Re: [secdir] secdir review of draft-ietf-csi-send-name-type-registry-03
Sean Turner <turners@ieca.com> Mon, 17 May 2010 14:52 UTC
Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 91B023A67EA for <secdir@core3.amsl.com>; Mon, 17 May 2010 07:52:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.314
X-Spam-Level:
X-Spam-Status: No, score=-0.314 tagged_above=-999 required=5 tests=[AWL=-0.650, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDHwD8K+8+iy for <secdir@core3.amsl.com>; Mon, 17 May 2010 07:52:57 -0700 (PDT)
Received: from smtp111.biz.mail.sp1.yahoo.com (smtp111.biz.mail.sp1.yahoo.com [69.147.92.224]) by core3.amsl.com (Postfix) with SMTP id C762F3A6CB0 for <secdir@ietf.org>; Mon, 17 May 2010 07:52:06 -0700 (PDT)
Received: (qmail 63138 invoked from network); 17 May 2010 14:51:59 -0000
Received: from thunderfish.local (turners@71.191.0.118 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 17 May 2010 07:51:58 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: NBD.XzAVM1mhaQXM.QEYjZN_IDae69qfq58hkIjKpx0Tzs_YiAJRAUR23zbyUFccY01fkAmXIS77Qd.I9GYuHopt2jEpCpuqnH2_M8UPjHwlit_lVaQmfpfHfxVpKUi62Io2hS2oMh2z4TqGWh4wsIHbmzjKpIATQqCwL3Z1Qym0DYwV3oCU6ekgUjFJMLsOwS2PSrk7RxQ4esSiQFbqR6abHMgpqeByeCSjAC9bf4ybxGaAGSxyELUyYcAdH4nQidlKbPEeh9ZtSyyBpEqvHUyiHXL.cnBh_EbfwUolZ5pK1nQ55B_0q7QUPkhPQbsk.ed8dkfNQsnRHbJq_1II7g--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4BF1580C.70407@ieca.com>
Date: Mon, 17 May 2010 10:51:56 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Roque Gagliano <roque.lacnic@gmail.com>
References: <020001caeebe$ffdcd560$ff968020$@com> <AANLkTikBkBWm8hY9Jyj7PxciFc8FRrnbII_OajwD7Gt2@mail.gmail.com> <p06240804c8109ae33406@192.168.1.5> <AANLkTin41WmwxOsbvHD4IwzQ4za9D8dmZLGwHJhWO5bE@mail.gmail.com>
In-Reply-To: <AANLkTin41WmwxOsbvHD4IwzQ4za9D8dmZLGwHJhWO5bE@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: iesg@ietf.org, draft-ietf-csi-send-name-type-registry.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-csi-send-name-type-registry-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 14:52:57 -0000
That is what, I believe, Pat was asking for. spt Roque Gagliano wrote: > Stephen/ Patrick/Sean, > > Thank you for your comments. What about adding the following extra > numbers to the registry?: > > +---------+----------------------------------------------------+ > | Value | Description | > +---------+----------------------------------------------------+ > | 0 | Reserved | > | | | > | 1 | DER Encoded X.501 Name (RFC 3971) | > | | | > | 2 | FQDN (RFC 3971) | > | | | > | 3 | SHA-1 Subject Key Identifier (SKI) ( Section 3 ) | > | | | > | 4 | SHA-224 Subject Key Identifier (SKI) ( Section 3 ) | > | | | > | 5 | SHA-256 Subject Key Identifier (SKI) ( Section 3 ) | > | | | > | 6 | SHA-384 Subject Key Identifier (SKI) ( Section 3 ) | > | | | > | 7 | SHA-512 Subject Key Identifier (SKI) ( Section 3 ) | > | | | > | 253-254 | Experimental use | > | | | > | 255 | Reserved | > +---------+----------------------------------------------------+ > > This way we stay ready if SIDR certs uses some of these hashes > functions in the future. > > regards, > > Roque > > > On Wed, May 12, 2010 at 8:00 PM, Stephen Kent <kent@bbn.com> wrote: >> At 6:38 PM +0200 5/8/10, Roque Gagliano wrote: >> >> Patrick, >> >> Thank you for your review. >> >> You are correct oonly 160 bits SHA-1 hash is defined in RFC 5280 and >> required in draft-ietf-sidr-res-cert >> >> Regards, >> >> Roque >> >> Roque, >> 5280 defines how to use SHA-1, but it does not require use of this specific >> hash function. 4.2.1.2 says: >> For CA certificates, subject key identifiers SHOULD be derived from the >> public key or a method that generates unique values. Two common methods for >> generating key identifiers from the public key are: >> ... >> Other methods of generating unique numbers are also acceptable. >> So, use of another one-way hash function, e.g., SHA-256 meets the criteria >> defined above (associated with the "SHOULD") and is consistent with the >> final comment. >> CAs need to know which function to use, but RPs just perform comparisons. We >> could modify the RPKI cert profile (if Geoff and the SIDR WG don't mind) to >> specify use of SHA-256 for generation of SKI/AKI values. I guess the real >> issue is whether commonly used software (e.g., OpenSSL) will support this. >> Steve >
- [secdir] secdir review of draft-ietf-csi-send-nam… Patrick Cain
- Re: [secdir] secdir review of draft-ietf-csi-send… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-send… Sean Turner
- Re: [secdir] secdir review of draft-ietf-csi-send… Stephen Kent
- Re: [secdir] secdir review of draft-ietf-csi-send… Sean Turner
- Re: [secdir] secdir review of draft-ietf-csi-send… Sean Turner
- Re: [secdir] secdir review of draft-ietf-csi-send… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-send… Patrick Cain