Re: [keyassure] publishing the public key
Henry Story <henry.story@bblfish.net> Sat, 19 February 2011 09:50 UTC
Return-Path: <henry.story@bblfish.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CEF823A6FD5 for <keyassure@core3.amsl.com>; Sat, 19 Feb 2011 01:50:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kty4XihGC4W8 for <keyassure@core3.amsl.com>; Sat, 19 Feb 2011 01:50:42 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id E7B5D3A6EAA for <keyassure@ietf.org>; Sat, 19 Feb 2011 01:50:41 -0800 (PST)
Received: by bwz13 with SMTP id 13so1064898bwz.31 for <keyassure@ietf.org>; Sat, 19 Feb 2011 01:51:17 -0800 (PST)
Received: by 10.204.126.138 with SMTP id c10mr1581427bks.156.1298109075284; Sat, 19 Feb 2011 01:51:15 -0800 (PST)
Received: from bblfish.home (ALagny-751-1-8-99.w86-218.abo.wanadoo.fr [86.218.107.99]) by mx.google.com with ESMTPS id x38sm2090097bkj.13.2011.02.19.01.51.13 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 19 Feb 2011 01:51:14 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1082)
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <E1PqbYp-0008EI-Dx@login01.fos.auckland.ac.nz>
Date: Sat, 19 Feb 2011 10:51:11 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <A2CF8378-6577-4AF2-9CD5-4992EE9B13B8@bblfish.net>
References: <E1PqbYp-0008EI-Dx@login01.fos.auckland.ac.nz>
To: keyassure@ietf.org
X-Mailer: Apple Mail (2.1082)
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 09:50:44 -0000
I had received your mails Peter. Your mail is also available in the archives. http://www.ietf.org/mail-archive/web/keyassure/current/msg01846.html Ilari Liusvaara came up with a format for raw keys in what seems to be C http://www.ietf.org/mail-archive/web/keyassure/current/msg01803.html (though I am not sure that C is progress over ASN.1 for such a specification) My question is: what do people use now to pass public keys? I know an X509 cert contains the public key, though I don't know if it can contain ECC keys. If it does then there is another simple answer: extract the part of that document that contains both the type of the key and the details of it, and use that. So in the XML world the xmldsig spec defines the KeyInfo element http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo which specified the following keys * http://www.w3.org/2000/09/xmldsig#DSAKeyValue * http://www.w3.org/2000/09/xmldsig#RSAKeyValue * http://www.w3.org/2000/09/xmldsig#X509Data * http://www.w3.org/2000/09/xmldsig#PGPData * http://www.w3.org/2000/09/xmldsig#SPKIData * http://www.w3.org/2000/09/xmldsig#MgmtData So there one could just take the KeyInfo Element, and use that as a document format to place the keys in. Of course one would remove X509, PGP keys, and one would have to define an xml structure for elliptic curve keys. I am not recomending this option So essentially there has to be a way of having a structure a bit more general than the following that can encode all the needed keys and that is extensible RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicExponent INTEGER -- e } So there does not seem to be a lack of solutions. The trick I suppose is finding the one that is the most likely to be adopted. I suppose some ASN.1 DER encoding is the one most tools are ready for. Henry On 19 Feb 2011, at 02:24, Peter Gutmann wrote: > [Several of my posts didn't make it to the list, these are re-posts of earlier > messages] > > Paul Wouters <paul@xelerance.com> writes: >> On Tue, 15 Feb 2011, Peter Gutmann wrote: >>>> The public key's type and raw blob will be obtained from DNSSEC, so this is >>>> no longer required to be conveyed to the client from the server via a PKIX >>>> certificate or other ASN.1 structures. >>> >>> But what format is the "type and raw blob" in? You need some way of encoding >>> it, and if it's not the standard ASN.1 format what are you going to use? >> >> I'm not sure I understand your question. > > A public key contains a number of components and options. For example for ECC > there are the basic key values p, a, b, G, n, h (or m, f, a, b, G, n, h for > binary curves), an indication of the underlying field (prime or binary), the > point format, whether point compression is used, polynomial vs. normal basis, > whether fixed domain parameters are used, and probably some other stuff I've > forgotten. How is all this stuff communicated? > >> The key would encoded in DNS, likely in a format similar to DNSKEY. > > DNSKEY (RFC 3757) just specifies an opaque value labelled "public key". If > you mean RFC 4034: > > RSA/MD5 [RSAMD5] n [RFC2537] NOT RECOMMENDED > Diffie-Hellman [DH] n [RFC2539] - > DSA/SHA-1 [DSA] y [RFC2536] OPTIONAL > Elliptic Curve [ECC] TBA - > RSA/SHA-1 [RSASHA1] y [RFC3110] MANDATORY > > this (a) ain't gonna cut it because it doesn't cover what's required by TLS > and (b) requires that your TLS implementation speak DNSSEC (or at least the > DNSKEY part of DNSSEC) just to get a key. I can't see TLS implementors being > too enthusiastic about this. > > Peter. > _______________________________________________ > keyassure mailing list > keyassure@ietf.org > https://www.ietf.org/mailman/listinfo/keyassure Social Web Architect http://bblfish.net/
- Re: [keyassure] publishing the public key Henry Story
- [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Ilari Liusvaara
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Martin Rex
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Martin Rex
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Scott Schmit
- Re: [keyassure] Issue #14 - publishing the public… Warren Kumari
- Re: [keyassure] Issue #14 - publishing the public… Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Ilari Liusvaara
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Yaron Sheffer
- Re: [keyassure] publishing the public key Ilari Liusvaara
- Re: [keyassure] publishing the public key Yaron Sheffer
- Re: [keyassure] publishing the public key John Gilmore
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Paul Wouters
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Phillip Hallam-Baker
- Re: [keyassure] publishing the public key Peter Gutmann
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Stephen Kent
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Stephen Kent
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Paul Hoffman
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Henry Story
- Re: [keyassure] publishing the public key Stephen Kent
- Re: [keyassure] publishing the public key Henry Story