Re: [Spasm] certspec work (draft-seantek-certspec-06.txt)
Wei Chuang <weihaw@google.com> Wed, 15 June 2016 21:26 UTC
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F9912DBF4 for <spasm@ietfa.amsl.com>; Wed, 15 Jun 2016 14:26:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.126
X-Spam-Level:
X-Spam-Status: No, score=-4.126 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EoBFIjm0tp6T for <spasm@ietfa.amsl.com>; Wed, 15 Jun 2016 14:26:38 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF83A12DBF3 for <spasm@ietf.org>; Wed, 15 Jun 2016 14:26:37 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id d132so40225508oig.1 for <spasm@ietf.org>; Wed, 15 Jun 2016 14:26:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ASa6L63K8AEFBIz1RHwd3071gFap/thl66A/Jkk6Y3I=; b=V7dl4KLdYRyJsVYttkHPnRDlHTwISxZVzuyxduqX106J2NMoTTBY9UfU+l7vbCuWjn cvPFE+mIsEsmXcWjZuRhlTqTfKAhTdXT1jv/MsFte4RyzFViLhrbTIGSqTGLLIUWSysV ibnWEu9k4ikLSBzAHBlGXf++afIdjDPBboVVe4UnjNTTSuafoIjIHgC5QiZEg45bDNhn ny7aCsEeYzOj1o7/yKGZ4BvwazNzWBqtWM44vn5WEd9EvIvKjNIIRMd03U1q7ZlrmWX8 FqcCkTjIdTYka4gseZSDYc70p7mmrt7w/IrVSzr3OUy+z3qe66R2nnunwtIBdNQT6rXb woWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ASa6L63K8AEFBIz1RHwd3071gFap/thl66A/Jkk6Y3I=; b=LFSRwV77BhG8fWtQq/fwVwiFJQY3IbhiNBncAmQYH2hlTOFaI73zw56Rbsgt28aJXk ofHxIrHZnb9Y/TzTTzDDTRemqAOwJJs+GOV6VJ+oqnc4VlXJBc2pf0htyf9ddz6PuJ1g r9V8qhpvO3CP5Ecc3x4E+tl4TDqibhBGrXspWybMSQG4GgwjzpuPADX4OI6HUGYQW533 8MmwrRRhZ68e8SWbHY0rv1/qyGas8M+SsnXg2x0QAc5kdwJXY0RY9a9WCeGN3n8jNoZo F/5JblS+fcafv7XPOwpOIanVridjBXZbVHkugJu+NONdSAOrxV2K8bxtJ2V7GSvUcKPf 2yxw==
X-Gm-Message-State: ALyK8tLqTg0JkzhQCvJl6KYZt/NdjKNki9lxmSAN+oAP975w0bzJW3J/LlEj9qUVQaqXvct4H/OyTlhlUoJUeELM
X-Received: by 10.202.184.213 with SMTP id i204mr501276oif.128.1466025996594; Wed, 15 Jun 2016 14:26:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.27.139 with HTTP; Wed, 15 Jun 2016 14:26:35 -0700 (PDT)
In-Reply-To: <77fea80c-0c58-d64e-1260-074942211258@seantek.com>
References: <20160608161629.19935.86198.idtracker@ietfa.amsl.com> <f7c50b01-9d68-11ac-c343-9ffff7dbf143@seantek.com> <CAAFsWK1C4n-9rx+zCr+ig6of3XA=shE1HnvkTyJ6wfVp=BOJPw@mail.gmail.com> <77fea80c-0c58-d64e-1260-074942211258@seantek.com>
From: Wei Chuang <weihaw@google.com>
Date: Wed, 15 Jun 2016 14:26:35 -0700
Message-ID: <CAAFsWK1Y3UgaTWMOX3LHC4Y=VEfh=7VCf78FBPQH03C4ioOYsQ@mail.gmail.com>
To: Sean Leonard <dev+ietf@seantek.com>
Content-Type: multipart/alternative; boundary="001a113ce9a8c29fe1053557c61d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/pqH4IOlpNCW0a5y3cY0jovcK55w>
Cc: spasm@ietf.org
Subject: Re: [Spasm] certspec work (draft-seantek-certspec-06.txt)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2016 21:26:41 -0000
On Wed, Jun 15, 2016 at 12:15 PM, Sean Leonard <dev+ietf@seantek.com> wrote: > Returning to the rest of the response: > > On 6/9/2016 10:49 AM, Wei Chuang wrote: > > Just some thoughts about this draft: > > > 2. This document would do best when coupled with work on methods to access > certificates such as draft-bhjl-x509-srv-00 that would use it. > > > Yes, I think that would be fine and a useful coupling. > > However, the motivator for certspec is to identify a single certificate > unambiguously, not a family of certificates. Use cases include in > configuration data for Internet-connected devices, such as for > administrators administering certificate settings on clients, server, or > nodes on an internal network, using various configuration formats (config > files, YANG, XML, JSON, etc.). > > Section 2 says "Certificate specifications, or "certspecs", are not > designed or intended to provide a search tool or query language to match > multiple certificates. The goal is to replace data elements that would > otherwise have to include whole certificates, or that employ proprietary > reference schemes." It does not attempt, for example, to provide a syntax > for matching "any certificate for an e-mail address", as > draft-bhjl-x509-srv-00 suggests: > > https://certs.example.com/certificates/search.cgi?uri=someuser%40example.com > > > This is important because it is likely that such a query (it *is* a > query) could return multiple certificates. It would be fine to use > draft-bhjl-x509-srv-00 to construct a different query: > > https://certs.example.com/certificates/search.cgi?certspec=SHA-256:64DF > 42FF3410B579958ADDCC5C35E6BAEAFCCB4EB2B3FCDD29CE4EE06857F68E > > > That would be okay; the result would have to be strictly limited to a > single application/pkix-cert, not multiple certificates (compare with > Section 5 of draft-bhjl-x509-srv-00). However, I question the utility of > such a thing. If you know the SHA-256 hash but not anything else about the > certificate, are you sure you want to be asking "example.com"? Maybe you > should be asking elsewhere? (Compare with the ni: URI scheme.) If you know > the SHA-256 hash and you know that you are hunting for a certificate that > matches an e-mail address, it makes more sense to use > draft-bhjl-x509-srv-00 or something else to return all the known > certificates, and then have the client verify that one of the certificates > matches the SHA-256 hash. The client has to do this anyway for security > reasons. > > Certspecs are meant to be "simple" enough that they can be included as > components of broader formats, including certificate queries. For example: > > https://certs.example.com/certificates/search.cgi?uri=someuser%40example.com& > certspec=SHA-256:64DF42FF3410B579958ADDC > C5C35E6BAEAFCCB4EB2B3FCDD29CE4EE06857F68E&certspec=SHA-1:FEA3 > 64082CEACA2AC80E8AECFA2224BCC3210D2A > > > Would be a better example (assuming that the client really did forget > about the original certificate, perhaps because it is very > resource-constrained): the premise being that bandwidth can be saved by > doing server-side filtering. > > 1. The title is a little bit confusing, as much of the document is about > naming certificates. Perhaps "Naming and Metadata Specification for..."? > > Actually...none of the document is about naming certificates, because they > aren't names. > Regarding the title, then perhaps something describing how this document is to be used? > > Certificates don't have globally unique "names". The closest thing to a > name is Issuer + Serial Number, as issuer is theoretically unique and > serial number is supposed to be unique for every cert issued by a > particular CA. But we know this is not true because CA issuers are not > bound to follow some global Directory, which never materialized. > > The family of element-based specs is included for compatibility (e.g., > with CMS, which identifies certificates based on issuerAndSerialNumber or > SubjectKeyIdentifier; also compatibility with the MS CryptoAPI and Mozilla > NSS major implementations ) and efficiency (e.g., database lookups), rather > than absolute unambiguity. They are only unambiguous given certain > assumptions, namely assumptions about the store(s) where the certificates > are being looked up. > > Several drafts ago, I tried to call these things names by stuffing them > into the URN protocol slot. That ultimately failed, mainly because a lot of > these things aren't names. Hashes (fingerprints) of certificates are also > not truly unambiguous names--they are only unambiguous given certain > engineering assumptions for certain periods of time. If you doubt this, > consider whether MD5:01332f309262d789097cdda53be5174d is really the kind > of "name" that we are looking for. All cryptographic hash algorithms are > susceptible to cryptanalysis; it's just a matter of time and ingenuity. The > data-based specs are also not really names; it would be like "naming" a > human being by his or her entire genome sequence. > > So they aren't names; they are just ways of getting at a (single) > certificate in text. > And yet there's value in identifying certificates for lookup and such. Just pointing what I thought was a use for the specification. -Wei > > > 3. Modify the ABNF to clearly identify the certspec type vs data > > > The current ABNF is intentional. Prior drafts had "certspec-type", but the > most recent drafts remove that because it gets in the way of human > usability (copy-and-paste-ability). > > I thought about "path:" or "file:" for the filesystem-based path specs, > but "file:" looks too much like a file: URI (it's not a file URI), and > "path:" is both a bit superfluous, and a bit ambiguous (i.e., what kind of > path?). Overall, a conforming implementation can recognize additional specs > in its own special way, if it wants to. This specification only requires > implementations to recognize a few important string patterns. > > This reminds me...I was going to include Registry keys, such as > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\ > 109F1CAED645BB78B3EA2B94C0697C740733031C\Blob > > In that example, it's totally obvious that "HKEY_LOCAL_MACHINE\" is the > prefix to a Registry key or value (and, notably, not a filesystem path). > That would be an example of a class of certspecs that is not so great to > exchange on the open Internet, but is very useful for a managed intranet. > > Best regards, > > Sean >
- Re: [Spasm] certspec work (draft-seantek-certspec… Wei Chuang
- Re: [Spasm] certspec work (draft-seantek-certspec… Sean Leonard
- Re: [Spasm] certspec work (draft-seantek-certspec… Sean Leonard
- Re: [Spasm] certspec work (draft-seantek-certspec… Wei Chuang
- Re: [Spasm] certspec work (draft-seantek-certspec… Wei Chuang
- Re: [Spasm] certspec work (draft-seantek-certspec… Sean Leonard
- Re: [Spasm] certspec work (draft-seantek-certspec… Sean Leonard
- [Spasm] certspec work (draft-seantek-certspec-06.… Sean Leonard
- Re: [Spasm] certspec work (draft-seantek-certspec… Stephen Farrell
- Re: [Spasm] certspec work (draft-seantek-certspec… Wei Chuang