Re: [saag] PKIX and related RFCs - definition of Key Packages
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 17 June 2021 06:20 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 62D223A0CCE
for <saag@ietfa.amsl.com>; Wed, 16 Jun 2021 23:20:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001,
SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id j9xwoMvYkWJv for <saag@ietfa.amsl.com>;
Wed, 16 Jun 2021 23:20:01 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com
(au-smtp-delivery-117.mimecast.com [103.96.23.117])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id B97A73A0CCB
for <saag@ietf.org>; Wed, 16 Jun 2021 23:20:00 -0700 (PDT)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com
(mail-sy4aus01lp2170.outbound.protection.outlook.com [104.47.71.170])
(Using TLS) by relay.mimecast.com with ESMTP id
au-mta-70--0tQjnidOd6vSOpnGf2P_A-1; Thu, 17 Jun 2021 16:19:53 +1000
X-MC-Unique: -0tQjnidOd6vSOpnGf2P_A-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10)
by SYBPR01MB6208.ausprd01.prod.outlook.com (2603:10c6:10:101::9) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.19; Thu, 17 Jun
2021 06:19:52 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com
([fe80::51a7:5858:c7ef:880f]) by SY4PR01MB6251.ausprd01.prod.outlook.com
([fe80::51a7:5858:c7ef:880f%6]) with mapi id 15.20.4242.019; Thu, 17 Jun 2021
06:19:52 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "saag@ietf.org"
<saag@ietf.org>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: PKIX and related RFCs - definition of Key Packages
Thread-Index: AQHXYvGmnmRPUPebfEy9d3ZvsQ8nLqsXun25
Date: Thu, 17 Jun 2021 06:19:51 +0000
Message-ID: <SY4PR01MB62511B1911DD23ADF0169307EE0E9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <B8006164-51AD-4B3B-9CE7-83B0574294F8@ll.mit.edu>
In-Reply-To: <B8006164-51AD-4B3B-9CE7-83B0574294F8@ll.mit.edu>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [14.1.79.251]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c03853f6-2fbc-4e6f-5b5d-08d93157eac3
x-ms-traffictypediagnostic: SYBPR01MB6208:
x-microsoft-antispam-prvs: <SYBPR01MB62083C7BE0D93B6A276834A1EE0E9@SYBPR01MB6208.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:1201
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: /jd2qpErQKDUHICQ9AVqipFVkeifOISFu49FhYoa131WWwaZ8P/WxRmUguGaFpojH3+B/SV+XDUUm8PUORWx81oCTJcYrFeJ7WdH7fUsyBx10RraGvLQySokUNtOLesPcO7SAlsMs8pwHvUWwK7cvecINbdlpv9xfFb3PJozl4vH5KStt01RACZyAaeDwAqsum2mX/l9EYyLoALvi2bNZ7kvjwnzL9qlw1r8zE0nDCQEhneK4PyqU2lL++d6jlew4pcEZI220aMKz3HvKRLJxHTRB5W1Ba1QSZ9s4ALLLGzT538NpyD0SvADzQQXdTNkXYnFI7FkJULpQ3MQGRwN4sM2l5UdHitVwXit4PIuk0vnqgxlVm9D+j/JfzxUOTFNwezEjWQKTym2JpjMWp8q3fsaJt/bbHJ38nVvslmoq9SFC27Eeu7it8DEzVK4n/z9NGxmIGFmjwXfaRRNtNyf3GlX8LfIpJVurJPbpXrXr37ZtnJx7QQE7zuY8a64WPag22U1W+c7ha9hBMzcabeSpXfo71HLSkMDH7wOmkcUirAxqzULmd6ccWmKHjygwy9Qackrcg6PLen7IxQPDpbB9ACqa0jOZyFuY1qgezyeVAc=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM;
H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE;
SFS:(4636009)(396003)(376002)(136003)(366004)(39860400002)(346002)(38100700002)(122000001)(55016002)(2906002)(5660300002)(478600001)(8676002)(33656002)(8936002)(4326008)(52536014)(66556008)(186003)(66446008)(6506007)(86362001)(9686003)(7696005)(71200400001)(66946007)(76116006)(316002)(26005)(64756008)(66476007)(110136005)(786003);
DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?Windows-1252?Q?owRRSFdXkztd6XblTzIpZcTAG62SLyHUjwCSBrIwqgdTipn3wDiSssZp?=
=?Windows-1252?Q?Rbw+oambqJAAXBADO/1B1bINlxznjbEfZ5SGjTFBf7AG6XsGPi5VeSNn?=
=?Windows-1252?Q?1IDvyghbrwCxSwTPJw6KLGUCgGwC+KYOEkL2zar6yfn2FPsAHnuGh0Df?=
=?Windows-1252?Q?hUHqk++X1Ibxt9VX8IRNlxmv5dBN8hslnFfxTEEh5a7HGFa6+ORkFsRt?=
=?Windows-1252?Q?vmgg2ddIPENCFGIu6e5RqF6oKGxyHFeySruZiCn/qgkc86bsqB6dGpo/?=
=?Windows-1252?Q?H6vP+tEhaGBmh59llrUf/UvGj7245o4hq6gSQmWUOto1NRZ7vOjCskus?=
=?Windows-1252?Q?0Lhd1c6aUrwwMuK8zrv+EULWL+59KKT7lEWDtcojMIZdIm4jn+GJw6ui?=
=?Windows-1252?Q?OaVfCSw8kkXzdWlCJk/TruPk3BRZC3qXtZoXseV/KuVQ3xQ0f2eWQXK0?=
=?Windows-1252?Q?tcDAS5QtljLXRQWKMnC9x5sW+Oh0R8j2ANSu7+FBxYWI8W8bGAABsDEN?=
=?Windows-1252?Q?YAE6qkNoZloh7e+JLAUSBHoxra42Apg/TKsArgAQk/NgudEpX26kyzti?=
=?Windows-1252?Q?X0tDjqLn7Wwj3XHE+i6csaoifE5Je6bmvZK79TuwLcJ7nGM1OGMiAMyz?=
=?Windows-1252?Q?G2wGyqxosk/XN54O594txFytUETJblg54MsI3gVDTu0ZW8HVi+r+EsSW?=
=?Windows-1252?Q?F0ioQkT0kRaYAuk+VvIG5au9SNLyKxfOWhKJOaDat4rBGPuE8NxGYpUY?=
=?Windows-1252?Q?jvohC7P0Ug+Kkkz9UrdYUurqUzoEdgvNjRbJQJWzCjHmE5AhzNun/eyV?=
=?Windows-1252?Q?/MpLhAv62miUjvFAnbJg1JrOPzWIr4SjAhykXlUDNuTdft3TQRrlDmUJ?=
=?Windows-1252?Q?abV0btCIR3nxK0OqICs+7RCxiaSTNv0TvYUdAAPhWUu/vjiYr4A/rnuh?=
=?Windows-1252?Q?0DdVcS2/C5NWAOCcuPzUs5HdJDaeZawTmtAMnqsgQqKgDFefo9yzg7vq?=
=?Windows-1252?Q?OuDzKX/2PXT7d/jgI0Mr9h4E1CnBL5u++HwjbBOv+u0KtVSf+vbgODyh?=
=?Windows-1252?Q?lfiMQnRukK8KGu06iQd/h6UqosTuapH3qYIp9bfwcXafe6YCGIt+GJT4?=
=?Windows-1252?Q?OqI5uapqmkzXXLzzo5XvzexObtnLYDimiJ2QoE5ytu7BQnfuKLYdwsvr?=
=?Windows-1252?Q?i0V5wIOVj2/lx3q2RcIuTKmUxk/97unIB/EKm1wvDfhAL+16dklo8pjC?=
=?Windows-1252?Q?U9hBszyBVNeoEQV6rSCHbkbpti7VNYhseGW+khip6Jf9naYu1Kk4EBMw?=
=?Windows-1252?Q?AdstK9891CzmXRiH77GDNjUciWGK+Qn8grBEibC1/yHYNbSpILC0LuZ/?=
=?Windows-1252?Q?YO/j4FXtCfEjNQcH9qf6gM9OuOR9Pz4Vo6E=3D?=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c03853f6-2fbc-4e6f-5b5d-08d93157eac3
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2021 06:19:51.6957 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 5yWDTJVv9DMXvYZIvxqD19w+yEwGdx7OEWHITD4eTNJltNq3LwQDoIUTiU/8FmM0o+oEscKmILu08S7V0EghiEI968je3QR4J26bHuKcSiA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYBPR01MB6208
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/yAWWsZSd4WK4FLjhK8VZcH0lYn0>
Subject: Re: [saag] PKIX and related RFCs - definition of Key Packages
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>,
<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
<mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jun 2021 06:20:04 -0000
Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> writes: >Yet the definitions invest in the details of the private keys, leaving the >public key as “BIT STRING OPTIONAL”. Why is it so? Cargo cult protocol design. Back in the late 1980s someone decided that holes containing keys had to be BIT STRINGs. So today, thirty-plus years later, holes containing keys are still (mostly) BIT STRINGs even though what's present in the hole is always an OCTET STRING. >A lot of the ASN.1 definitions seem to describe how to package private keys. >Considering that interoperability in the majority of cases is about >applications communicating “over the wire” using S/MIME, CMS, TLS or IKE key >exchange, etc. – the predominant need appears to be exchanging public (not >private) keys? More cargo cult protocol design. PKCS #8 specified the format for RSA private keys but nothing else, for the simple reason that there was nothing else at the time. Then when people needed to store something other than RSA keys they invented their own formats extending PKCS #8, principally led by OpenSSL (who had the most need for it) but occasionally other vendors as well, whoever got the most mindshare first. The issue was resolved by PKCS #15 which specified a general format for public and private keys, but everyone ignored that and invented their own new format for each new public-key algorithm. As a result, when you write an RFC specifying the format for public keys for algorithm X for, for example, S/MIME, you also need to specify the private-key format even though it has nothing to do with S/MIME. Rot bilong kago. (And as a general note, a lot of the WTF?!!? stuff in PKIX is explainable through cargo cult protocol design, it's not just these two). Peter.
- [saag] PKIX and related RFCs - definition of Key … Blumenthal, Uri - 0553 - MITLL
- Re: [saag] PKIX and related RFCs - definition of … Peter Gutmann
- Re: [saag] PKIX and related RFCs - definition of … Blumenthal, Uri - 0553 - MITLL
- Re: [saag] PKIX and related RFCs - definition of … Peter Gutmann
- Re: [saag] PKIX and related RFCs - definition of … Russ Housley
- [saag] META Re: PKIX and related RFCs - definitio… Phillip Hallam-Baker
- Re: [saag] [lamps] META Re: PKIX and related RFCs… Blumenthal, Uri - 0553 - MITLL