Re: [IPsec] Signature authentication in IKEv2

Johannes Merkle <johannes.merkle@secunet.com> Mon, 15 April 2013 12:01 UTC

Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4838A21F900D for <ipsec@ietfa.amsl.com>; Mon, 15 Apr 2013 05:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.74
X-Spam-Level:
X-Spam-Status: No, score=-1.74 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7eivhuKelTs for <ipsec@ietfa.amsl.com>; Mon, 15 Apr 2013 05:01:52 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id A3A2C21F8F7F for <ipsec@ietf.org>; Mon, 15 Apr 2013 05:01:52 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 706201A0139; Mon, 15 Apr 2013 14:01:49 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id pIbouigutkNv; Mon, 15 Apr 2013 14:01:47 +0200 (CEST)
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id CA5751A008E; Mon, 15 Apr 2013 14:01:47 +0200 (CEST)
Received: from [10.208.1.73] ([10.208.1.73]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Mon, 15 Apr 2013 14:01:47 +0200
Message-ID: <516BEC2B.6010707@secunet.com>
Date: Mon, 15 Apr 2013 14:01:47 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: ipsec@ietf.org, kivinen@iki.fi
References: <20799.34918.969821.935296@fireball.kivinen.iki.fi>
In-Reply-To: <20799.34918.969821.935296@fireball.kivinen.iki.fi>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 15 Apr 2013 12:01:47.0892 (UTC) FILETIME=[01A5E340:01CE39D1]
Subject: Re: [IPsec] Signature authentication in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 12:01:53 -0000

Tero Kivinen wrote on 12.03.2013 20:56:
> In the meeting I did not remember what was the name the PKIX had for
> the signature blob, and in my slides written at midnight Sunday
> evening, I said SubjectPublicKeyInfo, so here I am to provide some
> correct information...
> 
> So the thing is what is both in the signatureAlgorithm and
> SubjectPublicKeyInfo, i.e. the AlgorithmI?dentifier:
> 
>    AlgorithmIdentifier  ::=  SEQUENCE  {
>         algorithm               OBJECT IDENTIFIER,
>         parameters              ANY DEFINED BY algorithm OPTIONAL  }
> 
> 
> I.e where there algorithm is the OID we currently have in the
> draft-kivinen-ipsecme-signature-auth, and the parameters is the one is
> required to get the RSASSA-PSS to work.
> 
> Anybody has objection to do it this way?
> 

I agree with your proposal.

It has become quiet around this draft. I really think, it is an important simplification of IKEv2 in the long tun. When
can we expect the new revision?

-- 
Johannes