IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

Lishan Li <lilishan48@gmail.com> Wed, 09 November 2016 16:48 UTC

Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C0F312949A for <dhcwg@ietfa.amsl.com>; Wed, 9 Nov 2016 08:48:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ANg_ZUpLIgiA for <dhcwg@ietfa.amsl.com>; Wed, 9 Nov 2016 08:48:55 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95DA41294A1 for <dhcwg@ietf.org>; Wed, 9 Nov 2016 08:48:54 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id n21so152034346qka.3 for <dhcwg@ietf.org>; Wed, 09 Nov 2016 08:48:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=l2680JNhApbHmj6z7PrsTNkYC3giREfG2sKBAdxVJyE=; b=rSJSy/JTzy1q0RTPmhFeocEcAwhZMbXwV3AwZ/cw5N9G7Q9raBE0Mipv+oNAuqHceX M1LVxrgSf8W8xcymZB21WKPYKIPrDoIjJbdcw/5gddlGr0ov6VNPrlJ3ZCKykqu0FLtx hftl74DPlKlUhB5ugW/lawX53waqbkDYcpXQ6/q/XW0pxB2QqOSExUQbs/wI/CxVuYFq ocPf9NlNI7ZaPXR8b06BHEPlNy/Y/jEYrF+c5BhYr+rcMJkDQU5f5z9AR1joOmOB4Znb rhV2VrKuA/4ak+zi/Y7S8/5RGqKYDTgq64IyoIBoQ40sBSKA5Uz+ORUHxXZeluf0pBEa Zcpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=l2680JNhApbHmj6z7PrsTNkYC3giREfG2sKBAdxVJyE=; b=biSEOLbXU1PFghWlh9nIxDRh5GgR+VPN+Yrs4ePEXpJAZBvnG/WYTKeb8CdwhpAv5X GxxdlV/HNByTEEUwET6/XqU+aJmjLXt+YnMNdolp2nMEQjda3whs8Yqmdu11+k18oYlu U+43GQtTwgl4qRYwpx1Ck17YaBoSKVdNORmB8Nck/WV4eZ08K2Qkwa3ww/hTb8kpdIT2 S5HzsF52R5ZlZA9Iz58ZY4jKotasEPQIqpN6Z1yypEOFnQxt+j0LIWaHNNT3ogTQ9RDG WfnU9xoV6DqfcaqWoSY8SEcGOGjcCNbAcEqVKa8nJqskBjUNGmjUrO6aJkhkEb1zCpGW 9QaA==
X-Gm-Message-State: ABUngvfy9sTEoumz1fB1KbQZvmc4EzVwG8z8cB/26bztRboNXt5t5PP/TONQDRNZyBH2zs6iMrxCiTBU1d+2Eg==
X-Received: by 10.55.48.72 with SMTP id w69mr677750qkw.320.1478710133790; Wed, 09 Nov 2016 08:48:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.62.242 with HTTP; Wed, 9 Nov 2016 08:48:53 -0800 (PST)
In-Reply-To: <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com>
From: Lishan Li <lilishan48@gmail.com>
Date: Thu, 10 Nov 2016 00:48:53 +0800
Message-ID: <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a114908be4020460540e10840"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/Uz7o3BxNAA5u5Ny_3ST4kqBnrjI>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2016 16:48:56 -0000

2016-11-09 1:18 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>:

> At Tue, 8 Nov 2016 22:02:21 +0800,
> Lishan Li <lilishan48@gmail.com> wrote:
>
> > > (Obviously) the former, but I guess your real question is how the
> > > client can determine that.  If so, that's a good point...I wasn't
> > > aware of the ambiguity at the time of my previous message.  I'm afraid
> > > we need some more additional protocol stuff to resolve this, e.g., add
> > > a new field for the certificate option to specify for which it's
> > > supposed to be used: encryption, authentication, or both.
> >
> > [LS]: Another problem is that: whether all the certificates needed to be
> > verified for authentication? In general, if the certificate is verified
> and
> > then the public key can be used for encryption.
> > So I think one certificate is enough for authentication and encryption,
> > which is usually certificate for the public key for E1. There is no need
> > to contain the certificate for the public key for signature algorithm.
>
> It'll be possible (and probably quite common) to share the same
> certificate (public key) for both encryption and signature.  For
> example, if we use RSA for encryption and RSASSA, it's quite likely
> that we can use the same public key.  But, unless we impose an
> explicit relationship between these two algorithms as part of the
> protocol specification we cannot always assume that, so the protocol
> itself should be generic so that it will work even if encryption and
> signature algorithms are totally independent.  That's why I stated the
> above example: "add a new field for the certificate option to specify
> for which it's supposed to be used: encryption, authentication, or
> both."
>
> Whether to impose such an "explicit relationship" is a different
> question, btw.  I think that's certainly an option and can make the
> spec simpler at the cost of making it less flexible, but that should
> be discussed and described in the spec explicitly, instead of leaving
> it as an implicit assumption.
>
[LS]: There are two types of certificate: one type is used for encryption
and authentication, which contains the public key for encryption algorithm;
another type is used for signature versification, which contains the public
key for signature algorithm. We can set one field for this. If the field is
zero, then it indicates the first type. If the field is 1, then it
indicates the
second type. Looking forward to your further guidance.

Best Regards,
Lishan

v2.23.0 | Report a Bug | By Email