Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility-07 Re: now that I've volunteered....
Benjamin Kaduk <kaduk@MIT.EDU> Wed, 01 April 2015 16:30 UTC
Date: Wed, 01 Apr 2015 12:30:34 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Tom Yu <tlyu@MIT.EDU>
In-Reply-To: <ldva8ysrgri.fsf@sarnath.mit.edu>
Message-ID: <alpine.GSO.1.10.1504011229380.22210@multics.mit.edu>
References: <alpine.GSO.1.10.1411192205490.19231@multics.mit.edu> <962591069.3713128.1427479391512.JavaMail.yahoo@mail.yahoo.com> <ldv1tkatgzr.fsf@sarnath.mit.edu> <ldva8ysrgri.fsf@sarnath.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/wsumV5pNNuG58aHGIvBjDfqOw28>
Cc: Kitten WG <kitten@ietf.org>
Subject: Re: [kitten] draft-ietf-krb-wg-pkinit-alg-agility-07 Re: now that I've volunteered....
On Tue, 31 Mar 2015, Tom Yu wrote:

> Here are the KDF OID related changes that I think should happen to the
> algorithm agility draft.
>
> Change the Appendix A ASN.1 module IMPORTS subclause that mentions
> PK-INIT-SPEC from
>
>     PKAuthenticator, DHNonce
>         FROM KerberosV5-PK-INIT-SPEC {
>             iso(1) identified-organization(3) dod(6) internet(1)
>             security(5) kerberosV5(2) modules(4) pkinit(5) };
>             -- as defined in RFC 4556.
>
> to
>
>     PKAuthenticator, DHNonce, id-pkinit
>         FROM KerberosV5-PK-INIT-SPEC {
>             iso(1) identified-organization(3) dod(6) internet(1)
>             security(5) kerberosV5(2) modules(4) pkinit(5) };
>             -- as defined in RFC 4556.
>
> (This adds id-pkinit to the imports).
>
> Change the OID list in Section 6 from
>
>     id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
>     -- PKINIT KDFs
>     id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
>     -- SP800 56A ASN.1 structured hash based KDF using SHA-1
>     id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
>     -- SP800 56A ASN.1 structured hash based KDF using SHA-256
>     id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
>     -- SP800 56A ASN.1 structured hash based KDF using SHA-512
>     id-pkinit-kdf-ah-sha384 OBJECT IDENTIFIER ::= { id-pkinit-kdf 4 }
>     -- SP800 56A ASN.1 structured hash based KDF using SHA-384
>
> to
>
>     id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit kdf(6) }
>     -- PKINIT KDFs
>
>     id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER
>         ::= { id-pkinit-kdf sha1(1) }
>     -- SP800-56A ASN.1 structured hash based KDF using SHA-1
>
>     id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER
>         ::= { id-pkinit-kdf sha256(2) }
>     -- SP800-56A ASN.1 structured hash based KDF using SHA-256
>
>     id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER
>         ::= { id-pkinit-kdf sha512(3) }
>     -- SP800-56A ASN.1 structured hash based KDF using SHA-512
>
>     id-pkinit-kdf-ah-sha384 OBJECT IDENTIFIER
>         ::= { id-pkinit-kdf sha384(4) }
>     -- SP800-56A ASN.1 structured hash based KDF using SHA-384
>
> and also duplicate that in the Appendix A ASN.1 module.  Inserting it
> right after the IMPORTS clause might be a good place.
>
> We can debate whether the component identifiers for the KDF OIDs should
> be just <hashname> or ah-<hashname>.
>
> We might also want to duplicate the id-pkinit definition from RFC 4556
> in Section 6 (but not the Appendix A ASN.1 module), to make the full OID
> easier for a casual reader to derive.
>
> Any comments?

These look generally good.  I don't presently have an opinion on
<hashname> vs. ah-<hashname>, and would support the duplication of
id-pkinit in section 6 (but not Appendix A).

Thanks for putting this together.

-Ben
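The message above notes that a casual reader cannot derive the full KDF OIDs without the id-pkinit definition from RFC 4556. The following worked example, added here by the editor and not part of the thread or of the draft, does that derivation in Python and DER-encodes the result, which is what an implementation actually puts on the wire in the KDF-selection field. The id-pkinit prefix 1.3.6.1.5.2.3 is taken from RFC 4556 rather than from this message; the arcs below it are exactly those quoted above. The encoder and decoder are generic, so the block also covers multi-octet sub-identifiers (shown with the RSA PKCS#1 arc 1.2.840.113549 as a constructed test input) and rejects non-minimal encodings that DER forbids.

```python
"""Derive the PKINIT KDF OIDs from their ASN.1 arcs and DER-encode them.

Added example; not code from the draft, the thread, or any Kerberos
implementation.
"""

# id-pkinit as defined in RFC 4556 (not restated in the message above):
#   { iso(1) identified-organization(3) dod(6) internet(1)
#     security(5) kerberosv5(2) pkinit(3) }
ID_PKINIT = (1, 3, 6, 1, 5, 2, 3)

# Arcs from the draft text quoted above: id-pkinit-kdf is { id-pkinit 6 }
# and each KDF is one arc below it.
ID_PKINIT_KDF = ID_PKINIT + (6,)
PKINIT_KDF_OIDS = {
    "id-pkinit-kdf-ah-sha1":   ID_PKINIT_KDF + (1,),
    "id-pkinit-kdf-ah-sha256": ID_PKINIT_KDF + (2,),
    "id-pkinit-kdf-ah-sha512": ID_PKINIT_KDF + (3,),
    "id-pkinit-kdf-ah-sha384": ID_PKINIT_KDF + (4,),
}


def dotted(arcs):
    """Render an arc tuple in dotted form, e.g. 1.3.6.1.5.2.3.6.2."""
    return ".".join(str(a) for a in arcs)


def _encode_subid(value):
    """Base-128 encode one sub-identifier; high bit set on all but the last octet."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def der_encode_oid(arcs):
    """DER-encode an OBJECT IDENTIFIER: tag 0x06, short-form length, content."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs: %r" % (arcs,))
    # The first two arcs are packed into a single sub-identifier (X.690 8.19.4).
    body = _encode_subid(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_subid(arc)
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + body


def der_decode_oid(data):
    """Decode a DER OBJECT IDENTIFIER, rejecting anything that is not minimal DER."""
    if len(data) < 3 or data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = data[1]
    if length > 127 or len(data) != 2 + length:
        raise ValueError("bad length")
    subids = []
    value = 0
    in_progress = False
    for b in data[2:]:
        # A sub-identifier may not start with 0x80: that would be a
        # non-minimal (padded) encoding, which DER forbids.
        if not in_progress and b == 0x80:
            raise ValueError("non-minimal sub-identifier (leading 0x80)")
        value = (value << 7) | (b & 0x7F)
        in_progress = bool(b & 0x80)
        if not in_progress:
            subids.append(value)
            value = 0
    if in_progress:
        raise ValueError("truncated sub-identifier")
    first = subids[0]
    arcs = (first // 40, first % 40) if first < 80 else (2, first - 80)
    return arcs + tuple(subids[1:])


def kdf_oid_table():
    """Map each KDF name to (dotted OID, DER hex) for the four KDFs above."""
    return {
        name: (dotted(arcs), der_encode_oid(arcs).hex())
        for name, arcs in PKINIT_KDF_OIDS.items()
    }


if __name__ == "__main__":
    for name, (dot, der) in kdf_oid_table().items():
        print("%-26s %-20s %s" % (name, dot, der))
```

Running the block prints one line per KDF; id-pkinit-kdf-ah-sha256, for instance, resolves to 1.3.6.1.5.2.3.6.2 and encodes as 06 08 2b 06 01 05 02 03 06 02. The decoder is strict on purpose: an implementation that selects a KDF by comparing decoded arcs must not accept a padded sub-identifier, or two different byte strings would name the same KDF.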