IETF Logo Mail Archive

Re: [Curdle] FW: New Version Notification for draft-ietf-curdle-pkix-04.txt

Brian Smith <brian@briansmith.org> Wed, 10 May 2017 23:02 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD37129B71 for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 16:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Abh3HPG0yrhW for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 16:02:17 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26D1212952E for <curdle@ietf.org>; Wed, 10 May 2017 16:02:17 -0700 (PDT)
Received: by mail-io0-x230.google.com with SMTP id k91so11264983ioi.1 for <curdle@ietf.org>; Wed, 10 May 2017 16:02:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MESlc8SERT9uw85z1D4D00pqY5xCs5Q4XOQh6w+DYdk=; b=TwYqSvZowz2EKxadQ01Un2Hna5jaBVYxsct4pRFfpDXTwxxwfA80yNtIB2+g8Dk7Tj Wy+2LjyLje8lpUGhy1kdYdZmxnekM9ZGGK75oHqFeSvKjNO9mV4GNHmNXx+NFYI60LnL StSrYkDWJ1OMvWzbIWRldzxSD+mDo1T/no4Q7/OGVkbNer3KZgEzY78GM/Gg42Ps0Kee QF8cE1E80JhiYM08yotgiC9WBIjw6sVNAWG/Tfl8Y2Glq0QLBwKkOwkqww/jcFd4xMis Qbp7WeXBXRN1wDWVfCBlK7de1Hed0TTu34BOnqHIhOvaTmTnCIGtAVwlTWQ3S3yfXzPy DS3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MESlc8SERT9uw85z1D4D00pqY5xCs5Q4XOQh6w+DYdk=; b=POP4xUzSfZ2WD4Lf1+1PbChYz9msvrGGlCs7sC+g4B5s8ntIRe2qSJaiXGcgy2/ANj +z4h5QRAmbUMBWW8wv0Z6cAPQE0Y4DP+S/q981wNKn4wdHR+hS+yY+1mNuHf1HVjlqXs vQSwcbl7Jjs9Cl+JhBs/DUnWG7blEJHtoX3DgrhzuVL2IpqwC3mG+qFPwSkouM4HyvRg WG4hr0/QHoY2TMLrk3YerZyQoUCixrOwpkpiN24thWyCQkJ20owIa7tY2TjKxytPQrgZ 3QOqAlcG2dflC1Mtq29DdQ1B1eyKSeFfibsmqi9JKCUZucgpBJ55GCWElDsgjzMF5fzA CY0w==
X-Gm-Message-State: AODbwcCvOFcrKWa81Y2hbhw+8/xCRnbfZdbRL4VGdsoI6nylnCw7Oh8I CAuWxz5DxDTHNWN54RhpwIMLsanHCw==
X-Received: by 10.107.50.136 with SMTP id y130mr6798863ioy.152.1494457336413; Wed, 10 May 2017 16:02:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.77.84 with HTTP; Wed, 10 May 2017 16:02:15 -0700 (PDT)
In-Reply-To: <CAF8qwaByALNz1=LSTtCg0PrqrDe7mN2da5gFqAp2dHA9Cjxbtg@mail.gmail.com>
References: <149073663013.1172.4888065212435317707.idtracker@ietfa.amsl.com> <051401d2a80b$e9bdea90$bd39bfb0$@augustcellars.com> <CAFewVt6-0WSqmwD7xVvKWDg3P9vNpFZDqB-n61hiU9qQp1c2cw@mail.gmail.com> <006d01d2c194$0e99b280$2bcd1780$@augustcellars.com> <CAFewVt7iuyzY-VkQn7V7PjEOWyk0k7-KLsmpEGjhSdTh7JW2Og@mail.gmail.com> <CAFewVt5v_bqQMo7ZpnnUWa2c41Xy-SkUWw63sh8Yn-UWskKdmw@mail.gmail.com> <CAFewVt4dv0Q2C_N+Cn2or6D+_CdZCDwfoe-g1sOTJqNSJON_nw@mail.gmail.com> <CAFewVt4sJE9+sdPAjtQKL0L+RqkgS9AXaa5ytGOK80Bcgua8sA@mail.gmail.com> <001c01d2c998$ba1f6f80$2e5e4e80$@augustcellars.com> <CAFewVt5nDnSLga7ZpyY8sZO2TNpn4cOC0oAhapKSkWV64cavDQ@mail.gmail.com> <CAF8qwaByALNz1=LSTtCg0PrqrDe7mN2da5gFqAp2dHA9Cjxbtg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
Date: Wed, 10 May 2017 13:02:15 -1000
Message-ID: <CAFewVt74hhvDwGrV32hZ-ZJGcWSNrWLSqEmhweHo56PxS6Vw1A@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Jim Schaad <ietf@augustcellars.com>, curdle <curdle@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/zlIWRlXhHa4fr008BBDlpxtTKgw>
Subject: Re: [Curdle] FW: New Version Notification for draft-ietf-curdle-pkix-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 23:02:18 -0000

David Benjamin <davidben@chromium.org> wrote:
> I don't especially object to requiring the v2 form be accepted or fixing
> BoringSSL to accept it, but if the only use is a mandatory convoluted
> checksum check, then I would rather we throw v2 away and stick with the
> simple thing.

Besides being a checksum against corruption, here are the benefits
I've found to having the public key in the file:

* It protects against the case where the producer of the private key
miscalculated the public key (i.e. the producer's math is buggy).

* It protects against the case where the consumer of the private key
miscalculates the public key (i.e. the consumer's math is buggy).

* If you have (a lot of) PKCS#8 documents, you can look up a private
key by public key without having to compute the public key from the
private key for each one.

* If an implementation presents the public key as it is stored in the
PKCS#8 file, then the public key will always be present consistently.
That is, it provides a way to avoid implementation fingerprinting,
although it doesn't mandate implementations try to avoid
fingerprinting in this way.

Note that RFC 5915 (ECPrivateKey for traditional curves) doesn't
require publicKey to be present and it doesn't require the user to
check that the private key is consistent with the public key even when
it is present. And other standards for those curves also do provide
alternatives (see, for example, NIST SP 800-56A section 5.6.3.2). So I
agree that saying that the implementation MUST do the check is
excessive, but I do think it is a really good idea.

Cheers,
Brian
--
https://briansmith.org/

v2.23.0 | Report a Bug | By Email