Re: [pkix] Possible new work item: additional methods for generating key identifiers
Rene Struik <rstruik.ext@gmail.com> Tue, 24 April 2012 16:45 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BD921E8089 for <pkix@ietfa.amsl.com>; Tue, 24 Apr 2012 09:45:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.149
X-Spam-Level:
X-Spam-Status: No, score=-3.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_63=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NvT4cx3B+4Q for <pkix@ietfa.amsl.com>; Tue, 24 Apr 2012 09:45:38 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id AA05821E8088 for <pkix@ietf.org>; Tue, 24 Apr 2012 09:45:38 -0700 (PDT)
Received: by iazz13 with SMTP id z13so1532447iaz.31 for <pkix@ietf.org>; Tue, 24 Apr 2012 09:45:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=HDrkRpPDG70XRiSNBBMNsMDm5imAhmZJEND+M18rc8k=; b=UjgZhm68q5XIwWvV2ifJHPgzLNNobqEeDUSPwXc4yp7S6UOtUftomtYMWGhF7aKrnY YcTW9LE02wCkQxJo0c8Pl8GSWaqjuRgLcO28UslmrtlJuux0rgWN5oc11l4ZVhk4T/+p s08ZWg4D9wgKttZRIHiTpeN15B8YGIz2Wpl03ssxc220hou+uUCX3ApDT1vdQnobNL02 Wdcl9jJ6+/JlFtY/u1RxoMxqH8JfBagYQTbnokbUPF1gS9eFxHw+X3rxgB0AdUa7N8lD D56jjpu8moz3XzMstOCC3rI24x8zZ8tO1vvFQohVWdXIy/fMCcV9DYFVjJcDYTyAq1G9 k6IQ==
Received: by 10.50.45.231 with SMTP id q7mr11044270igm.42.1335285938220; Tue, 24 Apr 2012 09:45:38 -0700 (PDT)
Received: from [192.168.1.101] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [72.138.34.10]) by mx.google.com with ESMTPS id hq3sm37738425igc.0.2012.04.24.09.45.36 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 24 Apr 2012 09:45:37 -0700 (PDT)
Message-ID: <4F96D8A9.8050109@gmail.com>
Date: Tue, 24 Apr 2012 12:45:29 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Sean Turner <turners@ieca.com>
References: <4C18DCF2.2030703@ieca.com> <4F95BB92.6080206@ieca.com> <4F95CDCE.4080109@gmail.com> <4F96897A.7020906@ieca.com> <4F96AB39.4060600@gmail.com> <4F96D35D.2060305@ieca.com>
In-Reply-To: <4F96D35D.2060305@ieca.com>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: pkix@ietf.org
Subject: Re: [pkix] Possible new work item: additional methods for generating key identifiers
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 16:45:39 -0000
Hi Sean: On 24/04/2012 12:22 PM, Sean Turner wrote: > On 4/24/12 9:31 AM, Rene Struik wrote: >> Hi Sean: >> >> Thanks for the feedback. Your feedback seems more procedural (since you >> refer to SHOULD language in RFC 5280. My comment was more technical >> (granted - it did not look at your write-up in the context of RFC5280). >> >> draft-turner-additional-methods-4kis-03, Section 1, first para suggests >> the following: >> >> These key identifiers are used by PKI-enabled security protocols, >> such as CMP (Certificate Management Protocol) [RFC4210] and CMS >> (Cryptographic Message Syntax) [RFC5652], >> to identify the certificate used to protect a message, a >> session, etc. >> >> If so, referring to the same public key in different policy context via >> the same identifier does not seem to serve the purpose. After all, if >> one has CertCA(IdA, Qa, Valid0) and CertCA(IdA,Qa,Valid1), how can one >> identify which of these two certificates to use if the key identifier >> only depends on the common part of both certs? > > Ah so if the entity that holds both of CertCA's certs is doing the > signing/encrypting - it usually includes the certificate in the > protocol. So, it's really just helping the recipient figure out which > one of the certs in the certs bag to start with. > > In the general case, if an EE only has one key and the CA has two > valid certificates, then the RP is going to use which ever path works > and it might have to check both. > RS>> Hence, my suggestion, which would avoid having to check more than one option. <<RS >> To me, a key identifier identifies a key and associated keying >> information that is bound to it. > > Isn't that a certificate? ;) But, I'm not trying to redefine what a > key identifier is. I'm just going with what RFC 5280 says in s4.2.1.1 > and s4.2.1.2. > RS>> Usually, keying material takes the form (key, associated keying info), where the associated keying info was not created in a vacuum: it supposedly stipulates something about the key itself: key validity period, key usage, key originator, key owner, etc. Thus, my reference to "bound to it" (maybe, I should have written "[supposedly] bound to it"). With certs, one has the CA vouching for the binding of the key to other attributes via a signature, but there could be other mechanisms to attest to a binding (including attesting to this via symmetric key techniques or by just imprinting the keying material onto a device). <<RS > spt > >> I do agree it is hard to enforce uniqueness of identifiers (but that is >> true for any requirement in a specification, even if one would use SHALL >> language). >> >> Best regards, Rene >> >> >> On 24/04/2012 7:07 AM, Sean Turner wrote: >>> Rene, >>> >>> Thanks for reviewing. Comments inline. >>> >>> spt >>> >>> On 4/23/12 5:46 PM, Rene Struik wrote: >>>> Hi Sean: >>>> >>>> You defined the key identifier to be the hash of the public key, >>>> truncated to 160 bits. >>> >>> There's two parts of this draft: >>> >>> - Describing methods for generating a key identifier that are the same >>> as one of the example methods in 5280 except they ones in the draft >>> use the SHA2 algs. >>> >>> - Defining an extension to allow CAs to indicate the alg used to >>> compute they key identifier, the input to the hash alg, and the output >>> length. >>> >>>> Shouldn't one have different key identifiers if >>>> the policy fields assoicated with the public key are different >>>> (e.g., if >>>> the same public key Qa associated with some entity A gets rolled over >>>> and assigned a new validity period)? >>> >>> If I'm reading RFC 5280 correctly, then I think it might go against it: >>> >>> Where a key identifier has been previously established, >>> the CA SHOULD use the previously established identifier. >>> >>>> Similarly, shouldn't one include >>>> the unique id of the presumed key holder (e.g.,so as to preclude >>>> people >>>> cloning a public/private key pair to another device [I am sure >>>> implementers contemplating this exist] without notice)? >>> >>> I'm certainly not precluding anybody from using whatever they want as >>> an input to hash alg used to generate the key identifiers. I'm just >>> listing some additional methods. >>> >>> To play devil's advocate here, I can already see the questions on this >>> one: how do you know the identifier for the key holder is unique. >>> >>>> Best regards, Rene >>>> >>>> On 23/04/2012 4:29 PM, Sean Turner wrote: >>>>> <no hat> >>>>> >>>>> I've resurrected this draft after making some changes/additions to it >>>>> based on mailing list comments. The latest version can be found at: >>>>> >>>>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/ >>>>> >>>>> I'd like to ask the WG (again) to consider adopting this a WG item. >>>>> >>>>> spt >>>>> >>>>> </no hat> >>>>> >>>>> On 6/16/10 10:17 AM, Sean Turner wrote: >>>>>> Greetings. Steve and I have whipped up a short I-D that specifies >>>>>> additional methods for generating key identifiers from a public >>>>>> key. The >>>>>> draft can be found at: >>>>>> >>>>>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/ >>>>>> >>>>>> >>>>>> I'd like to ask the WG to consider adopting this as a WG item. >>>>>> >>>>>> Cheers, >>>>>> >>>>>> spt* >>>>>> >>>>>> * (with no hat on) >>>>>> _______________________________________________ >>>>>> pkix mailing list >>>>>> pkix@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/pkix >>>>>> >>>>> _______________________________________________ >>>>> pkix mailing list >>>>> pkix@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/pkix >>>> >>>> >> >> -- email: rstruik.ext@gmail.com Skype: rstruik cell: +1 (647) 867-5658 USA Google voice: +1 (415) 690-7363
- [pkix] Possible new work item: additional methods… Sean Turner
- Re: [pkix] Possible new work item: additional met… Henry B. Hotz
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Henry B. Hotz
- Re: [pkix] Possible new work item: additional met… Kemp, David P.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Henry B. Hotz
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Jim Schaad
- Re: [pkix] Possible new work item: additional met… Tom Gindin
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Carl Wallace
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Carl Wallace
- Re: [pkix] Possible new work item: additional met… Michael StJohns
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Tom Gindin
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Carl Wallace
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Kemp, David P.
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Michael StJohns
- Re: [pkix] Possible new work item: additional met… koichi sugimoto
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Tom Gindin
- Re: [pkix] Possible new work item: additional met… koichi sugimoto
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… koichi sugimoto
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Rene Struik
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Rene Struik
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Rene Struik