Re: [IPsec] WG Last Call on draft-ietf-ipsecme-oob-pubkey

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 09 April 2013 02:48 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E781C21F8EC1 for <ipsec@ietfa.amsl.com>; Mon, 8 Apr 2013 19:48:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOiqH5Ml3ukB for <ipsec@ietfa.amsl.com>; Mon, 8 Apr 2013 19:48:16 -0700 (PDT)
Received: from tuna.sandelman.ca (unknown [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) by ietfa.amsl.com (Postfix) with ESMTP id 5925221F8EB2 for <ipsec@ietf.org>; Mon, 8 Apr 2013 19:48:15 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id EE2982016F for <ipsec@ietf.org>; Mon, 8 Apr 2013 22:57:48 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id C5EC8638F7; Mon, 8 Apr 2013 22:47:55 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id B79C8638E8 for <ipsec@ietf.org>; Mon, 8 Apr 2013 22:47:55 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: IPsecme WG <ipsec@ietf.org>
In-Reply-To: <D05A8680-CFD7-4A3E-B679-62060D41946B@vpnc.org>
References: <D05A8680-CFD7-4A3E-B679-62060D41946B@vpnc.org>
X-Mailer: MH-E 8.3; nmh 1.3-dev; XEmacs 21.4 (patch 22)
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Mon, 08 Apr 2013 22:47:55 -0400
Message-ID: <3164.1365475675@sandelman.ca>
Sender: mcr@sandelman.ca
Subject: Re: [IPsec] WG Last Call on draft-ietf-ipsecme-oob-pubkey
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 02:48:17 -0000

>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes:
    Paul> http://tools.ietf.org/html/draft-ietf-ipsecme-oob-pubkey 

I have read this document anew.

I found the jump in section 3 to:

   When the certificate encoding type 'Raw Public Key' is used then the
   Certificate Data only contains the SubjectPublicKeyInfo part of the
   PKIX certificate.

to be confusing on first read.  Perhaps this is because I attempt to be
as ignorant of PKCS/PKIX stuff as possible. (I admit that I'm a failure
at this).

I think that it is telling me that it's not just a raw RSA key, which is
really the whole point of this exercise, but rather just the
SubjectPublicKeyInfo part.   I think that this paragraph could be made
clearer to people who are trying to avoid knowing anything about PKIX.

I followed the reference to draft-ietf-tls-oob-pubkey-07, which I read.
I would like to suggest that section 3 more quickly refers to the
tls-oob-pubkey Appendix A, and that it say something like:

   In order to provide a simple and standard way to indicate the key
   type when the encoding type is 'Raw Public Key', the 
   SubjectPublicKeyInfo structure of the PKIX certificate is used.
   This is a a very simple encoding, as most of the ASN.1 part can be
   included literally, and recognized by block comparison.  See 
   [draft-ietf-tls-oob-pubkey] Appendix A for a detailed breakdown.
   In addition, Appendix A has a few examples.

(Yes, add a second example... an RSA example.)















-- 
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works