Re: [secdir] secdir review of draft-ietf-csi-send-name-type-registry-03

Roque Gagliano <roque.lacnic@gmail.com> Sun, 16 May 2010 17:37 UTC

Return-Path: <roque.lacnic@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E4023A68E1; Sun, 16 May 2010 10:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.721
X-Spam-Level:
X-Spam-Status: No, score=-0.721 tagged_above=-999 required=5 tests=[AWL=-0.722, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pFRUdLvzzBgd; Sun, 16 May 2010 10:37:12 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 16B2A3A67A6; Sun, 16 May 2010 10:37:11 -0700 (PDT)
Received: by wwb28 with SMTP id 28so1900220wwb.31 for <multiple recipients>; Sun, 16 May 2010 10:37:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=9URZcsQUCj1bJm2MUeaR9VYD0HR9/Y9CRLdOKRAbgSE=; b=cF2XftDdW/psB9PGHhZRN40LrDmQyYWXPKa+ZLk9pPEaRiptXFc9UJUDfZ1m3orIIu F//Yz07LMnhEH0t6ijBPVMIF8hY/fRulcv99rYRkk+K6Lvu7inVgTHGy5v6Kgjbkp2xf fQipPenP8bloEtANl+QtBFZTyfi6BRMiXQCdc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=e1P7mj6dB2pmXUtZ0zZKo1491ZZE7H4aeay+OIPKiIJXjtMN19r/XadLaWI5K0lLEq k9MmeDBlXRWsRENdfnJ6hYjpxYGyc/ql3YUp6s3Sya8vj8pYbUkcPT9/zxPaL2istQkm UPBtAxq0cL1NqhM/tvDfYICSVDOUpjLnYZ2o4=
MIME-Version: 1.0
Received: by 10.216.89.207 with SMTP id c57mr2481518wef.60.1274031420225; Sun, 16 May 2010 10:37:00 -0700 (PDT)
Received: by 10.216.185.143 with HTTP; Sun, 16 May 2010 10:37:00 -0700 (PDT)
In-Reply-To: <p06240804c8109ae33406@192.168.1.5>
References: <020001caeebe$ffdcd560$ff968020$@com> <AANLkTikBkBWm8hY9Jyj7PxciFc8FRrnbII_OajwD7Gt2@mail.gmail.com> <p06240804c8109ae33406@192.168.1.5>
Date: Sun, 16 May 2010 19:37:00 +0200
Message-ID: <AANLkTin41WmwxOsbvHD4IwzQ4za9D8dmZLGwHJhWO5bE@mail.gmail.com>
From: Roque Gagliano <roque.lacnic@gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Mon, 17 May 2010 10:40:52 -0700
Cc: secdir@ietf.org, iesg@ietf.org, draft-ietf-csi-send-name-type-registry.all@tools.ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-csi-send-name-type-registry-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 May 2010 17:37:13 -0000

Stephen/ Patrick/Sean,

Thank you for your comments. What about adding the following extra
numbers to the registry?:

  +---------+----------------------------------------------------+
     | Value   | Description                                        |
     +---------+----------------------------------------------------+
     | 0       | Reserved                                           |
     |         |                                                    |
     | 1       | DER Encoded X.501 Name (RFC 3971)                  |
     |         |                                                    |
     | 2       | FQDN (RFC 3971)                                    |
     |         |                                                    |
     | 3       | SHA-1 Subject Key Identifier (SKI) ( Section 3 )   |
     |         |                                                    |
     | 4       | SHA-224 Subject Key Identifier (SKI) ( Section 3 ) |
     |         |                                                    |
     | 5       | SHA-256 Subject Key Identifier (SKI) ( Section 3 ) |
     |         |                                                    |
     | 6       | SHA-384 Subject Key Identifier (SKI) ( Section 3 ) |
     |         |                                                    |
     | 7       | SHA-512 Subject Key Identifier (SKI) ( Section 3 ) |
     |         |                                                    |
     | 253-254 | Experimental use                                   |
     |         |                                                    |
     | 255     | Reserved                                           |
     +---------+----------------------------------------------------+

This way we stay ready if SIDR certs uses some of these hashes
functions in the future.

regards,

Roque


On Wed, May 12, 2010 at 8:00 PM, Stephen Kent <kent@bbn.com> wrote:
> At 6:38 PM +0200 5/8/10, Roque Gagliano wrote:
>
> Patrick,
>
> Thank you for your review.
>
> You are correct oonly 160 bits SHA-1 hash is defined in RFC 5280 and
> required in draft-ietf-sidr-res-cert
>
> Regards,
>
> Roque
>
> Roque,
> 5280 defines how to use SHA-1, but it does not require use of this specific
> hash function. 4.2.1.2 says:
>    For CA certificates, subject key identifiers SHOULD be derived from the
> public key or a method that generates unique values.  Two common methods for
> generating key identifiers from the public key are:
> ...
> Other methods of generating unique numbers are also acceptable.
> So, use of another one-way hash function, e.g., SHA-256 meets the criteria
> defined above (associated with the "SHOULD") and is consistent with the
> final comment.
> CAs need to know which function to use, but RPs just perform comparisons. We
> could modify the RPKI cert profile (if Geoff and the SIDR WG don't mind) to
> specify use of SHA-256 for generation of SKI/AKI values. I guess the real
> issue is whether commonly used software (e.g., OpenSSL) will support this.
> Steve