IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

神明達哉 <jinmei@wide.ad.jp> Tue, 08 November 2016 17:19 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DED6129A44 for <dhcwg@ietfa.amsl.com>; Tue, 8 Nov 2016 09:19:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h46VfG0vrZN3 for <dhcwg@ietfa.amsl.com>; Tue, 8 Nov 2016 09:19:08 -0800 (PST)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70E83129A41 for <dhcwg@ietf.org>; Tue, 8 Nov 2016 09:18:12 -0800 (PST)
Received: by mail-qt0-x230.google.com with SMTP id p16so111215521qta.0 for <dhcwg@ietf.org>; Tue, 08 Nov 2016 09:18:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=pfvqIlyZYXENN1O5bnULUKCgUbykd4QNQOlYvFGJev0=; b=YCKzVNF3pE12o9wpuLHkAQPh8UJVASu6FBIEZIZ7Oo0XyFfTWpGwDH+kPM6EcLPz0M aIyxhMNB0V41ksELxsDm9t4LiMYbkYfziY2wyeLsW7FiAjNTfzOdOAi4HE+klJlIHrIz Y6wSSPZtgXmwQzMGLAP8CULmOZJN63XTeuH6hOAZdIsWWS11oawADeywXcXhlpNQSuk1 dszzTbOe9aEua+tsG3GG+9ZcW7v0ZyfP5+kbAMTGpH/X4F/60EGdiiCiVK1sD+AdS9zn nzW/VhoxCo5t+hIn88bw+745KK0Ggeu86x+rkI+gUA0UJtalyUsWVoL/HHgpsljLS+22 +Sgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=pfvqIlyZYXENN1O5bnULUKCgUbykd4QNQOlYvFGJev0=; b=Creuv38uSCrYVUbQPBY5V74lrIC6cdZzDoEkpKiFADvlHvdAZKbhpWqaGbc164vIDL 0D2j+AZA6uOG0VXCTFn7AvxUBOsbuP4mMul6XEPCrNaw/WmUxjHUYCIqoP1MJs9IyNVO mkWSoefrAw/gaEgvLz1Lvi+r8IscOSsagxC1QawpeW7L9Qg2KmoRiPMxVpcpAHgFmbf4 vsHAkYgBJSwyuWibigfdLv+efJPzBBJciky0AQCHnRvmPcMC5LyUpdob1gOYZzM3+hv5 CBdP6ccaNdiPPfS8czZRM0uM4Qwsu9ivCbPBeSkaDUEaFSsxBcNo93dz3cBXYEHAeOVD 7I+A==
X-Gm-Message-State: ABUngvdYnOJy9VHGAazcR0a6DZLrq+0PEslWPzSK2l4Dl2obx0ozNBcoHHI0LxKjycdrK3TDcEr52GtVsCHC5g==
X-Received: by 10.200.43.82 with SMTP id 18mr14132553qtv.63.1478625491469; Tue, 08 Nov 2016 09:18:11 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.58.101 with HTTP; Tue, 8 Nov 2016 09:18:10 -0800 (PST)
In-Reply-To: <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Tue, 08 Nov 2016 09:18:10 -0800
X-Google-Sender-Auth: GRwXGi2GGgxdpuCWS5dD8XIaw-U
Message-ID: <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com>
To: Lishan Li <lilishan48@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/JF8L5vIAEkuUOWaFzgrN5pO-X1Q>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 17:19:10 -0000

At Tue, 8 Nov 2016 22:02:21 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > (Obviously) the former, but I guess your real question is how the
> > client can determine that.  If so, that's a good point...I wasn't
> > aware of the ambiguity at the time of my previous message.  I'm afraid
> > we need some more additional protocol stuff to resolve this, e.g., add
> > a new field for the certificate option to specify for which it's
> > supposed to be used: encryption, authentication, or both.
>
> [LS]: Another problem is that: whether all the certificates needed to be
> verified for authentication? In general, if the certificate is verified and
> then the public key can be used for encryption.
> So I think one certificate is enough for authentication and encryption,
> which is usually certificate for the public key for E1. There is no need
> to contain the certificate for the public key for signature algorithm.

It'll be possible (and probably quite common) to share the same
certificate (public key) for both encryption and signature.  For
example, if we use RSA for encryption and RSASSA, it's quite likely
that we can use the same public key.  But, unless we impose an
explicit relationship between these two algorithms as part of the
protocol specification we cannot always assume that, so the protocol
itself should be generic so that it will work even if encryption and
signature algorithms are totally independent.  That's why I stated the
above example: "add a new field for the certificate option to specify
for which it's supposed to be used: encryption, authentication, or
both."

Whether to impose such an "explicit relationship" is a different
question, btw.  I think that's certainly an option and can make the
spec simpler at the cost of making it less flexible, but that should
be discussed and described in the spec explicitly, instead of leaving
it as an implicit assumption.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email