Re: [media-types] Internet media type application/pkcs8-encrypted; request review
Sean Leonard <dev+ietf@seantek.com> Sun, 25 October 2015 10:34 UTC
Return-Path: <dev+ietf@seantek.com>
X-Original-To: media-types@ietfa.amsl.com
Delivered-To: media-types@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86FB11B2AA1 for <media-types@ietfa.amsl.com>; Sun, 25 Oct 2015 03:34:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cpBC32VAm_kA for <media-types@ietfa.amsl.com>; Sun, 25 Oct 2015 03:34:11 -0700 (PDT)
Received: from pechora7.dc.icann.org (pechora7.icann.org [IPv6:2620:0:2830:201::1:73]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 467991B2A9E for <media-types@ietf.org>; Sun, 25 Oct 2015 03:34:10 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by pechora7.dc.icann.org (8.13.8/8.13.8) with ESMTP id t9PAXmKD012239 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <media-types@iana.org>; Sun, 25 Oct 2015 10:34:09 GMT
Received: from [192.168.123.7] (unknown [75.83.2.34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id C958E509BB; Sun, 25 Oct 2015 06:33:26 -0400 (EDT)
References: <56211935.10006@seantek.com> <91C56926-432E-414E-94A7-9947C7F50FCF@ieca.com>
From: Sean Leonard <dev+ietf@seantek.com>
To: "media-types@iana.org" <media-types@iana.org>
Message-ID: <562CAFA7.4010402@seantek.com>
Date: Sun, 25 Oct 2015 03:32:07 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <91C56926-432E-414E-94A7-9947C7F50FCF@ieca.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060904010600040905060602"
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (pechora7.dc.icann.org [192.0.46.73]); Sun, 25 Oct 2015 10:34:09 +0000 (UTC)
Archived-At: <http://mailarchive.ietf.org/arch/msg/media-types/Z6SC7eNaYC5h8GEj6BLL5PEK56U>
Cc: Sean Turner <turners@ieca.com>, Russ Housley <housley@vigilsec.com>, "Kaliski, Burt" <bkaliski@verisign.com>, draft-moriarty-pkcs12v1-1.all@tools.ietf.org
Subject: Re: [media-types] Internet media type application/pkcs8-encrypted; request review
X-BeenThere: media-types@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IANA mailing list for reviewing Media Type \(MIME Type, Content Type\) registration requests." <media-types.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/media-types>, <mailto:media-types-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/media-types/>
List-Post: <mailto:media-types@ietf.org>
List-Help: <mailto:media-types-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/media-types>, <mailto:media-types-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Oct 2015 10:34:12 -0000
Hello media-types reviewers: spt and seantek had a conversation off-list. While we did not reach agreement on it, the TL;DR version is: The registration for the X.690 (DER, BER) encoding of the EncryptedPrivateKeyInfo PDU could be: application/pkcs8-encrypted with suggested file extension .p8e OR application/pkcs8; encrypted=true (or 1 or some such) with suggested file extension...probably still .p8. maybe .p8e too, maybe not I guess it's worth asking the media-types folks here: what are the factors that weigh in for adding parameters to an existing media type, versus registering a new media type? Ancillary issue: are we in agreement about what magic numbers are vs. are not? RFC 6838 Section 4.12 says that they "are byte sequences that are always present at a given place in the file and thus can be used to identify entities..." So they must be at a fixed place in the file, not "3 bytes away from that other byte that is n bytes away from the first byte that says how much n is", and the magic bytes must be sufficiently specific (not just '30h', for example, which is the start of most ASN.1/X.690-based serializations)? Sean On 10/17/2015 12:34 PM, Sean Turner wrote: > Sean, > > I guess I’m confused by this request because I thought we’d agreed was an editorial errata for RFC5958 to address this issue: > > OLD: > > .p8 files are sometimes PEM-encoded. When .p8 files are PEM encoded > they use the .pem file extension. PEM encoding is either the Base64 > encoding, from Section 4 of [RFC4648], of the DER-encoded > EncryptedPrivateKeyInfo sandwiched between: > > -----BEGIN ENCRYPTED PRIVATE KEY----- > -----END ENCRYPTED PRIVATE KEY----- > > NEW: > > The data in .p8 files is sometimes PEM-encoded. When the data in > .p8 files is PEM encoded, the files use the .pem file extension. PEM > encoding is either the Base64 encoding, from Section 4 of [RFC4648], > of the DER-encoded EncryptedPrivateKeyInfo sandwiched between: > > -----BEGIN ENCRYPTED PRIVATE KEY----- > -----END ENCRYPTED PRIVATE KEY----- > > spt > > On Oct 16, 2015, at 11:35, Sean Leonard <dev+ietf@seantek.com> wrote: > >> To Media Types reviewers (and to relevant security folks): >> >> This is a first draft of a registration request for the Internet media type application/pkcs8-encrypted, for PKCS #8 EncryptedPrivateKeyInfo content. >> >> Feedback is appreciated. >> >> This registration is consistent with the recent application/pkcs8, application/pkcs10, and application/pkcs12 registrations. The relevant standard, RFC 5958, is primarily a republication of PKCS #8, and does not have its own media type registration in the text. >> >> Regards, >> >> Sean >> >> ***** >> >> Type name: application >> >> Subtype name: pkcs8-encrypted >> >> Required parameters: N/A >> >> Optional parameters: N/A >> >> Encoding considerations: binary >> >> Security considerations: >> Carries a cryptographic private key. See Section 6 of RFC 5958. >> EncryptedPrivateKeyInfo PKCS #8 data contains exactly one private key. Poor password choices, weak algorithms, or improper parameter selections (e.g., insufficient salting rounds) will make the confidential payloads much easier to compromise. >> >> Interoperability considerations: >> PKCS #8 is a widely recognized format for private key information on all modern cryptographic stacks. The encrypted variation in this registration, EncryptedPrivateKeyInfo (Section 3, Encrypted Private Key Info, of RFC 5958, and Section 6 of PKCS #8), is less widely used for exchange than PKCS #12, but it is much simpler to implement. The contents are exactly one private key (with optional attributes), so the possibility for hidden "easter eggs" in the payload such as unexpected certificates or miscellaneous secrets is drastically reduced. >> >> Published specification: >> PKCS #8 v1.2, November 1993 (republished as RFC 5208, May 2008); RFC 5958, August 2010 >> >> Applications that use this media type: >> Machines, applications, browsers, Internet kiosks, and so on, that support this standard allow a user to import, export, and exercise a single private key. >> >> Fragment identifier considerations: N/A >> >> Additional information: >> >> Deprecated alias names for this type: N/A >> Magic number(s): None. >> File extension(s): .p8e >> Macintosh file type code(s): N/A >> >> Person & email address to contact for further information: >> Sean Leonard <dev+ietf&seantek.com> >> >> Intended usage: COMMON >> >> Restrictions on usage: None. >> >> Author: >> RSA, EMC, IETF >> >> Change controller: The IETF >> >> Provisional registration? (standards tree only): No >> >> > _______________________________________________ > media-types mailing list > media-types@ietf.org > https://www.ietf.org/mailman/listinfo/media-types
- [media-types] Internet media type application/pkc… Sean Leonard
- Re: [media-types] Internet media type application… Sean Turner
- Re: [media-types] Internet media type application… Sean Leonard
- Re: [media-types] Internet media type application… Sean Leonard
- Re: [media-types] Internet media type application… Henrik Andersson