[IPsec] Raw ECDSA keys and IKEv2
Tero Kivinen <kivinen@iki.fi> Thu, 21 July 2011 23:53 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1539421F85D9 for <ipsec@ietfa.amsl.com>; Thu, 21 Jul 2011 16:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBBNP7xVpimb for <ipsec@ietfa.amsl.com>; Thu, 21 Jul 2011 16:53:40 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31C2F21F85B8 for <ipsec@ietf.org>; Thu, 21 Jul 2011 16:53:39 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id p6LNrZio024042 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Fri, 22 Jul 2011 02:53:35 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id p6LNrYMm008591; Fri, 22 Jul 2011 02:53:34 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20008.48126.941062.723271@fireball.kivinen.iki.fi>
Date: Fri, 22 Jul 2011 02:53:34 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 17 min
X-Total-Time: 55 min
Subject: [IPsec] Raw ECDSA keys and IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2011 23:53:41 -0000
In the RFC5996 we have format for Raw RSA keys (using PKCS1 format). The current buzzword compatible mantra seems to be ECDSA or Elliptic Curve keys in general, so perhaps we should also allow Raw ECDSA keys to be used in the IKEv2? For the format we could either use one of the following: 1) RFC5480 2) Draft-hoffman-dnssec-ecdsa-04 3) Roll our own 4) Combination of few above The RFC5480 has the problem that it uses ASN.1, and many of the people want to use Raw Public Keys just because they do not want to use Self signed certificates because of ASN.1 requirement. Draft-hoffman-dnssec-ecdsa-04 uses DNSSec registries, do we want to reuse them? The case 4 would most likely be best, meaning we create own wrapper format where we have the curve information using our own registry (or reuse IKEv2 Authentication Method registry, as the key to be used will be used to create the Authentication Payload anyways), and then attach to that either the format from draft-hoffman-dnssec-ecdsa-04 section 4, or from RFC 5480 section 2.2. -- kivinen@iki.fi
- [IPsec] Raw ECDSA keys and IKEv2 Tero Kivinen