Re: [Rats] Which Asymmetric algorithms for Charra?
"Eric Voit (evoit)" <evoit@cisco.com> Wed, 12 August 2020 19:20 UTC
Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE19A3A07F9 for <rats@ietfa.amsl.com>; Wed, 12 Aug 2020 12:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=fjMWCwkx; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=v9fsyROM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mN-VWElpdGOZ for <rats@ietfa.amsl.com>; Wed, 12 Aug 2020 12:20:35 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C24013A07F5 for <rats@ietf.org>; Wed, 12 Aug 2020 12:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=34622; q=dns/txt; s=iport; t=1597260034; x=1598469634; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=kWpoZcijlqGlkLtm+t8lQSBy0J6Fvk12traXOuDPhAE=; b=fjMWCwkxh7oi3D2K6IH+S/YIvNCibxJX+0UJShwqetcXlwo3bduBbRzb HjcYd+5OFnxG4ekyikp1bipBZsbJBL6opXvtrffn92k/T3gO8pf2DtEFD O9mCIDPnKSTRtic3sLIcfIFyftSK6MndPAy+yr7Qo3FOe8IZXgJPargjT M=;
X-Files: smime.p7s : 3975
IronPort-PHdr: 9a23:lK4gJh0wgjJ4kNFusmDT+zVfbzU7u7jyIg8e44YmjLQLaKm44pD+JxWGu6dtkVbWUISd4PVB2KLasKHlDGoH55vJ8HUPa4dFWBJNj8IK1xchD8iIBQyeTrbqYiU2Ed4EWApj+He2YkhIEdnzZhvZpXjhpTIXEw/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oKxDjpgTKvc5Qioxneas=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B9CACcPzRf/49dJa1WCR0BAQEBCQESAQUFAUCBSoEjL1EHbystLywKh3IDixCCRYddjiKCZ4JTA1UEBwEBAQkDAQElCAIEAQGETAKCNgIkOBMCAwEBCwEBBQEBAQIBBgRthVwMhXEBAQECAhIbEwEBNwEPAgEIEQQBASEBBgcCMBQJCAEBBA4FCAYUgwU4gUZNAx8PAQ6nOgKBOYhhdIE0gwEBAQWBMwEDAgJKA4MSGIIHBwMGgTiBU4Eeih8agUE/gRFDgk0+gXlBIgIBgTIuKwmDFIItmgaBGZsNCoJihDiCXIFPkVeCfp0XlBuIUZR3AgQCBAUCDgEBBYFqI4FXcBU7gmlQFwINjh8MF4NOhRSFQnQSAiMCBggBAQMJfI5cAYEQAQE
X-IronPort-AV: E=Sophos;i="5.76,305,1592870400"; d="p7s'?scan'208,217";a="792558057"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 12 Aug 2020 19:20:32 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 07CJKVY7030388 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 12 Aug 2020 19:20:31 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 12 Aug 2020 14:20:31 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 12 Aug 2020 14:20:30 -0500
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 12 Aug 2020 15:20:29 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ibVZwAOxddyxWc/RqZmUIyV5OgXuSAshXQs4KRpOdMyOLUE4yrp4+lKA8eYpC+JvN/VQYP6syArahmuXy6blGc0g2UkPs0L4063qcH+BdSni45FUL23BdMN4SHSDN7d20h+x/6FgOUoueBXmtC8yHdFL/P4Bv2/KeZUiaA8f+/O+PzpmdsevS/GBuhRWOqIeAIYJBQV98dYAcSAtrEYupdG+yORaTGG53RvvAbvsCQvcToX0Tc35SzAzfE52hJzU08iCgP98oXuBT6aLE9Z2Yv8koe5pNyWi+0pLeyplF2zUN5n56d1e2Hmz95IRNWwrd2tK1zs3vSKQHiw01PpGSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PQn++2j17nAWzxBCKrsumvu1ZwlmLtdYpdnOE5zq4G4=; b=dkLGCdvvBO+3WPFpNVaAmPEYXMjCM6nKj1BeBUcg9h3dyEiCo2hMPBcBSXHo+8+7KD8bPOCwE0lEk0X/1sMs0R/b0cDRFSxkMn4cGNXzUwe5T0ZYL+xHa1Q4sMbpHvDc7h/eaeDv/UCCaTqtdC6P5TozTyDk7j0pLdJcI+073X5wCSq5nCy60FrzciEd4DvgB9Y/6SUJBThtbss3Y8EAWO2XtKHidTXQcWcgjyhsdzEYM/kLaHkLA+32cn/6CtjjKAS09px8PcCI19KLtKbNjOMcjb7au853gO8BKql0BngAdqwKZmSzJIeC7ehmX2Y2HL3sGZqE8oTPcuSS8pQTsQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PQn++2j17nAWzxBCKrsumvu1ZwlmLtdYpdnOE5zq4G4=; b=v9fsyROM2l5SNuoR8aqWcegb+9DfVuqWn8azc04f+Nack9w2MieRdHMqw3u1/nUnfdSJXsR8tW4Gj3PMDW9CcdJsiEKdcNDZ5bUqnUlp5BCljrsbsE2A0uRMIeDG8fYdtedDAXXk7TndcgmTwSxKEqFRj7vA9YCmvM0XA57kHVk=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by MN2PR11MB4174.namprd11.prod.outlook.com (2603:10b6:208:154::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.15; Wed, 12 Aug 2020 19:20:28 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::fcd5:b07d:e935:8956]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::fcd5:b07d:e935:8956%7]) with mapi id 15.20.3283.016; Wed, 12 Aug 2020 19:20:28 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Panwei (William)" <william.panwei@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: Which Asymmetric algorithms for Charra?
Thread-Index: AdZwFfR0sMtRnzzORw2twimiOLxijgAX+PawABmh0rA=
Date: Wed, 12 Aug 2020 19:20:28 +0000
Message-ID: <BL0PR11MB3122D96A348E755D5384D032A1420@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <BL0PR11MB3122651915512C2D122B35A7A1450@BL0PR11MB3122.namprd11.prod.outlook.com> <d323dbd7a24c46f0bb5074f7aad4903d@huawei.com>
In-Reply-To: <d323dbd7a24c46f0bb5074f7aad4903d@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.78]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 406ccc19-6a10-40e4-a021-08d83ef4c5f1
x-ms-traffictypediagnostic: MN2PR11MB4174:
x-microsoft-antispam-prvs: <MN2PR11MB4174C5DA92C2A50B04FCF49FA1420@MN2PR11MB4174.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WsVZ2w+yInp7anTgDOxrJu8EvcbUx3A54tJIjpEHawzoSZgIP/cfIWd0gIfIRHWPwxUsuyL6Xs4ZUa6fQg9kqJh2M8oXrtOAimB4IYv3A+EPjBUGxFCbHxD+rwXxGdL8EQ3q8cegHwMOlxRAsuKj99gMlI2g/ik4Ut2zVa7pqec0tTqDmd53o1oE3dy+r7a+uxAtssnA2+z4K27VUVewVgADyL1hUwfPRsr+D86wlogKY/BH2RglOrN/O7rA1/2iC85r8sU+XfZU1Qcj2nlHk82nwsNah+ydii6u7+3+6Nk/X9zMn4atZE2HI9pGPKZtoj5/3q56qs127cSpviABVrsSEKBx15+biDWAt2d2nr+btH+AGngEEQAjwqnF0ocb4W2BHS4UmSC6iZhz1FF3NPf7ibq/crc1T9vQmkTo1i1/OfcumoCpFqN12atuvT73w+MqSw/K6/xGsQreGhSY6g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(366004)(346002)(136003)(396003)(376002)(478600001)(33656002)(966005)(4326008)(86362001)(6506007)(316002)(26005)(2906002)(53546011)(8676002)(7696005)(6916009)(55016002)(9686003)(186003)(83380400001)(5660300002)(66446008)(66476007)(66616009)(76116006)(71200400001)(99936003)(64756008)(66556008)(166002)(8936002)(52536014)(66946007)(15398625002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: JFIEpugX/iDRp4cR3F1D2ZClCa7TiQwU7L1U+uSEnwGj2ABjbzSHiMsmkjaLVwk7ff8GwGs7yDkZ7QzdlIArc/fFyPkXVvgEgp0R8QUvF8qYIx7Mrpt/Joj4oryE34n2dpofdQnvcy9jIZ3lHdd8Nrs25HxgVn9G4DNbgyPjBr5j1eh9CZjBUOLvtfxyOUhOPv3LCZE/G9BgWA8p9C3QnB8HK2qWy2TPkJfFit/6bcI1EnGf3QLyvPzP3XghF9KwZzcbVDJwjJE1ip4QBGBuyEdxB0YQaCX65J2Oizk9nQzJnX9BzGOWGS4S2+IlWnWVHwwwE0SYWLpV6Zuu16FbmFmLKblgPSG0pnQmKfIuzfYqxpmCOtby0AdjpFaqktXIiSltVYoDajp5T1mHBFhewHvCjJYCKHLEsmD3hr0mySziigqhoL5MJtMIbP4xTc5U5aA8VvXgVAS5x85QabSk6L3V8oCtTzBelGUkrhwhbqE51mF8Ls7kqAR9oh1yjjuY06cavd9128/6HuakNHKXW0czluqShYk0OwEstxftAtOcPGOAMiPlji4gb56KN5+/y0S0q+RCR49dS6vP3uTccPN+BS1KQviY5nTatc6mDFPoDb3aT3rZh1XjCXOUqM4U8OpcMV7O/dSUBFVwABDvEA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0169_01D670BC.18F28D80"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3122.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 406ccc19-6a10-40e4-a021-08d83ef4c5f1
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Aug 2020 19:20:28.6115 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TMsPWxV1bG9F+1YEU3VTCB+iA2E6aC8yBOzcTtWFcYty4/ONVOeQt0bAwuQWoSaf
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4174
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/dWbPjnOSD5iRZ_2qcozePwVBPTE>
Subject: Re: [Rats] Which Asymmetric algorithms for Charra?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 19:20:37 -0000
Hi Wei Pan, I don't think we need to define a key length for RSA. * None of our RPCs are involved with generating a new key. And we can always discover the length of the key by referencing the information from the keystore using known information (e.g., the certificate-name). * Looking at the various SHA algorithms, they are actually different algorithms (since they produce different digest sizes). * If we just match to what is in the TCG spec, we don't have to define/defend a different scoping than they have already made. Thanks, Eric From: RATS <rats-bounces@ietf.org> On Behalf Of Panwei (William) Sent: Wednesday, August 12, 2020 3:59 AM To: Eric Voit (evoit) <evoit@cisco.com> Cc: rats@ietf.org Subject: Re: [Rats] Which Asymmetric algorithms for Charra? Hi Eric, Generally, I'm fine with your proposal. I have only one question below. The TCG_Algorithm_Registry_r1p32_pub defines a variety of SHA algorithms named with key length as a suffix, it also defines the ID values for the different curves used for elliptic curve cryptography. But it seems like that the TCG_Algorithm_Registry_r1p32_pub doesn't specify the key length of the RSA algorithm. So do we need to define fine-granular RSA algorithms in the YANG module? Regards & Thanks! Wei Pan From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Eric Voit (evoit) Sent: Wednesday, August 12, 2020 6:52 AM To: rats@ietf.org <mailto:rats@ietf.org> Subject: [Rats] Which Asymmetric algorithms for Charra? During the charra presentation at IETF 108, we said we were going to ask the following question to the list: "Should the algorithm set defined in YANG be reduced to just those asymmetric algorithms currently exposed in the current TPM 1.2 and 2 specifications?" This is reflected seen in https://www.ietf.org/proceedings/108/slides/slides-108-rats-sessb-charra-upd ate-00, Slide 7. The proposal I would like to make is as follows: * The TCG tracked algorithms supportable by a TPM should be the only ones included in a charra maintained list of YANG identities. * This identity set needs to be extendable to new algorithms for any YANG models which augment charra. * TCG Algorithm Registry Revision 01.32, Table 3 at https://trustedcomputinggroup.org/wp-content/uploads/TCG-_Algorithm_Registry _r1p32_pub.pdf contains the algorithms we should encode. * There are other types of information within this table, and we might as well encode the full table within a YANG model. That way we can explicitly make the scope of a "ietf-tcg-algs.yang" model the contents this TCG table encoded in YANG. * The YANG model will indicate what TCG algorithms are deprecated by the IETF. However identities for these deprecated algorithms from the TCG table will be assigned. (e.g., SHA-1) Are there any objections/questions/comments on this proposal? I have a strawman YANG file posted at: https://github.com/ietf-rats-wg/basic-yang-module/compare/master...ericvoit: patch-4 <https://github.com/ietf-rats-wg/basic-yang-module/compare/master....ericvoi t:patch-4> Henk also is thinking of encoding this same Table information within CDDL. That could be inserted as an additional informational element of the document for where people prefer CDDL. Eric Eric Voit Principal Engineer .:|:.:|:. Cisco Systems, Inc.
- [Rats] Which Asymmetric algorithms for Charra? Eric Voit (evoit)
- Re: [Rats] Which Asymmetric algorithms for Charra? Michael Richardson
- Re: [Rats] Which Asymmetric algorithms for Charra? Eric Voit (evoit)
- Re: [Rats] Which Asymmetric algorithms for Charra? Panwei (William)
- Re: [Rats] Which Asymmetric algorithms for Charra? Eric Voit (evoit)
- Re: [Rats] Which Asymmetric algorithms for Charra? Panwei (William)