[IPsec] [Editorial Errata Reported] RFC7427 (4296)

Tero Kivinen <kivinen@iki.fi> Tue, 24 March 2015 16:06 UTC

Message-ID: <21777.35607.852024.161621@fireball.kivinen.iki.fi>
Date: Tue, 24 Mar 2015 18:04:39 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: RFC Errata System <rfc-editor@rfc-editor.org>
In-Reply-To: <20150310101551.4237E180207@rfc-editor.org>
References: <20150310101551.4237E180207@rfc-editor.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/OiFSEQaHKCZT5wnnFlQf2x6knQw>
Cc: a.yousar@informatik.hu-berlin.de, paul.hoffman@vpnc.org, ipsec@ietf.org, Kathleen.Moriarty.ietf@gmail.com, jms@opus1.com, stephen.farrell@cs.tcd.ie

RFC Errata System writes:
> The following errata report has been submitted for RFC7427,
> "Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=7427&eid=4296
> 
> --------------------------------------
> Type: Editorial
> Reported by: Annie Yousar <a.yousar@informatik.hu-berlin.de>
> 
> Section: A.4.3
> 
> Original Text
> -------------
>    Here the parameters are present and contain hashAlgorithm of SHA-256,
> |  maskGenAlgorithm of SHA-256, saltLength of 32, and trailerField of 1.
> 
>    0000 : SEQUENCE
>    0002 :   OBJECT IDENTIFIER  RSASSA-PSS (1.2.840.113549.1.1.10)
>    000d :   SEQUENCE
>    000f :     CONTEXT 0
>    0011 :       SEQUENCE
>    0013 :         OBJECT IDENTIFIER  id-sha256 (2.16.840.1.101.3.4.2.1)
>    001e :         NULL
>    0020 :     CONTEXT 1
>    0022 :       SEQUENCE
> |  0024 :         OBJECT IDENTIFIER  1.2.840.113549.1.1.8
>    002f :         SEQUENCE
>    0031 :           OBJECT IDENTIFIER id-sha256 (2.16.840.1.101.3.4.2.1)
>    003c :           NULL
>    003e :     CONTEXT 2
>    0040 :       INTEGER   0x20 (6 bits)
> |  0043 :     CONTEXT 3
> |  0045 :       INTEGER   0x1 (1 bits)
> 
>    Name = RSASSA-PSS with sha-256, oid = 1.2.840.113549.1.1.10
> |  Length = 72
>    0000: 3046 0609 2a86 4886 f70d 0101 0a30 39a0
>    0010: 0f30 0d06 0960 8648 0165 0304 0201 0500
>    0020: a11c 301a 0609 2a86 4886 f70d 0101 0830
>    0030: 0d06 0960 8648 0165 0304 0201 0500 a203
> |  0040: 0201 20a3 0302 0101
> 
> 
> Corrected Text
> --------------
>    Here the parameters are present and contain hashAlgorithm of SHA-256,
> |  maskGenAlgorithm of MGF1 with SHA-256, saltLength of 32, and 
> |  trailerField of 1.
> |  Note that since the trailerField has the default value it MUST NOT be
> |  encoded according to the Distinguished Encoding Rules (DER) of ASN.1.
> 
>    0000 : SEQUENCE
>    0002 :   OBJECT IDENTIFIER  RSASSA-PSS (1.2.840.113549.1.1.10)
>    000d :   SEQUENCE
>    000f :     CONTEXT 0
>    0011 :       SEQUENCE
>    0013 :         OBJECT IDENTIFIER  id-sha256 (2.16.840.1.101.3.4.2.1)
>    001e :         NULL
>    0020 :     CONTEXT 1
>    0022 :       SEQUENCE
> |  0024 :         OBJECT IDENTIFIER  id-mgf1 (1.2.840.113549.1.1.8)
>    002f :         SEQUENCE
>    0031 :           OBJECT IDENTIFIER id-sha256 (2.16.840.1.101.3.4.2.1)
>    003c :           NULL
>    003e :     CONTEXT 2
>    0040 :       INTEGER   0x20 (6 bits)
> 
>    Name = RSASSA-PSS with sha-256, oid = 1.2.840.113549.1.1.10
> |  Length = 67
>    0000: 3046 0609 2a86 4886 f70d 0101 0a30 39a0
>    0010: 0f30 0d06 0960 8648 0165 0304 0201 0500
>    0020: a11c 301a 0609 2a86 4886 f70d 0101 0830
>    0030: 0d06 0960 8648 0165 0304 0201 0500 a203
> |  0040: 0201 20
> 
> 
> Notes
> -----
> 1. The maskGenAlgorithm is in fact not SHA-256
> (2.16.840.1.101.3.4.2.1), but MGF1 (1.2.840.113549.1.1.8) based on
> SHA-256 (2.16.840.1.101.3.4.2.1). 

The id-mgf1 oid is there in the example; the tool I used didn't know
the name for it, thus it just printed out the oid. As this does not
affect the binary object at all, there is no problem here.

> 2. Section 3 requires the use of DER:
> The ASN.1 used here is the same ASN.1 used in the
> AlgorithmIdentifier of PKIX (see Section 4.1.1.2 of [RFC5280]),
> encoded using distinguished encoding rules (DER) [CCITT.X690.2002]. 

Yes, but RFC4055 says that:

      trailerField

         The trailerField field is an integer.  It provides
         compatibility with IEEE Std 1363a-2004 [P1363A].  The value
         MUST be 1, which represents the trailer field with hexadecimal
         value 0xBC.  Other trailer fields, including the trailer field
         composed of HashID concatenated with 0xCC that is specified in
         IEEE Std 1363a, are not supported.  Implementations that
         perform signature generation MUST omit the trailerField field,
         indicating that the default trailer field value was used.
         Implementations that perform signature validation MUST
         recognize both a present trailerField field with value 1 and an
         absent trailerField field.

I.e., you should recognize both formats. Yes, we could have another
example also showing the object value to be used when generating these
and when omitting the default values (like we do have for SHA-1).

> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC7427 (draft-kivinen-ipsecme-signature-auth-07)
> --------------------------------------
> Title               : Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
> Publication Date    : January 2015
> Author(s)           : T. Kivinen, J. Snyder
> Category            : PROPOSED STANDARD
> Source              : IP Security Maintenance and Extensions
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
-- 
kivinen@iki.fi
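An added example, written for this archive page and not code from RFC 7427, the errata report, or the tool Tero mentions: a small Python decoder for the RSASSA-PSS AlgorithmIdentifier quoted above. It accepts the trailerField both present and absent, as the RFC 4055 text requires of validators, reports whether the encoding is DER-minimal, and re-encodes it with the DEFAULT trailerField omitted, as RFC 4055 requires of signers. The DER helpers (der_tlv, der_children, der_encode) are hypothetical and handle short-form lengths only; the 72-byte input and the OID octets are taken from the hex dump in the message.

```python
# Added example, not from RFC 7427 or the errata: decode the page's RSASSA-PSS params,
# accept trailerField present or absent (RFC 4055), re-encode with the DEFAULT omitted.
# Constructed from the 72-byte dump in the errata report's "Original Text".
PSS_WITH_TRAILER = bytes.fromhex(
    "30460609 2a864886 f70d0101 0a3039a0 0f300d06 09608648 01650304 02010500"
    "a11c301a 06092a86 4886f70d 01010830 0d060960 86480165 03040201 0500a203"
    "020120a3 03020101")
OID_NAMES = {bytes.fromhex("2a864886f70d01010a"): "id-RSASSA-PSS",
             bytes.fromhex("2a864886f70d010108"): "id-mgf1",
             bytes.fromhex("608648016503040201"): "id-sha256"}

def der_tlv(buf, pos=0):
    """Decode one short-form DER TLV at pos -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form lengths are not needed for these parameters"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def der_children(value):  # constructed value -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_encode(tag, value):  # wrap value in a short-form TLV
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def parse_pss_params(alg_id):
    """RSASSA-PSS-params as a dict; trailerField defaults to 1 when absent (RFC 4055)."""
    (_, oid), (_, params) = der_children(der_tlv(alg_id)[1])
    out = {"algorithm": OID_NAMES.get(oid), "trailerField": 1, "trailerFieldEncoded": False}
    for tag, val in der_children(params):
        (_, inner), = der_children(val)                # every [n] is EXPLICIT: one child
        if tag == 0xA0:                                # [0] hashAlgorithm
            out["hashAlgorithm"] = OID_NAMES.get(der_children(inner)[0][1])
        elif tag == 0xA1:                              # [1] maskGenAlgorithm: id-mgf1 { hash }
            (_, mgf), (_, mgf_params) = der_children(inner)
            out["maskGenAlgorithm"] = OID_NAMES.get(mgf)
            out["mgfHash"] = OID_NAMES.get(der_children(mgf_params)[0][1])
        elif tag == 0xA2:                              # [2] saltLength
            out["saltLength"] = int.from_bytes(inner, "big")
        elif tag == 0xA3:                              # [3] trailerField INTEGER DEFAULT 1
            out["trailerField"], out["trailerFieldEncoded"] = int.from_bytes(inner, "big"), True
    # DER never encodes a DEFAULT value, so an explicit trailerField of 1 is not DER-minimal.
    out["derMinimal"] = not (out["trailerFieldEncoded"] and out["trailerField"] == 1)
    return out

def to_der_minimal(alg_id):
    """Re-encode with a trailerField of 1 dropped, as RFC 4055 tells signers to do."""
    (oid_tag, oid), (_, params) = der_children(der_tlv(alg_id)[1])
    kept = b"".join(der_encode(t, v) for t, v in der_children(params)
                    if not (t == 0xA3 and der_children(v)[0][1] == b"\x01"))
    return der_encode(0x30, der_encode(oid_tag, oid) + der_encode(0x30, kept))
```

Running to_der_minimal on the 72-byte dump yields a 67-byte object whose enclosing SEQUENCE lengths shrink from 0x46/0x39 to 0x41/0x34, and parse_pss_params on that result still reports saltLength 32 and trailerField 1.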