Re: [saag] [lamps] META Re: PKIX and related RFCs - definition of Key Packages

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 17 June 2021 22:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5DcF-bNcKXhP4aSBXMB0lyE3Jew>

Thank you, and I concur.

--

Regards,

Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

    -  C. A. R. Hoare

From: Spasm <spasm-bounces@ietf.org> on behalf of Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thursday, June 17, 2021 at 17:20
Cc: "spasm@ietf.org" <spasm@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: [lamps] META Re: [saag] PKIX and related RFCs - definition of Key Packages

I agree with much of Uri's frustration here. My concern is the meta level. If LAMPS is going to ever close, we have to make sure we are not going to need something similar in future. Which means that we need to define what is required to specify a cryptographic algorithm so it is available for use with IETF protocols.

Note that adding an algorithm to a registry does not mean it is approved for use by a particular protocol.

CMS serves a much wider audience than S/MIME. PKIX, a wider audience than either the WebPKI or PKI in general. Same for JOSE, XML Signature and Encryption, etc. etc.

So I conclude that one of the exit criteria for LAMPS should be a document describing the list of things that need to be specified so that an algorithm can be used in various specific IETF protocols and conversely, what applications using the IETF maintained IANA registries can expect.

I do not want to get into discussions of why the decisions of some working group ten years ago on algorithm requirements should bind some other group doing something different today. HTTP is not based on MIME but it uses the same IANA registry. That is the correct approach in my view.

Going forward, I see no reason why it should be necessary to specify separate identifiers for the use of a particular algorithm in every different application protocol. The ASN.1 world is going to need OIDs for quite some time and the JOSE world is going to be needing text based labels. The XML world consumes URIs but there is no reason we couldn't specify a URN prefix to the JOSE labels and use that to avoid further maintenance issues.

TLS and IPSEC both operate at a layer that is sufficiently deep that we should just let them do their own thing. And PEM probably isn't much of a concern going forward.