IETF Logo Mail Archive

Re: [KEYPROV] PSKC-07 submitted

Phillip Hallam-Baker <hallam@gmail.com> Mon, 28 June 2010 13:26 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: keyprov@core3.amsl.com
Delivered-To: keyprov@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D13CE28C106; Mon, 28 Jun 2010 06:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.061
X-Spam-Level:
X-Spam-Status: No, score=0.061 tagged_above=-999 required=5 tests=[AWL=-1.141, BAYES_50=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_101=0.6, J_CHICKENPOX_34=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTieVRwOKzAO; Mon, 28 Jun 2010 06:26:16 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id CE7C528C124; Mon, 28 Jun 2010 06:26:15 -0700 (PDT)
Received: by iwn35 with SMTP id 35so888757iwn.31 for <multiple recipients>; Mon, 28 Jun 2010 06:26:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=ujstmOZhYFdAkhHbTC+jOmW3BdfE6/UbqjDU310wQJY=; b=gcX4fz4o3D/jr6bBAmmKaGLA3vsKzdNdH+gSOjLKA7ZA7wtJLeUWzudYhPCFaGFWRR e/SWivUqFogfIoS7LYvFG5ZfQSMmMYJIx1crJm1sBcMXLipILaQPxdspkuAKZ1FtWJIR 68w6jjWGR/JfMD2g62B/h3krHJA/tqJVybQJQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=rgEWEBTWasXhTvWjxBvNeP6EAJh32lGWWhmxQKCbeF1ZbT27ahZLHrMlCcpm1v8hBU 5GqF/wNMBi7PmkA0C+SKHzabRP8xa2DK50/l/Kgbuw+s330UsJPBXVFP8AbTWmFQlwmX Tmv1jvP1jU4ODeyMgSW4Ux+3vQGUlhKoffJME=
MIME-Version: 1.0
Received: by 10.231.149.12 with SMTP id r12mr5554200ibv.57.1277731585684; Mon, 28 Jun 2010 06:26:25 -0700 (PDT)
Received: by 10.231.36.5 with HTTP; Mon, 28 Jun 2010 06:26:25 -0700 (PDT)
In-Reply-To: <5BFE9E473DBFC24CA87F18F29B3F0AC406890A8F@sur-corp-ex-02.corp.ad.activcard.com>
References: <5BFE9E473DBFC24CA87F18F29B3F0AC4068909DA@sur-corp-ex-02.corp.ad.activcard.com> <5BFE9E473DBFC24CA87F18F29B3F0AC406890A8F@sur-corp-ex-02.corp.ad.activcard.com>
Date: Mon, 28 Jun 2010 09:26:25 -0400
Message-ID: <AANLkTilYAuF11PHmMXZe8yN3I-H2HXlR7cWSLDh9OQyd@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Philip Hoyer <phoyer@actividentity.com>
Content-Type: multipart/alternative; boundary=0016e645b9424875fe048a171164
Cc: Salah Machani <SMachani@diversinet.com>, KEYPROV <keyprov@ietf.org>, iesg@ietf.org, "Tschofenig, Hannes \(NSN - FI/Espoo\)" <hannes.tschofenig@nsn.com>
Subject: Re: [KEYPROV] PSKC-07 submitted
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jun 2010 13:26:18 -0000

Congrats and thanks to everyone for all the work they have put into this.



On Mon, Jun 28, 2010 at 9:20 AM, Philip Hoyer <phoyer@actividentity.com>wrote;wrote:

>  Ladies and Gentlemen,
>
>
>
> A new version of PSKC as been submitted (-07) this addresses:
>
>
>
> Keyprov mailing list discussion for Additional Algorithm Suite parameter.
>
> –         Added the Suite element under AlgorithmParameter: (please note
> that this is a schema change but it is an optional additional element so old
> messages will work)
>
>
>
> “
>
> <Suite>:
>
>
>
>       The optional <Suite> element defines additional characteristics of
>
>       the algorithm used, which are algorithm specific.  For example in
>
>       HMAC based OTP algorithm it could designate the strength of the
>
>       hash algorithm used (SHA1, SHA256, etc).  Please refer to
>
>       algorithm profile specification Section 10 for the exact semantic
>
>       of the value for each algorithm profile.
>
> “
>
>
>
> Discussion about use of # in the URN
>
> Changed the algorithm URNs to use ‘:’ instead of ‘#’ (*Please note that
> this makes ALL current implementations incompatible)*
>
> –         Added the PIN comparison algorithm definition
>
> “
>
> 5.1.  PIN Algorithm definition
>
>
>
>    The PIN algorithm is defined as:
>
>
>
>    boolean = comparePIN(K,P)
>
>
>
>    Where:
>
>
>
>    'K':  Is the stored symmetric credential (PIN) in binary format.
>
>
>
>    'P':  Is the proposed PIN to be compared in binary format.
>
>
>
>    The function comparePIN is a straight octet comparison of K and P.
>
>    Such comparison MUST yield TRUE (credentials matched) when the the
>
>    octet length of K is the same as the octet length of P and all octets
>
>    comprising K are the same as the octets comprising P.
>
> ”
>
>
>
>
>
> *Official COMMENT and DISCUSS items addressed:*
>
>
>
> *Russ Housley*’s comment 2010-05-06 has already been corrected in -06
>
>
>
> *Alexey Melnikov*:
>
>
>
> 2) Changed for version 7 to be either coming from OATH manufacturer prefix
> or IANA Private Enterprise Number registry.
>
> “
>
> <Manufacturer>:  This element indicates the manufacturer of the
>
>       device.  Values for Manufacturer SHOULD be taken from either
>
>       [OATHMAN] prefixes (i.e., the left column) or they SHOULD be taken
>
>       from IANA Private Enterprise Number Registry [IANAPENREG], using
>
>       the Organisation value.
>
> “
>
>
>
> 4) Changed for version 7 to “Specification Required” for both section 12.4
> and 12.6
>
>
>
> 6) Changed in version 7 to have a xml:lang attribute:
>
> “
>
>    <FriendlyName>:  A human readable name for the secret key for easier
>
>       reference.  This element serves informational purposes only.  This
>
>       element is a language dependent string hence it SHOULD have an
>
>       attribute xml:lang="xx" where xx is the language identifier as
>
>       specified in [RFC4646] .  If no xml:lang attribute is present
>
>       implementations MUST assume the language to be English as defined
>
>       by setting the attribute value to "en" (e.g. xml:lang="en").
>
> “
>
> Comment:
>
> 13.1  This was already addressed in version -06
>
>
>
> *Peter Saint-Andre*
>
>
>
>
>
> 2) Key Id, not globally unique anymore:
>
> “
>
> 'Id':  This attribute carries a unique identifier for the symmetric
>
>       key in the context of key provisioning exchanges between two
>
>       parties.  This means that if PSKC is used in multiple interactions
>
>       between a sending and receiving party, using different containers
>
>       referencing the same keys, the KeyId MUST use the same KeyId
>
>       values (e.g. after initial provisioning, if a system wants to
>
>       update key meta data values in the other system the KeyId value of
>
>       the key where the meta data is to be updates MUST be the same of
>
>       the original KeyId value provisioned).  The identifier is defined
>
>       as a string of alphanumeric characters.
>
> “
>
>
>
>
>
> 3) I believe this has been addressed as the description states:
>
> “
>
>       <Time>:  This element contains the time for time based OTP
>
>          algorithms.  (If time interval is used, this element carries
>
>          the number of time intervals passed from a specific start
>
>          point, normally algorithm dependent).
>
> “
>
>
>
> 6)       Added new test in section 1.2 changed title from Version to
> Version Support::
>
> “
>
>    There is a provision made in the syntax for an explicit version
>
>    number.  Only version "1.0" is currently specified.
>
>
>
>    The numbering scheme for PSKC versions is "<major>.<minor>".  The
>
>    major and minor numbers MUST be treated as separate integers and each
>
>    number MAY be incremented higher than a single digit.  Thus, "PSKC
>
>    2.4" would be a lower version than "PSKC 2.13", which in turn would
>
>    be lower than "PSKC 12.3".  Leading zeros (e.g., "PSKC 6.01") MUST be
>
>    ignored by recipients and MUST NOT be sent.
>
>
>
>    The major version number should be incremented only if the message
>
>    format (E.g.  Element structure) has changed so dramatically that an
>
>    older version implementation would not be able to interoperate with a
>
>    newer version.  The minor version number indicates new capabilities,
>
>    and MUST be ignored by an entity with a smaller minor version number,
>
>    but used for informational purposes by the entity with the larger
>
>    minor version number.
>
> “
>
>
>
> 9) Addressed in version -07
>
> “
>
>    The second approach to protecting the confidentiality of the key data
>
>    is based on using lower layer security mechanisms (e.g., [TLS],
>
>    [IPSec]).  The secure connection established between the source
>
>    secure perimeter (the provisioning server from the example above) and
>
>    the target perimeter (the device attached to the end-user computer)
>
>    utilizes encryption to protect the messages that travel across that
>
>    connection.  No key data payload encryption is required in this mode.
>
>    Secure connections that encrypt and digest each message provide an
>
>    extra measure of security.
>
> “
>
>
>
>
>
>
>
>
>
>
>
>
>
> ________________________________
>
>
>
> Philip Hoyer
>
>
>
> Senior Architect - Office of CTO
>
>
>
> ActivIdentity (UK)
>
> 117 Waterloo Road
>
> London SE1 8UL
>
>
>
> Telephone: +44 (0) 20 7960 0220
>
> Fax: +44 (0) 20 7902 1985
>
>
>
> Private and confidential: This message and any attachments may contain
>
> privileged / confidential information. If you are not an intended
> recipient,
>
> you must not copy, distribute, discuss or take any action in reliance on
> it.
>
> If you have received this communication in error, please notify the sender
>
> and delete this message immediately.
>
>
>



-- 
Website: http://hallambaker.com/

v2.8.7 | Report a Bug | By Email