IETF Logo Mail Archive

Re: [keyassure] publishing the public key

Henry Story <henry.story@bblfish.net> Sat, 19 February 2011 21:24 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BE383A6FBE for <keyassure@core3.amsl.com>; Sat, 19 Feb 2011 13:24:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vp82mW3wxn2H for <keyassure@core3.amsl.com>; Sat, 19 Feb 2011 13:24:41 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id C489C3A6F39 for <keyassure@ietf.org>; Sat, 19 Feb 2011 13:24:40 -0800 (PST)
Received: by bwz13 with SMTP id 13so1411887bwz.31 for <keyassure@ietf.org>; Sat, 19 Feb 2011 13:25:17 -0800 (PST)
Received: by 10.204.32.216 with SMTP id e24mr1971854bkd.204.1298150714857; Sat, 19 Feb 2011 13:25:14 -0800 (PST)
Received: from bblfish.home (ALagny-751-1-8-99.w86-218.abo.wanadoo.fr [86.218.107.99]) by mx.google.com with ESMTPS id v25sm2540317bkt.6.2011.02.19.13.25.12 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 19 Feb 2011 13:25:13 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <E1Pqskq-0004pb-JY@login01.fos.auckland.ac.nz>
Date: Sat, 19 Feb 2011 22:25:10 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <EDBE4E64-37F2-497E-80C5-3E271B52516A@bblfish.net>
References: <E1Pqskq-0004pb-JY@login01.fos.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.1082)
Cc: keyassure@ietf.org
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 21:24:45 -0000

On 19 Feb 2011, at 20:46, Peter Gutmann wrote:

> Henry Story <henry.story@bblfish.net> writes:
> 
>> My question is: what do people use now to pass public keys?
> 
> X.509 key bags

Is that the same as X509? If not is there a specification one can look that up on?

> 
>> I know an X509 cert contains the public key, though I don't know if it can
>> contain ECC keys.
> 
> It can contain any kind of key for any algorithm likely to be used with TLS.

great! So we at least no longer have the problem of the encoding.

> 
>> If it does then there is another simple answer: extract the part of that
>> document that contains both the type of the key and the details of it, and
>> use that.
> 
> In that case why not just stick with X.509?  This is bizarre, you have a
> universally-agreed-on, universally-supported format, and you're proposing to
> extract a subset of that requiring custom coding in each implementation to
> support and use that?

If the parsers for X509 are already written, then parsers for a subset
of X509 are already written. It's going to be easy to use the same tools.
At least I think one should not dismiss that possibility. The code to select
the subset is going to be at most a few lines.

> Another reason to stick with X.509 as key bags is that eventually you're going
> to want to put policy in the DNS ("must connect with TLS", "must use EV
> certs", "must use a PFS algorithm like DH/ECDH", "cannot use non-FIPS
> algorithms", and so on).  Guess what X.509v3 key bags were specifically
> designed for?

That is a reason for the argument to allowing the current options that enable the DNS to also send full X509 documents. Btw. I have not really looked at policy that much, can you point  me to a human readable document I can understand this part of X.509 more? (use cases and such)

> The end result is that you'll end up reinventing X.509 as a container format,

Not at all, since we are selecting a piece of it.

It would be as if you had a parser for atom <feed> documents [1] which contain <entry> elements. The someone comes along and says that they have a use case for documents containing <entry> documents only. The problem of parsing those documents is not going to be an issue, neither is the semantics of entry, at least for anyone who already has a parser for <feed>

> only it'll be some homebrew parallel format that needs custom code to support
> and endless kludging as things get bolted on that'd be automatically supported
> in the X.509 key bag format.  It's reinventing the wheel, but making it square
> just to be different.

There is no re-inventing the wheel here at all. 

The advantage would bet that you are giving a format where you express the key (so to speak) information. So that is why initially I was asking what the benefits in terms of packets sent on the wire would be between just sending the key in this subset of X509 and sending the full X509. For sites like Google this could make an important difference. That is something that is measurable, and could let us know if there is an advantage at all of considering this. 

Currently we are not asking to remove the other options. Just to see if this option is possible, and to work out what the advantages and disadvantages would be.

Henry


[1] http://www.ietf.org/rfc/rfc4287.txt


> 
> Peter.

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email