[Hipsec] Making some sample Hierarchical HITs
Robert Moskowitz <rgm@htt-consult.com> Wed, 14 August 2019 13:00 UTC
To: HIP <hipsec@ietf.org>
From: Robert Moskowitz <rgm@htt-consult.com>
Date: Wed, 14 Aug 2019 09:00:10 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/NaapKpl1UfIMp4ZVMZakPu8W9Xk>

This is connected to the Trustworthy Multipurpose Remote IDs (tm-rid@ietf.org)

Right now I am working on what an eddsa pki would be that would back up the proposed HHITs and various repositories. For this I want to generate some testing HHITs.

These HHITs will be used in x.509 certs as in rfc 8002, but also as subjectName in the signing cert. This causes some challenges as to how to present an IPv6 value in subjectName (this is a separate question from this missive).

I will use openssl from my draft-moskowitz-eddsa-pki and HHIT format from draft-moskowitz-hierarchical-hip (sec 4).

Note about current HHIT draft and sec 4. When I did this, I was using ecdsa. The revised version of this draft (soon to be published) uses eddsa and I am a bit unsure as to what hash I will recommend. But for this stage, use ed25519/sha256.

I make the ed25519 keypair with:

    openssl genpkey -aes256 -algorithm ed25519 -outform pem -out entity.key.pem

Note the keypair is encrypted; it contains the private key. This can be viewed with:

    openssl pkey -inform pem -in entity.key.pem -text -noout

The public key can be extracted in DER format with:

    openssl pkey -in entity.key.pem -out entity.pub.der -outform DER -pubout

For the HHIT:

    HIT SUITE ID = 4
    RAA = 10
    HDA = 20

It would be great to have this as a python or perl script. That way I may learn something along the way.

Inputs are:

    key file name
    key password
    HIT Suite ID
    RAA
    HDA

Output should be:

    the HHIT in 128bit binary to some file
    the HHIT in ipv6 : display format

Thanks on any help.

Bob
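
The following Python sketch is an added example, not part of the original message and not code from the author or the drafts; it builds a 128-bit value from an Ed25519 public key in the DER form produced by the `-pubout` command above and prints it in IPv6 notation. The field layout is not given in the message, so the example assumes one: the 28-bit ORCHID prefix 2001:20::/28, a 4-bit HIT Suite ID, a 14-bit RAA, an 18-bit HDA, and a 64-bit hash taken as the first 64 bits of SHA-256 over the raw 32-byte key. It reads the public key rather than decrypting `entity.key.pem`, and the output file name is hypothetical.

```python
import hashlib
import ipaddress

ORCHID_PREFIX = 0x2001002  # assumed prefix 2001:20::/28, held as a 28-bit value
ED25519_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")  # DER bytes before the key

# Constructed sample input: SubjectPublicKeyInfo for the RFC 8032 test-vector-1
# public key, standing in for entity.pub.der so the example runs offline.
SAMPLE_PUB_DER = ED25519_SPKI_HEADER + bytes.fromhex(
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")


def raw_ed25519_key(spki_der: bytes) -> bytes:
    """Return the 32-byte public key from an Ed25519 SubjectPublicKeyInfo."""
    if len(spki_der) != 44 or not spki_der.startswith(ED25519_SPKI_HEADER):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo in DER")
    return spki_der[len(ED25519_SPKI_HEADER):]


def make_hhit(spki_der: bytes, suite_id: int, raa: int, hda: int) -> bytes:
    """Pack prefix(28) | suite(4) | RAA(14) | HDA(18) | hash(64) into 16 bytes."""
    for name, value, bits in (("suite_id", suite_id, 4), ("raa", raa, 14), ("hda", hda, 18)):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name}={value} does not fit in {bits} bits")
    # Assumption: the hash field is the first 64 bits of SHA-256 over the raw key.
    digest = hashlib.sha256(raw_ed25519_key(spki_der)).digest()
    hash64 = int.from_bytes(digest[:8], "big")
    value = (ORCHID_PREFIX << 100) | (suite_id << 96) | (raa << 82) | (hda << 64) | hash64
    return value.to_bytes(16, "big")


def hhit_to_ipv6(hhit: bytes) -> str:
    """Render the 16-byte value in IPv6 colon notation."""
    return str(ipaddress.IPv6Address(hhit))


if __name__ == "__main__":
    hhit = make_hhit(SAMPLE_PUB_DER, suite_id=4, raa=10, hda=20)
    with open("entity.hhit.bin", "wb") as fh:  # hypothetical output file name
        fh.write(hhit)
    print(hhit_to_ipv6(hhit))
```

With suite 4, RAA 10 and HDA 20 the upper 64 bits are fixed at 2001:24:28:14 under this layout; only the lower 64 bits depend on the key.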