Re: [pkix] Possible new work item: additional methods for generating key identifiers
Rene Struik <rstruik.ext@gmail.com> Tue, 24 April 2012 13:31 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB8121F8802 for <pkix@ietfa.amsl.com>; Tue, 24 Apr 2012 06:31:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_63=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dsy3e7lbxiaA for <pkix@ietfa.amsl.com>; Tue, 24 Apr 2012 06:31:45 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id B329221F87EE for <pkix@ietf.org>; Tue, 24 Apr 2012 06:31:42 -0700 (PDT)
Received: by iazz13 with SMTP id z13so1282661iaz.31 for <pkix@ietf.org>; Tue, 24 Apr 2012 06:31:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=nSAkNJWK5oUMOf1+SNDu67ghPxl1VywSy0N48c5dl3U=; b=oqP6uFPmsmBvzBxd74G8eYrjrnyt0jUa7nh2+8KxLtFj0kvls7nKI/gF3HHfQJVmHq yJd4h9XpaziFNP2xU09Rd/sbiJbIHrlP+gSwrL7CHSpF4xhxVz/lvDfekrZW+MIi1jD3 FtV8I+eENBZd2X5doCXLbY5xC0TRKDoXLC6kh0nvhG29mLKhZDQDmYUoSBGZSmOtdztd oASM4MURUUaK12+HnpTpJfWljeUy/eqliJyUTaDYKY5YNSrKEZjAANnRwr7v2B56G5qV bZujNoUBFUYcxqxJwXS/4cRPDeIGrAnZeY5RqYtxVPzFHRzKjAHBPv5F7XTPdBRMISao T4kA==
Received: by 10.50.51.134 with SMTP id k6mr10153970igo.47.1335274301617; Tue, 24 Apr 2012 06:31:41 -0700 (PDT)
Received: from [192.168.1.101] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [72.138.34.10]) by mx.google.com with ESMTPS id gb4sm3544628igc.1.2012.04.24.06.31.39 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 24 Apr 2012 06:31:40 -0700 (PDT)
Message-ID: <4F96AB39.4060600@gmail.com>
Date: Tue, 24 Apr 2012 09:31:37 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Sean Turner <turners@ieca.com>
References: <4C18DCF2.2030703@ieca.com> <4F95BB92.6080206@ieca.com> <4F95CDCE.4080109@gmail.com> <4F96897A.7020906@ieca.com>
In-Reply-To: <4F96897A.7020906@ieca.com>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: pkix@ietf.org
Subject: Re: [pkix] Possible new work item: additional methods for generating key identifiers
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 13:31:46 -0000
Hi Sean: Thanks for the feedback. Your feedback seems more procedural (since you refer to SHOULD language in RFC 5280. My comment was more technical (granted - it did not look at your write-up in the context of RFC5280). draft-turner-additional-methods-4kis-03, Section 1, first para suggests the following: These key identifiers are used by PKI-enabled security protocols, such as CMP (Certificate Management Protocol) [RFC4210] and CMS (Cryptographic Message Syntax) [RFC5652], to identify the certificate used to protect a message, a session, etc. If so, referring to the same public key in different policy context via the same identifier does not seem to serve the purpose. After all, if one has CertCA(IdA, Qa, Valid0) and CertCA(IdA,Qa,Valid1), how can one identify which of these two certificates to use if the key identifier only depends on the common part of both certs? To me, a key identifier identifies a key and associated keying information that is bound to it. I do agree it is hard to enforce uniqueness of identifiers (but that is true for any requirement in a specification, even if one would use SHALL language). Best regards, Rene On 24/04/2012 7:07 AM, Sean Turner wrote: > Rene, > > Thanks for reviewing. Comments inline. > > spt > > On 4/23/12 5:46 PM, Rene Struik wrote: >> Hi Sean: >> >> You defined the key identifier to be the hash of the public key, >> truncated to 160 bits. > > There's two parts of this draft: > > - Describing methods for generating a key identifier that are the same > as one of the example methods in 5280 except they ones in the draft > use the SHA2 algs. > > - Defining an extension to allow CAs to indicate the alg used to > compute they key identifier, the input to the hash alg, and the output > length. > >> Shouldn't one have different key identifiers if >> the policy fields assoicated with the public key are different (e.g., if >> the same public key Qa associated with some entity A gets rolled over >> and assigned a new validity period)? > > If I'm reading RFC 5280 correctly, then I think it might go against it: > > Where a key identifier has been previously established, > the CA SHOULD use the previously established identifier. > >> Similarly, shouldn't one include >> the unique id of the presumed key holder (e.g.,so as to preclude people >> cloning a public/private key pair to another device [I am sure >> implementers contemplating this exist] without notice)? > > I'm certainly not precluding anybody from using whatever they want as > an input to hash alg used to generate the key identifiers. I'm just > listing some additional methods. > > To play devil's advocate here, I can already see the questions on this > one: how do you know the identifier for the key holder is unique. > >> Best regards, Rene >> >> On 23/04/2012 4:29 PM, Sean Turner wrote: >>> <no hat> >>> >>> I've resurrected this draft after making some changes/additions to it >>> based on mailing list comments. The latest version can be found at: >>> >>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/ >>> >>> I'd like to ask the WG (again) to consider adopting this a WG item. >>> >>> spt >>> >>> </no hat> >>> >>> On 6/16/10 10:17 AM, Sean Turner wrote: >>>> Greetings. Steve and I have whipped up a short I-D that specifies >>>> additional methods for generating key identifiers from a public >>>> key. The >>>> draft can be found at: >>>> >>>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/ >>>> >>>> I'd like to ask the WG to consider adopting this as a WG item. >>>> >>>> Cheers, >>>> >>>> spt* >>>> >>>> * (with no hat on) >>>> _______________________________________________ >>>> pkix mailing list >>>> pkix@ietf.org >>>> https://www.ietf.org/mailman/listinfo/pkix >>>> >>> _______________________________________________ >>> pkix mailing list >>> pkix@ietf.org >>> https://www.ietf.org/mailman/listinfo/pkix >> >> -- email: rstruik.ext@gmail.com Skype: rstruik cell: +1 (647) 867-5658 USA Google voice: +1 (415) 690-7363
- [pkix] Possible new work item: additional methods… Sean Turner
- Re: [pkix] Possible new work item: additional met… Henry B. Hotz
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Henry B. Hotz
- Re: [pkix] Possible new work item: additional met… Kemp, David P.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Henry B. Hotz
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Jim Schaad
- Re: [pkix] Possible new work item: additional met… Tom Gindin
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Carl Wallace
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Carl Wallace
- Re: [pkix] Possible new work item: additional met… Michael StJohns
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Tom Gindin
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Carl Wallace
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Santosh Chokhani
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Miller, Timothy J.
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Kemp, David P.
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… Michael StJohns
- Re: [pkix] Possible new work item: additional met… koichi sugimoto
- Re: [pkix] Possible new work item: additional met… Peter Gutmann
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Tom Gindin
- Re: [pkix] Possible new work item: additional met… koichi sugimoto
- Re: [pkix] Possible new work item: additional met… Stephen Kent
- Re: [pkix] Possible new work item: additional met… Stefan Santesson
- Re: [pkix] Possible new work item: additional met… koichi sugimoto
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Rene Struik
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Rene Struik
- Re: [pkix] Possible new work item: additional met… Sean Turner
- Re: [pkix] Possible new work item: additional met… Rene Struik