IETF Logo Mail Archive

Re: [lamps] On the need for standardization of software-based interoperable private keys [was: Re: draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)]

Russ Housley <housley@vigilsec.com> Tue, 10 August 2021 13:55 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B309B3A0B8D for <spasm@ietfa.amsl.com>; Tue, 10 Aug 2021 06:55:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkMqD7uqB5K9 for <spasm@ietfa.amsl.com>; Tue, 10 Aug 2021 06:55:48 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51E5D3A0B9F for <spasm@ietf.org>; Tue, 10 Aug 2021 06:55:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DD7BF300C9A for <spasm@ietf.org>; Tue, 10 Aug 2021 09:55:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id nfJwM4RBfRO3 for <spasm@ietf.org>; Tue, 10 Aug 2021 09:55:43 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 2F7F5300AF2; Tue, 10 Aug 2021 09:55:43 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <4157B24C-8343-45E1-8AEF-94FDF04B7CFE@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_E911A9D2-EE0D-46C3-A33B-07EB0E8EABDD"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Tue, 10 Aug 2021 09:55:41 -0400
In-Reply-To: <877dgu369z.fsf@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <87czr0ww0d.fsf@fifthhorseman.net> <FF939B28-528B-47F9-9C0C-6585D1B02FBE@vigilsec.com> <87mtq3ukk0.fsf@fifthhorseman.net> <CAErg=HHQMZ1jk+bVxA=MzVvW+9ucie7bu-N6O8Asnp0V8Rf9Bg@mail.gmail.com> <30546.1627850836@localhost> <CAErg=HHKL-E5yT0UnPKcLfMQU41iDg7GGgjsSXs3eRg8daJRkg@mail.gmail.com> <87wnp347iu.fsf@fifthhorseman.net> <1388.1627996026@localhost> <87pmuu42hf.fsf@fifthhorseman.net> <20862.1628113377@localhost> <656985A5-BED4-4BA8-9233-B3C93966016C@ll.mit.edu> <877dh03x35.fsf@fifthhorseman.net> <722a1f15-8ac8-54f2-3c7a-14c7ed92c6ef@cs.tcd.ie> <87zgtv3jf9.fsf@fifthhorseman.net> <115D31F8-A088-413B-A526-9C48D579C122@vigilsec.com> <877dgu369z.fsf@fifthhorseman.net>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/o0FNn-dTywCCn63GxUpedIhabAo>
Subject: Re: [lamps] On the need for standardization of software-based interoperable private keys [was: Re: draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)]
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Aug 2021 13:55:54 -0000


> On Aug 9, 2021, at 12:57 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> Signed PGP part
> On Sat 2021-08-07 11:52:07 -0400, Russ Housley wrote:
>>> On Aug 5, 2021, at 1:12 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>> 
>>> - formally deprecate PKCS#12 (e.g. move 7292 from informational to
>>>  historical) and encourage some other standard (a PKZIP file full of
>>>  independent PKCS#8 objects and certificate objects?  that seems
>>>  morally equivalent to PKCS#12 to me, but a much longer lead time to
>>>  get any sort of adoption)
>> 
>> RFC 5208 is the PKCS#8 v1.2 specification.
>> 
>> RFC 5985 is an enhancement to PKCS#8 that allows the certificate to be carried along with the private key.  In addition, RFC 5985 provides a content type for PKCS#8.
>> 
>> RFC 4073 defines a way to carry a collection of contents, each with their own type:
>> 
>>      ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
>> 
>> These seem to be the building blocks that are needed to carrya a collection of PKCS#8-protected private keys along with the associated certificate.
> 
> Thanks, Russ!  I appreciate this collection of pointers, but i am not
> convinced they belong in draft-ietf-lamps-samples today given that i
> don't know of any tooling that is capable of ingesting them.
> 
> If someone in the WG wants to assemble such an object from the keys and
> certs already in the draft, and other folks in the WG can independently
> confirm that it appears to be correct, then i'd be fine with including
> it alongside the PKCS#12 objects that the draft currently publishes.
> I'd be even more strongly convinced if someone can point to an
> implementation that is capable of processing them.
> 
> Including such an object in the spec might be a helpful spur for
> adoption!  But without other people stepping forward to assemble and
> test the pieces and point to implemententations, i'm inclined to leave
> this as future work so we can get draft-ietf-lamps-samples out the door.

I was not suggesting them for lamps-samples.

I was pointing out a simple way to construct an alternative to PKCS#12 for multiple private keys and their certificates.

Russ

v2.23.0 | Report a Bug | By Email