Re: [pkix] Possible new work item: additional methods for generating key identifiers

Sean Turner <turners@ieca.com> Tue, 24 April 2012 11:07 UTC

Message-ID: <4F96897A.7020906@ieca.com>
Date: Tue, 24 Apr 2012 07:07:38 -0400
From: Sean Turner <turners@ieca.com>
To: Rene Struik <rstruik.ext@gmail.com>
References: <4C18DCF2.2030703@ieca.com> <4F95BB92.6080206@ieca.com> <4F95CDCE.4080109@gmail.com>
In-Reply-To: <4F95CDCE.4080109@gmail.com>
Cc: pkix@ietf.org

Rene,

Thanks for reviewing.  Comments inline.

spt

On 4/23/12 5:46 PM, Rene Struik wrote:
> Hi Sean:
>
> You defined the key identifier to be the hash of the public key,
> truncated to 160 bits.

There are two parts to this draft:

- Describing methods for generating a key identifier that are the same 
as one of the example methods in 5280 except the ones in the draft use 
the SHA2 algs.

- Defining an extension to allow CAs to indicate the alg used to compute 
the key identifier, the input to the hash alg, and the output length.

> Shouldn't one have different key identifiers if
> the policy fields associated with the public key are different (e.g., if
> the same public key Qa associated with some entity A gets rolled over
> and assigned a new validity period)?

If I'm reading RFC 5280 correctly, then I think it might go against it:

  Where a key identifier has been previously established,
  the CA SHOULD use the previously established identifier.

> Similarly, shouldn't one include
> the unique id of the presumed key holder (e.g.,so as to preclude people
> cloning a public/private key pair to another device [I am sure
> implementers contemplating this exist] without notice)?

I'm certainly not precluding anybody from using whatever they want as an 
input to hash alg used to generate the key identifiers.  I'm just 
listing some additional methods.

To play devil's advocate here, I can already see the questions on this 
one: how do you know the identifier for the key holder is unique?

> Best regards, Rene
>
> On 23/04/2012 4:29 PM, Sean Turner wrote:
>> <no hat>
>>
>> I've resurrected this draft after making some changes/additions to it
>> based on mailing list comments. The latest version can be found at:
>>
>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/
>>
>> I'd like to ask the WG (again) to consider adopting this a WG item.
>>
>> spt
>>
>> </no hat>
>>
>> On 6/16/10 10:17 AM, Sean Turner wrote:
>>> Greetings. Steve and I have whipped up a short I-D that specifies
>>> additional methods for generating key identifiers from a public key. The
>>> draft can be found at:
>>>
>>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/
>>>
>>> I'd like to ask the WG to consider adopting this as a WG item.
>>>
>>> Cheers,
>>>
>>> spt*
>>>
>>> * (with no hat on)
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pkix
>>>
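The two RFC 5280 example methods and the SHA-2 analogue truncated to 160 bits that the thread discusses, worked as an added example (this is not code from the draft, from RFC 5280 or from either poster). It assumes truncation keeps the leftmost bits, since the draft's exact rule is not quoted in the message; the SubjectPublicKeyInfo is a constructed toy RSA key, not a real one. Note that every function hashes only the key bits, so a rolled-over certificate for the same key yields the same identifier, which is the RFC 5280 "previously established identifier" behaviour Sean cites.

```python
import hashlib

# Constructed toy SubjectPublicKeyInfo (rsaEncryption, 88-bit modulus), NOT a real key:
# SEQUENCE { AlgorithmIdentifier { OID 1.2.840.113549.1.1.1, NULL },
#            BIT STRING (0 unused bits) { SEQUENCE { INTEGER n, INTEGER e } } }
SAMPLE_SPKI = bytes.fromhex(
    "3027"
    "300d06092a864886f70d0101010500"
    "031600"
    "3013"
    "020c00c0ffee1234567890abcdef"
    "0203010001"
)

def _read_tlv(buf: bytes, off: int):
    """Parse one DER TLV at off; return (tag, value, offset after it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

def subject_public_key_bits(spki: bytes) -> bytes:
    """subjectPublicKey BIT STRING value minus tag, length and unused-bits octet."""
    _, seq, _ = _read_tlv(spki, 0)
    _, _, after_alg = _read_tlv(seq, 0)             # skip AlgorithmIdentifier
    tag, bitstr, _ = _read_tlv(seq, after_alg)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bitstr[1:]

def ski_rfc5280_method1(bits: bytes) -> bytes:
    return hashlib.sha1(bits).digest()              # 160-bit SHA-1 of the key bits

def ski_rfc5280_method2(bits: bytes) -> bytes:
    low = hashlib.sha1(bits).digest()[-8:]          # 0100 + low 60 bits of SHA-1
    return bytes([0x40 | (low[0] & 0x0F)]) + low[1:]

def ski_sha2_truncated(bits: bytes, alg: str = "sha256", out_bits: int = 160) -> bytes:
    """SHA-2 analogue of method (1); assumes the leftmost out_bits are kept."""
    return hashlib.new(alg, bits).digest()[: out_bits // 8]

def identify_method(spki: bytes, ski: bytes):
    """Audit helper: name the method that reproduces ski for this key, or None."""
    bits = subject_public_key_bits(spki)
    candidates = {"SHA-1 (RFC 5280 method 1)": ski_rfc5280_method1(bits),
                  "0100 + 60 bits of SHA-1 (RFC 5280 method 2)": ski_rfc5280_method2(bits)}
    for alg in ("sha256", "sha384", "sha512"):
        candidates[f"{alg} truncated to 160 bits"] = ski_sha2_truncated(bits, alg)
    return next((name for name, v in candidates.items() if v == ski), None)
```

`identify_method` is the check an auditor wants when a CA sets the extension Sean describes: it confirms which hash and truncation actually reproduce a certificate's SubjectKeyIdentifier from its key.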