Re: [dane] New I-D on Authenticating Raw Public Keys with DANE TLSA

Sean Turner <TurnerS@ieca.com> Wed, 02 July 2014 17:26 UTC

From: Sean Turner <TurnerS@ieca.com>
In-Reply-To: <201406210425.s5L4P2eo001257@new.toad.com>
Date: Wed, 02 Jul 2014 13:16:44 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <8E325436-B2BE-40A4-A8D5-80407622222E@ieca.com>
References: <201406210425.s5L4P2eo001257@new.toad.com>
To: John Gilmore <gnu@toad.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/_zRoaOAmirTkhVmHxr2dC_siLQA
Cc: dane@ietf.org
Subject: Re: [dane] New I-D on Authenticating Raw Public Keys with DANE TLSA

Two nits:

0) s3 contains the following:

  This SubjectPublicKeyInfo structure MUST be encoded in DER encoding
   [X.660] of Abstract Syntax Notation One (ASN.1) [X.208].

r/X.660/X.690 or just:

  This SubjectPublicKeyInfo structure MUST be encoded in DER encoding
   of Abstract Syntax Notation One (ASN.1) [X.690].

Personally, I think that not referring to X.680/208 is fine because that’s what RFC 6898 did, but for completeness I could see using X.680 instead of X.208:

  This SubjectPublicKeyInfo structure MUST be encoded in DER encoding
   [X.690] of Abstract Syntax Notation One (ASN.1) [X.680].

If you decide to go with the X.680 reference (from PKIX):

   [X.680]    ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
              Information technology - Abstract Syntax Notation One
              (ASN.1):  Specification of basic notation.

1) s3: r/(from RFC 6699 section 2.1.1)/(from RFC 6698 section 2.1.1)

spt

On Jun 21, 2014, at 00:25, John Gilmore <gnu@toad.com> wrote:

> In an effort to nudge along the process of standardizing the use of
> DANE with TLS's use of raw public keys, I have written a short
> Internet-Draft that defines how these keys can be authenticated by using
> TLSA records.
> 
> Name:		draft-gilmore-dane-rawkeys
> Revision:	00
> Title:		Authenticating Raw Public Keys with DANE TLSA
> Document date:	2014-06-20
> Group:		Individual Submission
> Pages:		7
> URL:      http://www.ietf.org/internet-drafts/draft-gilmore-dane-rawkeys-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-gilmore-dane-rawkeys/
> Htmlized:       http://tools.ietf.org/html/draft-gilmore-dane-rawkeys-00
> Abstract:
>   This document standardizes how the Domain Name System can
>   authenticate Raw Public Keys.  Transport Level Security now has the
>   option to use Raw Public Keys, but they require some form of external
>   authentication.  The document updates RFC 6698 to allow the Domain
>   Name System to standardize the authentication of more types of keying
>   material.
> 
> The TLS extension for raw public keys, which inspired this work, is
> currently very late in the IETF publication process, but not quite
> published, here:
> 
>  "Using Raw Public Keys in Transport Layer Security (TLS)
>         and Datagram Transport Layer Security (DTLS)"
>  https://www.rfc-editor.org/authors/rfc7250.txt
> 
> 	John
> 
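The section 3 text quoted above requires the SubjectPublicKeyInfo to be DER encoded; the reason is that a TLSA record with the SubjectPublicKeyInfo selector is matched by hashing those exact bytes, so any BER re-encoding breaks the match. The following is an added example (not code from the draft or from either author) that checks an SPKI for DER length encoding and derives RFC 6698 TLSA RDATA from it; it assumes RFC 6698's selector 1 and matching types 0/1/2 apply to raw keys as well, and the SPKI bytes are a constructed Ed25519-shaped sample with a made-up key.

```python
import hashlib

# Constructed sample input (not a real key): a DER SubjectPublicKeyInfo using the
# RFC 8410 Ed25519 AlgorithmIdentifier and a made-up 32-byte public key value.
SPKI_DER = bytes.fromhex(
    "302a300506032b6570032100"
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; reject length forms that BER allows but DER forbids."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x80|n, then n length octets
        n = length & 0x7F
        lbytes = buf[pos:pos + n]
        pos += n
        if n == 0 or lbytes[0] == 0 or int.from_bytes(lbytes, "big") < 0x80:
            raise ValueError("indefinite or non-minimal length: BER, not DER")
        length = int.from_bytes(lbytes, "big")
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length

def check_spki_der(spki):
    """Require SEQUENCE { SEQUENCE { OID, ... }, BIT STRING }; return (OID hex, key octets)."""
    tag, body, end = _read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI must be exactly one SEQUENCE")
    alg_tag, alg, pos = _read_tlv(body, 0)
    key_tag, key, pos = _read_tlv(body, pos)
    if alg_tag != 0x30 or key_tag != 0x03 or pos != len(body):
        raise ValueError("expected AlgorithmIdentifier then subjectPublicKey BIT STRING")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must begin with an OID")
    return oid.hex(), bytes(key[1:])        # drop the BIT STRING unused-bits octet

def tlsa_rdata(spki, matching_type=1, usage=3, selector=1):
    """TLSA RDATA in RFC 6698 presentation form; matching 0 = full SPKI, 1 = SHA-256, 2 = SHA-512."""
    check_spki_der(spki)                    # a hash over a non-DER re-encoding would never match
    data = spki if matching_type == 0 else hashlib.new(
        {1: "sha256", 2: "sha512"}[matching_type], spki).digest()
    return f"{usage} {selector} {matching_type} {data.hex()}"

def spki_matches_tlsa(rdata, spki):
    """Relying-party side: does the SPKI presented in the TLS handshake match the record?"""
    usage, selector, mtype, data = rdata.split()
    return selector == "1" and tlsa_rdata(spki, int(mtype), int(usage)).split()[3] == data.lower()
```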