IETF Logo Mail Archive

Re: [pkix] Possible new work item: additional methods for generating key identifiers

Sean Turner <turners@ieca.com> Tue, 24 April 2012 16:22 UTC

Return-Path: <turners@ieca.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F156421E804A for <pkix@ietfa.amsl.com>; Tue, 24 Apr 2012 09:22:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.897
X-Spam-Level:
X-Spam-Status: No, score=-101.897 tagged_above=-999 required=5 tests=[AWL=-0.232, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_63=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2fMCB955YDmG for <pkix@ietfa.amsl.com>; Tue, 24 Apr 2012 09:22:57 -0700 (PDT)
Received: from gateway07.websitewelcome.com (gateway07.websitewelcome.com [67.18.81.23]) by ietfa.amsl.com (Postfix) with ESMTP id 0A50921E8048 for <pkix@ietf.org>; Tue, 24 Apr 2012 09:22:57 -0700 (PDT)
Received: by gateway07.websitewelcome.com (Postfix, from userid 5007) id 6CDB84652B38E; Tue, 24 Apr 2012 11:22:56 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway07.websitewelcome.com (Postfix) with ESMTP id 57FAE4652B334 for <pkix@ietf.org>; Tue, 24 Apr 2012 11:22:56 -0500 (CDT)
Received: from [96.231.123.106] (port=43677 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <turners@ieca.com>) id 1SMiVy-00065Z-U7; Tue, 24 Apr 2012 11:22:56 -0500
Message-ID: <4F96D35D.2060305@ieca.com>
Date: Tue, 24 Apr 2012 12:22:53 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>
References: <4C18DCF2.2030703@ieca.com> <4F95BB92.6080206@ieca.com> <4F95CDCE.4080109@gmail.com> <4F96897A.7020906@ieca.com> <4F96AB39.4060600@gmail.com>
In-Reply-To: <4F96AB39.4060600@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-96-231-123-106.washdc.east.verizon.net (thunderfish.local) [96.231.123.106]:43677
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 4
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: pkix@ietf.org
Subject: Re: [pkix] Possible new work item: additional methods for generating key identifiers
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 16:22:58 -0000

On 4/24/12 9:31 AM, Rene Struik wrote:
> Hi Sean:
>
> Thanks for the feedback. Your feedback seems more procedural (since you
> refer to SHOULD language in RFC 5280. My comment was more technical
> (granted - it did  not look at your write-up in the context of RFC5280).
>
> draft-turner-additional-methods-4kis-03, Section 1, first para suggests
> the following:
>
>      These key identifiers are used by PKI-enabled security protocols,
> such as CMP (Certificate Management Protocol) [RFC4210] and CMS
> (Cryptographic Message Syntax) [RFC5652],
>      to identify the certificate used to protect a message, a session, etc.
>
> If so, referring to the same public key in different policy context via
> the same identifier does not seem to serve the purpose. After all, if
> one has CertCA(IdA, Qa, Valid0) and CertCA(IdA,Qa,Valid1), how can one
> identify which of these two certificates to use if the key identifier
> only depends on the common part of both certs?

Ah so if the entity that holds both of CertCA's certs is doing the 
signing/encrypting - it usually includes the certificate in the 
protocol.  So, it's really just helping the recipient figure out which 
one of the certs in the certs bag to start with.

In the general case, if an EE only has one key and the CA has two valid 
certificates, then the RP is going to use which ever path works and it 
might have to check both.

> To me, a key identifier identifies a key and associated keying
> information that is bound to it.

Isn't that a certificate? ;)  But, I'm not trying to redefine what a key 
identifier is.  I'm just going with what RFC 5280 says in s4.2.1.1 and 
s4.2.1.2.

spt

> I do agree it is hard to enforce uniqueness of identifiers (but that is
> true for any requirement in a specification, even if one would use SHALL
> language).
>
> Best regards, Rene
>
>
> On 24/04/2012 7:07 AM, Sean Turner wrote:
>> Rene,
>>
>> Thanks for reviewing.  Comments inline.
>>
>> spt
>>
>> On 4/23/12 5:46 PM, Rene Struik wrote:
>>> Hi Sean:
>>>
>>> You defined the key identifier to be the hash of the public key,
>>> truncated to 160 bits.
>>
>> There's two parts of this draft:
>>
>> - Describing methods for generating a key identifier that are the same
>> as one of the example methods in 5280 except they ones in the draft
>> use the SHA2 algs.
>>
>> - Defining an extension to allow CAs to indicate the alg used to
>> compute they key identifier, the input to the hash alg, and the output
>> length.
>>
>>> Shouldn't one have different key identifiers if
>>> the policy fields assoicated with the public key are different (e.g., if
>>> the same public key Qa associated with some entity A gets rolled over
>>> and assigned a new validity period)?
>>
>> If I'm reading RFC 5280 correctly, then I think it might go against it:
>>
>>   Where a key identifier has been previously established,
>>   the CA SHOULD use the previously established identifier.
>>
>>> Similarly, shouldn't one include
>>> the unique id of the presumed key holder (e.g.,so as to preclude people
>>> cloning a public/private key pair to another device [I am sure
>>> implementers contemplating this exist] without notice)?
>>
>> I'm certainly not precluding anybody from using whatever they want as
>> an input to hash alg used to generate the key identifiers.  I'm just
>> listing some additional methods.
>>
>> To play devil's advocate here, I can already see the questions on this
>> one: how do you know the identifier for the key holder is unique.
>>
>>> Best regards, Rene
>>>
>>> On 23/04/2012 4:29 PM, Sean Turner wrote:
>>>> <no hat>
>>>>
>>>> I've resurrected this draft after making some changes/additions to it
>>>> based on mailing list comments. The latest version can be found at:
>>>>
>>>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/
>>>>
>>>> I'd like to ask the WG (again) to consider adopting this a WG item.
>>>>
>>>> spt
>>>>
>>>> </no hat>
>>>>
>>>> On 6/16/10 10:17 AM, Sean Turner wrote:
>>>>> Greetings. Steve and I have whipped up a short I-D that specifies
>>>>> additional methods for generating key identifiers from a public
>>>>> key. The
>>>>> draft can be found at:
>>>>>
>>>>> http://datatracker.ietf.org/doc/draft-turner-additional-methods-4kis/
>>>>>
>>>>> I'd like to ask the WG to consider adopting this as a WG item.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> spt*
>>>>>
>>>>> * (with no hat on)
>>>>> _______________________________________________
>>>>> pkix mailing list
>>>>> pkix@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/pkix
>>>>>
>>>> _______________________________________________
>>>> pkix mailing list
>>>> pkix@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/pkix
>>>
>>>
>
>

v2.23.0 | Report a Bug | By Email