Re: NF* (Re: PKCS#11 URI slot attributes & last call)
Nico Williams <nico@cryptonector.com> Wed, 31 December 2014 09:19 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6788A1A8AA9; Wed, 31 Dec 2014 01:19:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.034
X-Spam-Level:
X-Spam-Status: No, score=0.034 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 602DgA5hQ8U8; Wed, 31 Dec 2014 01:19:12 -0800 (PST)
Received: from homiemail-a54.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 36E8B1A8768; Wed, 31 Dec 2014 01:19:12 -0800 (PST)
Received: from homiemail-a54.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a54.g.dreamhost.com (Postfix) with ESMTP id C25844012D694; Wed, 31 Dec 2014 01:19:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=ZSS0v1pOURfSEzKxCbjmEPJ5k6s=; b=po2kEdZfViu 7bUMp9u0oZ4JhDTJPuY30KK8hgW3A+lj7X+pP2HTYMA5v1yjhIZA7746kOgUgASg KTrivnEs0C2Ls+I7EaBCUWp6vFsFRtrWDugO23X+5IEiPHRNEDYcYKliV/5yP79f t67KYTonkg04zP9IVTWgDADEda3PFD5A=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a54.g.dreamhost.com (Postfix) with ESMTPA id 4F1354012D68E; Wed, 31 Dec 2014 01:19:11 -0800 (PST)
Date: Wed, 31 Dec 2014 03:19:10 -0600
From: Nico Williams <nico@cryptonector.com>
To: Patrik Fältström <paf@frobbit.se>
Subject: Re: NF* (Re: PKCS#11 URI slot attributes & last call)
Message-ID: <20141231091906.GO24442@localhost>
References: <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se> <20141231082551.GN24442@localhost> <48A18B23-AAF9-44EA-8557-D25EBE398B56@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <48A18B23-AAF9-44EA-8557-D25EBE398B56@frobbit.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/g-rCtURAQStfittozZVIzDa86Mo
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2014 09:19:13 -0000
On Wed, Dec 31, 2014 at 10:09:39AM +0100, Patrik Fältström wrote: > > On 31 Dec 2014, at 09:25, Nico Williams <nico@cryptonector.com> wrote: > > Of course, the issues are the same, it's just that there's no "server" > > to consider. It's all as good as "clients". Unlike IDNA, it's all > > UTF-8, all the time, so that form-insensitive can work. > > Well, the definition of a URI like in this case in reality define a > protocol with a client and server, if we think about the case when the > URI is used. Someone create a URI (by typing, speaking, OCR:ing, > copying) and use it to reach a resource. As with filesystems, the "processes" creating and accessing the resource are all clients. There are no servers that can make right, therefore we might as well not speak of them :) (We're agreeing.) > Regarding "the PKCS#11 does not talk about the issue, so why would > IETF" is a question I think has a clear answer. IETF have in many > cases created profiles, or let me say "interpretations" of definitions > made elsewhere. Simply because IETF do not think the specification is > crisp enough. Yes. The question is whether we should in this case. I'm in favor of saying "do form-insensitive comparison". I'd settle for "always normalize to NFC when creating PKCS#11 resources" because, after all, that's what IRIs need anyways, it's just that a PKCS#11 URI-using app might not be in a position to make "normalize on create" happen. OTOH, I think this is a minor issue, so if reaching consensus is hard, then I say "say nothing", normatively anyways. However, you're right that as far as Security Considerations go, we can't say nothing. > Look at UTF-8 for example. Indeed. We make things better. > You also write: > > > IOW, what to do depends on the application. For filesystems I say: > > be form-preserving-form-insensitive. For IDNA there's no choice but > > to go with clients-must-normalize. Each app will be different. > > Sure, that is my point. Yes, we agree :) > What you say is that the IETF use of PKCS#11, without any > specification of normalisation, mapping or otherwise, will not have > any security implications what so ever regardless of what an > application do (i.e. one party participating using one normalisation > form, another do PRECIS mapping, a third do NFC,...)? No, it will have security considerations regardless. The only way to help that is to force normalization on create, but as I say, that's not something this spec can cause to happen or assume has happened. > That is what I see you write, and if either I understand you wrong, or > if that is not what you are saying, then a text must be created and > added that explain the pitfalls -- at least as part of the security > considerations section if not in the specification on how PKCS#11 is > to be used. Yes. Nico --
- Re: slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Nico Williams
- Re: slot attributes & last call Nico Williams
- Re: slot attributes & last call Nico Williams
- Re: slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Nikos Mavrogiannopoulos
- Re: [saag] PKCS#11 URI slot attributes & last call Stephen Farrell
- Re: slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: slot attributes & last call Darren J Moffat
- Re: PKCS#11 URI slot attributes & last call Darren J Moffat
- Re: slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: slot attributes & last call Jaroslav Imrich
- Re: slot attributes & last call Jaroslav Imrich
- Re: slot attributes & last call Nikos Mavrogiannopoulos
- Re: slot attributes & last call Jan Pechanec
- Re: [saag] PKCS#11 URI slot attributes & last call Henry B (Hank) Hotz, CISSP
- Re: [saag] PKCS#11 URI slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Nico Williams
- Re: [saag] PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Nico Williams
- Re: [saag] PKCS#11 URI slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Patrik Fältström
- Re: PKCS#11 URI slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Patrik Fältström
- NF* (Re: PKCS#11 URI slot attributes & last call) Nico Williams
- Re: NF* (Re: PKCS#11 URI slot attributes & last c… Patrik Fältström
- Re: NF* (Re: PKCS#11 URI slot attributes & last c… Nico Williams
- Re: NF* (Re: PKCS#11 URI slot attributes & last c… Patrik Fältström
- Re: NF* (Re: PKCS#11 URI slot attributes & last c… Nico Williams
- i18n requirements (was: Re: NF* (Re: PKCS#11 URI … John C Klensin
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Nico Williams
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: [saag] PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: [saag] PKCS#11 URI slot attributes & last call Nico Williams
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: [saag] PKCS#11 URI slot attributes & last call Jan Pechanec
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Nico Williams
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Patrik Fältström
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … John C Klensin
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Patrik Fältström
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Nico Williams
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Jan Pechanec
- Re: NF* (Re: PKCS#11 URI slot attributes & last c… Jan Pechanec
- Re: NF* (Re: PKCS#11 URI slot attributes & last c… Nico Williams
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Jan Pechanec
- Re: [saag] i18n requirements (was: Re: NF* (Re: P… Jan Pechanec
- RE: [saag] i18n requirements (was: Re: NF* (Re: P… Christian Huitema
- RE: [saag] i18n requirements (was: Re: NF* (Re: P… Jan Pechanec
- Re: [saag] i18n requirements (was: Re: NF* (Re: P… Jaroslav Imrich
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Jan Pechanec
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … Jan Pechanec
- Re: i18n requirements (was: Re: NF* (Re: PKCS#11 … John C Klensin
- My IESG Eval for draft-pechanec-pkcs11uri-19 (Was… Pete Resnick
- Re: My IESG Eval for draft-pechanec-pkcs11uri-19 … John C Klensin