IETF Logo Mail Archive

Re: [keyassure] publishing the public key

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 19 February 2011 01:24 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43BB93A6F52 for <keyassure@core3.amsl.com>; Fri, 18 Feb 2011 17:24:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tUnGV0h8-QLH for <keyassure@core3.amsl.com>; Fri, 18 Feb 2011 17:24:01 -0800 (PST)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id EFDDD3A6EDE for <keyassure@ietf.org>; Fri, 18 Feb 2011 17:24:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1298078676; x=1329614676; h=from:to:subject:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20keyassure@ietf.org|Subject:=20Re:=20[keyassure]=20 publishing=20the=20public=20key|Message-Id:=20<E1PqbYp-00 08EI-Dx@login01.fos.auckland.ac.nz>|Date:=20Sat,=2019=20F eb=202011=2014:24:35=20+1300; bh=mjF1W3gMfrsKhVGgIWhvKXLAyDaPO06qqxhUIdez8ug=; b=kR57CqoH1ms1i2C5pWOxe18Ybj4FLmaWTfBnpSQF0bOLHthAZiR1liBL Dc5WE5yIobQ6MB2vQNBO0uJUPH4CSul3oJQvrHzGPQ7ULrYU6dAGjTzVY Y4Nrx+4FMxiXX1G8exr0nqCqYf6r9XBRPVKRnJxuhA065er7amCddyp+5 4=;
X-IronPort-AV: E=Sophos;i="4.62,190,1296990000"; d="scan'208";a="46881848"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 19 Feb 2011 14:24:35 +1300
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PqbYp-0003lx-Hg for keyassure@ietf.org; Sat, 19 Feb 2011 14:24:35 +1300
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PqbYp-0008EI-Dx for keyassure@ietf.org; Sat, 19 Feb 2011 14:24:35 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: keyassure@ietf.org
Message-Id: <E1PqbYp-0008EI-Dx@login01.fos.auckland.ac.nz>
Date: Sat, 19 Feb 2011 14:24:35 +1300
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 01:24:02 -0000

[Several of my posts didn't make it to the list, these are re-posts of earlier
 messages]

Paul Wouters <paul@xelerance.com> writes:
>On Tue, 15 Feb 2011, Peter Gutmann wrote:
>>> The public key's type and raw blob will be obtained from DNSSEC, so this is
>>> no longer required to be conveyed to the client from the server via a PKIX
>>> certificate or other ASN.1 structures.
>>
>> But what format is the "type and raw blob" in?  You need some way of encoding
>> it, and if it's not the standard ASN.1 format what are you going to use?
>
>I'm not sure I understand your question.

A public key contains a number of components and options. For example for ECC
there are the basic key values p, a, b, G, n, h (or m, f, a, b, G, n, h for
binary curves), an indication of the underlying field (prime or binary), the
point format, whether point compression is used, polynomial vs. normal basis,
whether fixed domain parameters are used, and probably some other stuff I've
forgotten.  How is all this stuff communicated?

>The key would encoded in DNS, likely in a format similar to DNSKEY.

DNSKEY (RFC 3757) just specifies an opaque value labelled "public key".  If
you mean RFC 4034:

  RSA/MD5 [RSAMD5]         n      [RFC2537]  NOT RECOMMENDED
  Diffie-Hellman [DH]      n      [RFC2539]   -
  DSA/SHA-1 [DSA]          y      [RFC2536]  OPTIONAL
  Elliptic Curve [ECC]              TBA       -
  RSA/SHA-1 [RSASHA1]      y      [RFC3110]  MANDATORY

this (a) ain't gonna cut it because it doesn't cover what's required by TLS
and (b) requires that your TLS implementation speak DNSSEC (or at least the
DNSKEY part of DNSSEC) just to get a key. I can't see TLS implementors being
too enthusiastic about this.

Peter.

v2.23.0 | Report a Bug | By Email