IETF Logo Mail Archive

Re: [Gen-art] draft-ietf-lamps-5480-ku-clarifications-01

Sean Turner <sean@sn3rd.com> Wed, 04 March 2020 17:23 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D76B93A1307 for <gen-art@ietfa.amsl.com>; Wed, 4 Mar 2020 09:23:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZS7It21RGz9b for <gen-art@ietfa.amsl.com>; Wed, 4 Mar 2020 09:23:46 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 055A03A130B for <gen-art@ietf.org>; Wed, 4 Mar 2020 09:23:46 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id f198so2381000qke.11 for <gen-art@ietf.org>; Wed, 04 Mar 2020 09:23:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6s+uopJy5xYMt3/5XA/ouS7zTcQoP6dtRzY5HlqH08w=; b=XG0G6xapZfZ6hLhVQbgyx89mL6et8tMC0/OcyKoL9HFBFmZUze0/ktrwvkVXbqzqud oWLEVur+Vtls3vp2iAAjcqMjShrbXGy9P9nXwRiCvYENNN0BNOmsrJ1/4619Irxtx0D/ 0if1i2y+K6+EPxfXwMVujtabc1wS+3gwuf/DU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6s+uopJy5xYMt3/5XA/ouS7zTcQoP6dtRzY5HlqH08w=; b=sMU3/qaPH80kgQMP8N95dV5TCl1nwIN7z1aHNPW/78cYSSU7txMVehei5vqOk/U5+S OyvTDOgBwc+z5tAkp44ly8tzEzX2MaePhNPFlxbg63VZpt9HMtrL/Lt9HuylcjirbT2j 3xDYsKq7Hj3S2NK2wrFJeyswR0H1JY7yQyiSKfYqP6dhM+UpW7/wgsAmsLf/PIt52IkU pDkhCgXDVoKoQYZ0jD1AKffH/rBmXadfTmUdONr7Ub6fNiXDjOthmtyN2Enafz990i2z r8O5GL+ozfWdRmr1miOxL23Q8uY2MOtbxFV1TQxEDCiu9BZflI6xSMjljVY98KElniHQ cXQw==
X-Gm-Message-State: ANhLgQ2I/JYkoKFsi30/K9qbMc9aBCZ7ahENdXnykrDyVMoFMvtq68Ka GxLIpZw0GsH2qvj0Aufzf7RVlJfYuu8=
X-Google-Smtp-Source: ADFU+vuuMRklV3ACmi9o8I5ivOtkPXhc4fF/70bHWqxgt8G669GYo/o/qfOuJDqe+XW49ahTt0E4aQ==
X-Received: by 2002:a37:4351:: with SMTP id q78mr3951498qka.409.1583342625158; Wed, 04 Mar 2020 09:23:45 -0800 (PST)
Received: from sn3rd.lan ([75.102.131.34]) by smtp.gmail.com with ESMTPSA id t3sm12605661qkt.114.2020.03.04.09.23.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 04 Mar 2020 09:23:44 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <54001CEE-1D17-46CB-9314-D9AF45452D63@cooperw.in>
Date: Wed, 04 Mar 2020 12:23:43 -0500
Cc: draft-ietf-lamps-5480-ku-clarifications.all@ietf.org, last-call@ietf.org, gen-art@ietf.org, LAMPS WG <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6426AD1D-5D15-4BAC-814C-0F7626AA804A@sn3rd.com>
References: <878skjcso5.fsf@hobgoblin.ariadne.com> <54001CEE-1D17-46CB-9314-D9AF45452D63@cooperw.in>
To: "Dale R. Worley" <worley@ariadne.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/fScv22Q778QLEGIpXhVNLk6d1Jo>
Subject: Re: [Gen-art] draft-ietf-lamps-5480-ku-clarifications-01
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 17:23:49 -0000


> On Mar 3, 2020, at 16:09, Alissa Cooper <alissa@cooperw.in> wrote:
> 
> Dale, thanks for your reviews. Sean, thanks for your responses. I entered a No Objection ballot. If Dale’s questions can be clarified for non-expert readers, I think that would be good.
> 
> Alissa
> 
> 
>> On Mar 1, 2020, at 11:00 PM, Dale R. Worley <worley@ariadne.com> wrote:
>> 
>> Looking at draft-ietf-lamps-5480-ku-clarifications-01, these points
>> occur to me:
>> 
>>  1.  Introduction
>> 
>>  This document corrects this omission, by updating Section 3 of
>>  [RFC5480] to make it clear that neither keyEncipherment nor the
>>  dataEncipherment key usage bits are set for key agreement algorithms.
>> 
>> I think it would be more accurate to say something like "neither ... are
>> set in certificates that specify key agreement algorithms" -- usage bits
>> are logically a component of a certificate rather than a feature of an
>> algorithm.
>> 
>> But it's unclear to me whether id-ecPublicKey is only used in key
>> agreement certificates.  RFC 5480 states that if the cert uses id-ecDH
>> or id-ecMQV and provides keyUsage, then keyAgreement must be set.  So
>> it's clear that certs with id-ecDH or id-ecMQV are key agreement certs.
>> But RFC 5480 says that if the cert lists id-ecPublicKey, then
>> keyAgreement is optional.  That suggests to me that some certs can use
>> id-ecPublicKey without being key agreement certs.  In turn, section 1 of
>> this I-D suggests the I-D is not intended to apply to those certs, but
>> section 3 seems to apply to them anyway.
>> 
>> To try to distill it to one sentence:  Can id-ecPublicKey appear in
>> certs that are not for key agreement, and if so, are keyEncipherment and
>> dataEncipherment allowed in the keyUsage of those certs?
>> 
>>  3.  Updates to Section 3
>> 
>>  If the keyUsage extension is present in a certificate that indicates
>>  in SubjectPublicKeyInfo, then following values MUST NOT be present:
>> ---^
>> 
>> Is "id-ecPublicKey" missing here?

Yes - The OPSDIR review noted my took quick to submit.  It’s fixed in this version:

https://datatracker.ietf.org/doc/draft-ietf-lamps-5480-ku-clarifications/

>>  If the keyUsage extension is present in a certificate that indicates
>>  id-ecDH or id-ecMQV in SubjectPublicKeyInfo, then the following
>>  values also MUST NOT be present:
>> 
>> Is it a fact that all certificates with these three algorithms are
>> certificates for key agreement?  If so, it would be nice to state that
>> either in section 3 or section 1, to show how section 3 is connected
>> with "for key agreement algorithms" in section 1.  Otherwise, the
>> connection between the two requires information that is stated
>> elsewhere.

To address this, I ended up making the following tweaks in s1:

 This document corrects this omission, by updating Section 3 of
 [RFC5480] to make it clear that neither keyEncipherment nor the
 dataEncipherment key usage bits are set for key agreement algorithms
 defined therein.  The additions are to be made to the end of
 Section 3.

So, there’s a link from 5480 s3 where the three algorithms are defined to this document’s s3.

spt

>> Dale
>> 
>> _______________________________________________
>> Gen-art mailing list
>> Gen-art@ietf.org
>> https://www.ietf.org/mailman/listinfo/gen-art
>

v2.23.0 | Report a Bug | By Email