Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility-07 Re: now that I've volunteered....
Tom Yu <tlyu@mit.edu> Tue, 31 March 2015 21:36 UTC
Return-Path: <tlyu@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8571A87DB for <kitten@ietfa.amsl.com>; Tue, 31 Mar 2015 14:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fyCaD9cNw4du for <kitten@ietfa.amsl.com>; Tue, 31 Mar 2015 14:36:39 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 657CB1A87D2 for <kitten@ietf.org>; Tue, 31 Mar 2015 14:36:39 -0700 (PDT)
X-AuditID: 1209190e-f79a76d000000d1b-21-551b1366138f
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 4F.23.03355.6631B155; Tue, 31 Mar 2015 17:36:38 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t2VLabk0014462; Tue, 31 Mar 2015 17:36:37 -0400
Received: from localhost (sarnath.mit.edu [18.18.1.190]) (authenticated bits=0) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2VLaa0s027279; Tue, 31 Mar 2015 17:36:37 -0400
From: Tom Yu <tlyu@mit.edu>
To: Bill Mills <wmills_92105@yahoo.com>
References: <alpine.GSO.1.10.1411192205490.19231@multics.mit.edu> <962591069.3713128.1427479391512.JavaMail.yahoo@mail.yahoo.com> <ldv1tkatgzr.fsf@sarnath.mit.edu>
Date: Tue, 31 Mar 2015 17:36:33 -0400
In-Reply-To: <ldv1tkatgzr.fsf@sarnath.mit.edu> (Tom Yu's message of "Fri, 27 Mar 2015 14:47:20 -0400")
Message-ID: <ldva8ysrgri.fsf@sarnath.mit.edu>
Lines: 69
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrHIsWRmVeSWpSXmKPExsUixCmqrZsmLB1qcPMEv8XRzatYLL51XWd2 YPJYsuQnk8esWYeZApiiuGxSUnMyy1KL9O0SuDK+ndrIUjBLpOLjjonMDYx/+LoYOTgkBEwk lk6y7GLkBDLFJC7cW8/WxcjFISSwmEni+cGPbCAJIYGNjBJT98hCJN4wSlze/pkVJMEmIC1x /PIuJpBBIgLqEs3fvUHCzALyEqfWPwXrFRaIlziw8RPU0OWMEq9O/2MEqWcRUJX498ERpIZT IEPixoLp7CA2r4CuxLNXl8FsHgFOiXlvX7NAxAUlTs58wgIxX0vixr+XTBMYBWYhSc1CklrA yLSKUTYlt0o3NzEzpzg1Wbc4OTEvL7VI11gvN7NELzWldBMjOBgl+XYwfj2odIhRgINRiYf3 wj3JUCHWxLLiytxDjJIcTEqivAZC0qFCfEn5KZUZicUZ8UWlOanFhxglOJiVRHi3H5EKFeJN SaysSi3Kh0lJc7AoifNu+sEXIiSQnliSmp2aWpBaBJOV4eBQkuAVABkqWJSanlqRlplTgpBm 4uAEGc4DNFwfpIa3uCAxtzgzHSJ/ilFRSpyXAyQhAJLIKM2D64Uli1eM4kCvCPMmgVTxABMN XPcroMFMQINPrxIHGVySiJCSamCsTNH/HLfpadFGkWtZvkalwnxzT//WnTdt1pVPGc4qN43C FCb8y793wdc7J8OunCeUf0nsrucN5h9WiV/xt8xkF+KzU06r/bpp+U6NbOsj3xb0S57O9r22 u+mPW6za4uvZe7YuKs41nTdxtYzY4ckhs5c0azD5mTiu7q7Tfh2/su+tZ2lR5AolluKMREMt 5qLiRACzS9cf8QIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/bjQ_d9GLOiEHQUZ3O_nWd_E5cDc>
Cc: Kitten WG <kitten@ietf.org>
Subject: Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility-07 Re: now that I've volunteered....
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 21:36:41 -0000
Here are the KDF OID related changes that I think should happen to the
algorithm agility draft.
Change the Appendix A ASN.1 module IMPORTS subclause that mentions
PK-INIT-SPEC from
PKAuthenticator, DHNonce
FROM KerberosV5-PK-INIT-SPEC {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2) modules(4) pkinit(5) };
-- as defined in RFC 4556.
to
PKAuthenticator, DHNonce, id-pkinit
FROM KerberosV5-PK-INIT-SPEC {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2) modules(4) pkinit(5) };
-- as defined in RFC 4556.
(This adds id-pkinit to the imports).
Change the OID list in Section 6 from
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
-- PKINIT KDFs
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
-- SP800 56A ASN.1 structured hash based KDF using SHA-1
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
-- SP800 56A ASN.1 structured hash based KDF using SHA-256
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
-- SP800 56A ASN.1 structured hash based KDF using SHA-512
id-pkinit-kdf-ah-sha384 OBJECT IDENTIFIER ::= { id-pkinit-kdf 4 }
-- SP800 56A ASN.1 structured hash based KDF using SHA-384
to
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit kdf(6) }
-- PKINIT KDFs
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER
::= { id-pkinit-kdf sha1(1) }
-- SP800-56A ASN.1 structured hash based KDF using SHA-1
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER
::= { id-pkinit-kdf sha256(2) }
-- SP800-56A ASN.1 structured hash based KDF using SHA-256
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER
::= { id-pkinit-kdf sha512(3) }
-- SP800-56A ASN.1 structured hash based KDF using SHA-512
id-pkinit-kdf-ah-sha384 OBJECT IDENTIFIER
::= { id-pkinit-kdf sha384(4) }
-- SP800-56A ASN.1 structured hash based KDF using SHA-384
and also duplicate that in the Appendix A ASN.1 module. Inserting it
right after the IMPORTS clause might be a good place.
We can debate whether the component identifiers for the KDF OIDs should
be just <hashname> or ah-<hashname>.
We might also want to duplicate the id-pkinit definition from RFC 4556
in Section 6 (but not the Appendix A ASN.1 module), to make the full OID
easier for a casual reader to derive.
Any comments?
-Tom
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Tom Yu
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Tom Yu
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Nico Williams
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Tom Yu
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Benjamin Kaduk
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Nico Williams
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Nico Williams
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Benjamin Kaduk
- [kitten] now that I've volunteered.... Bill Mills
- Re: [kitten] now that I've volunteered.... Benjamin Kaduk
- [kitten] draft-ietf-krb-wg-pkinit-alg-agility-07 … Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Greg Hudson
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Benjamin Kaduk
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Bill Mills
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Benjamin Kaduk
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Nico Williams
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Tom Yu
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Nico Williams
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Tom Yu
- Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility… Benjamin Kaduk