Re: [Mathmesh] pkix-keyinfo content type

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 August 2019 00:24 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>
cc: SPASM <SPASM@ietf.org>, mathmesh@ietf.org
Date: Thu, 15 Aug 2019 20:24:04 -0400
Message-ID: <14510.1565915044@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mathmesh/rKNslGguHSjLt7ezC9AD14Q4nJM>

Phillip Hallam-Baker <phill@hallambaker.com> wrote:
    > In brief, the idea is to allow a single fingerprint format to be used
    > to encode any content type without semantic substitution attacks. So to
    > take the digest of a public key, we first generate the PKIX
    > SubjectPublicKeyInfo:

    >    SubjectPublicKeyInfo ::= SEQUENCE {
    >         algorithm AlgorithmIdentifier,
    >         subjectPublicKey BIT STRING }

    > Then we take this octet stream <SubjectPublicKeyInfo> and calculate:

    > H ( "application/pkix-keyinfo:" + H(<SubjectPublicKeyInfo>) )

    > Where + is concatenation.

This is not consistent with the RFC5280 suggestion on how to create SubjectKeyIdentifier.
I've just been through how to specify a non-SHA-1 bound version of that, and
RFC7469 section 2.4 has suggestions.

As SubjectKeyIdentifier can be calculated by any suitable way and used if it
is present, it's only the case where it is not present that is a problem.
Typically only CA:TRUE certificates are supposed to have it present.  I'd
like it to be present for all certificates.

So your construction would be:
   H ( "application/pkix-keyinfo:" + SubjectKeyIdentifier )

and I think that is fine, as long as it does not cause confusion.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
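
An added example, not part of the original message or of either author's code: it computes the quoted construction and the RFC 5280 section 4.2.1.2 method (1) SubjectKeyIdentifier over the same key, showing that they hash different byte ranges (the whole SubjectPublicKeyInfo versus the key bits only). H is taken to be SHA-256, which the thread does not specify; the sample key and the helper names are constructed for illustration.

```python
import hashlib

CONTENT_TYPE = b"application/pkix-keyinfo:"
# Constructed sample: DER SubjectPublicKeyInfo for Ed25519 (OID 1.3.101.112)
# with key bytes 00..1f. Not a real key.
KEY_BYTES = bytes(range(32))
SPKI = bytes.fromhex("302a300506032b6570032100") + KEY_BYTES


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the octet count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def public_key_bits(spki):
    """subjectPublicKey value without tag, length and unused-bits octet."""
    tag, body, end = read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("expected exactly one SEQUENCE")
    tag, _algorithm, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, bits, pos = read_tlv(body, pos)
    if tag != 0x03 or pos != len(body) or not bits:
        raise ValueError("expected BIT STRING subjectPublicKey")
    return bits[1:]


def ski_rfc5280(spki):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the key bits only."""
    return hashlib.sha1(public_key_bits(spki)).digest()


def typed_digest(inner, content_type=CONTENT_TYPE, h=hashlib.sha256):
    """H(content_type + inner); H = SHA-256 is an assumption."""
    return h(content_type + inner).digest()


def keyinfo_fingerprint(spki, h=hashlib.sha256):
    """Quoted construction: H("application/pkix-keyinfo:" + H(SPKI))."""
    return typed_digest(h(spki).digest(), h=h)
```

`typed_digest(ski_rfc5280(SPKI))` gives the variant proposed in the reply; it differs from `keyinfo_fingerprint(SPKI)` for the same key, so a verifier has to know which of the two it is comparing against.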