Re: [pkix] draft-turner-additional-methods-4kis to ISE - SKISemantics
"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 22 June 2012 05:46 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BE2F21F85F4 for <pkix@ietfa.amsl.com>; Thu, 21 Jun 2012 22:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.214
X-Spam-Level:
X-Spam-Status: No, score=-1.214 tagged_above=-999 required=5 tests=[AWL=-0.313, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0bD1YrjaDDQR for <pkix@ietfa.amsl.com>; Thu, 21 Jun 2012 22:46:35 -0700 (PDT)
Received: from ipxano.tcif.telstra.com.au (ipxano.tcif.telstra.com.au [203.35.82.200]) by ietfa.amsl.com (Postfix) with ESMTP id A863421F85F1 for <pkix@ietf.org>; Thu, 21 Jun 2012 22:46:34 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.77,455,1336312800"; d="scan'208";a="83988366"
Received: from unknown (HELO ipccni.tcif.telstra.com.au) ([10.97.216.208]) by ipoani.tcif.telstra.com.au with ESMTP; 22 Jun 2012 15:46:32 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6749"; a="72676846"
Received: from wsmsg3706.srv.dir.telstra.com ([172.49.40.80]) by ipccni.tcif.telstra.com.au with ESMTP; 22 Jun 2012 15:46:32 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3706.srv.dir.telstra.com ([172.49.40.80]) with mapi; Fri, 22 Jun 2012 15:46:32 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Sean Turner <turners@ieca.com>
Date: Fri, 22 Jun 2012 15:46:30 +1000
Thread-Topic: [pkix] draft-turner-additional-methods-4kis to ISE - SKISemantics
Thread-Index: Ac1Py8Hw+gN8MQ4mQvyKYz98uFJaLgAW/F/w
Message-ID: <255B9BB34FB7D647A506DC292726F6E114F59AB022@WSMSG3153V.srv.dir.telstra.com>
References: <20120530193526.22578.94157.idtracker@ietfa.amsl.com> <4FC6775F.3070206@ieca.com> <4FE09FA0.7070006@ieca.com> <255B9BB34FB7D647A506DC292726F6E114F593B71D@WSMSG3153V.srv.dir.telstra.com> <4FE34D1C.1040704@ieca.com>
In-Reply-To: <4FE34D1C.1040704@ieca.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] draft-turner-additional-methods-4kis to ISE - SKISemantics
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2012 05:46:35 -0000
>> The ext-skiSemantics extension would be better if it held a single
>> AlgorithmIdentifier -- identifying the algorithm used to generate the
>> subject key id. Then the spec can define two such algorithms.
>>
>> ext-skiSemantics EXTENSION ::= {
>> SYNTAX AlgorithmIdentifier
>> IDENTIFIED BY id-pe-skiSemantics }
>>
>> alg-keyHash ALGORITHM ::=
>> { AlgorithmIdentifier IDENTIFIER id-keyHash }
>>
>> alg-keyInfoHash ALGORITHM ::=
>> { AlgorithmIdentifier IDENTIFIER id-keyInfoHash }
> My objection to the proposed syntax is that the predominant use case I
> see is where a CA only wants to indicate that it used SHA-256/512
> instead of SHA-1 to make the SKI. With the current syntax it collapses
> to one oid: id-sha256/512 in skiAlgorithm, skiInput and skiOutput are
> omitted. With the proposed syntax we'd need to carry two oids.
Yes. You need 2 OIDs. It adds, say, 5 bytes to the cert for a less hacky design. That is worth it.
The current syntax assumes the only way to generate a key id is to munge the hash of something. Three OIDs identify the munging (skiOutput), the hash (skiAlgorithm), and the something (skiInput). Defaults are given for the munging (optionally truncate) and the something (public key value) so only 1 OID is needed in the "common" case (which isn't actually common since SKISemantics seems likely to be a niche extension).
If, for instance, the CA randomly generates the key id it cannot indicate that -- it doesn't fit the munged-hash-of-something model. The CA would need to lie, making up fake hash and input OIDs and including 3 OIDs in the extension.
>> If the spec is going to define alg-keyInfoHash (which it currently
>> does under the name id-subjectPublicKeyInfo) for the extension
>> (section 3) it really needs to define it as additional methods
>> for generating key ids (section 2).
> There's only one there because only one was asked for. I'm willing to
> add more - got any in mind?
The methods for generating key ids (section 2 and RFC5280), and the ways to identify those methods in an extension (section 3), need to be consistent. At the moment they are not consistent since id-subjectPublicKeyInfo is defined in section 3 with nothing corresponding to it anywhere else.
P.S. In the current ASN.1 for SKISemantics the skiInput and skiOutput fields are both OIDs and both OPTIONAL so they need tags to distinguish them (eg [0] and [1]).
--
James Manger
- Re: [pkix] I-D Action: draft-turner-additional-me… Sean Turner
- [pkix] draft-turner-additional-methods-4kis to ISE Sean Turner
- Re: [pkix] draft-turner-additional-methods-4kis t… Manger, James H
- Re: [pkix] draft-turner-additional-methods-4kis t… Sean Turner
- Re: [pkix] draft-turner-additional-methods-4kis t… Martin Rex
- Re: [pkix] draft-turner-additional-methods-4kis t… Manger, James H
- Re: [pkix] draft-turner-additional-methods-4kis t… Manger, James H
- Re: [pkix] draft-turner-additional-methods-4kis t… Manger, James H