped in OCTET STRING twice for some reason,
>>>> so the length is actually 32 bytes (the first 2 are second OCTET STRING
>>>> header).
>>>>
>>>
>>> Is it too late to change that / was there any particular reason for this?
>>> Not that saving or using two bytes really matters, but it seems
>> unnecessary
>>> when we already have an OCTET-STRING-shaped hole to put our octet string
>> in.
>>>
>>
>> Additionally, it is somewhat strange that the same document
>> (draft-irtf-cfrg-eddsa-08) would define that the public key requires no
>> additional OCTET STRING wrapping, while the private key does. I
>> personally don't have a problem implementing it this way if that is what
>> the WG decides, but one of the two documents needs to be updated
>> regardless of whether or not this is changed (either to change it or to
>> clarify the encoding).
>>
> 
> Even if it stays as-is, I do not think draft-irtf-cfrg-eddsa should be
> changed to mention the OCTET STRING wrapping. EdDSA public and private keys
> are encoded as specified by draft-irtf-cfrg-eddsa-08. If you just need to
> store one of those, you use it. Neither use ASN.1 at that layer since
> there's no need. Serialization asks for a byte string, and we already have
> a way to return a byte string.
> 
> If you need to store them in an SPKI or PKCS#8 blob, you then follow
> draft-ietf-curdle-pkix which calls into that serialization and adds a bunch
> of ASN.1. The PKCS#8 wrapping, for some reason, prescribes two layers of
> OCTET STRING wrapping right now. This, though odd, is still self-consistent.

I've figured out the source of my confusion (and you're right, it wasn't
related to draft-irtf-cfrg-eddsa, that was my mis-remembering): section
7 of draft-ietf-curdle-pkix is somewhat obtuse (to someone not
well-versed in IETF lingo) as to how the various ASN.1 types are
stacked. Specifically, on my first read of that section it seemed that
the EdPrivateKey type took the place of the PrivateKey type in
OneAsymmetricKey. But reading it again now, I can see that the intent of
the section is:

OneAsymmetricKey ::= SEQUENCE {
    ...,
    privateKey PrivateKey(EdPrivateKey(byte sequence))
    ...
}

I think the confusing language is the use of "wrapped in" followed by
"placed in", which implied to me that these were different actions, when
in fact they both refer to the same action of wrapping in OCTET STRING
(resulting in the aforementioned two layers).

Perhaps a clarification in this section might be pertinent? Or maybe I'm
an outlier, and everyone who normally reads these specs will be
completely familiar with the intended usage constraints of ASN.1 types
*shrug*

In any case, thanks for clearing up my confusion! Should I wait around
for consensus on whether the layering is likely to change, or go ahead
with implementing as-is? I don't really want to implement a second
backwards-compatibility handler later ^_^;

Cheers,
str4d

v2.23.0 | Report a Bug | By Email