IETF Logo Mail Archive

Re: [stir] I-D Action: draft-ietf-stir-certificates-06.txt

Sean Turner <sean@sn3rd.com> Thu, 07 July 2016 04:24 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE1EF12B00B for <stir@ietfa.amsl.com>; Wed, 6 Jul 2016 21:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rz4PIrV1tuKk for <stir@ietfa.amsl.com>; Wed, 6 Jul 2016 21:24:20 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A9A128E19 for <stir@ietf.org>; Wed, 6 Jul 2016 21:24:20 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id t127so5398476qkf.1 for <stir@ietf.org>; Wed, 06 Jul 2016 21:24:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=/nAypLD5gw81TchEXR5AsdEGK6bUtath7PaflaFu5vE=; b=BYDTY/W94Aed05rc+WCe2rPjLiAF+2Amk0VXhJ4ah8MRwY4i7JC5tEp71P/B39ZoTY 6btgonN1Gn8G55BlkP0yC+DCQ4V6WLtOByN9yyWm1OOR7jFKydL4LfF5crz/ELL1LVgx /LoLv+qxgsEmeK+gYeCL5GBD8hivX6IK+hhkE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=/nAypLD5gw81TchEXR5AsdEGK6bUtath7PaflaFu5vE=; b=lPCzNYClX2a9KCkkw4HFjdIfAwFhj6ejieXAPEHSxdgX21knxDdqA+KlmTgi2/4RGx /Rrv0hPoNWHkgDzavKfe2qxrUKrEOG9SHu3jE0WPcGj7gpFWSpl/PmVqcmlF4j1dqhvT unF/tbRABj0fKnEFReCgUcx0LzXHTRfg9PNLOTEr7whKy6zoHyd6ATgKGonWVvGWbVdF P/9I4edwkkHmHU/UNaghOt3fqzkdcD0qNz+QjgOyR+jzTRnQkzKHZq7Sa7lT5IdUMBrq 0uflp3fGw3q2G56WEwxNJJv5BOAZfx93sBx7hrxc7xd8QZWpdSF1NyA796I88bNcvk3i uuOQ==
X-Gm-Message-State: ALyK8tJ7fHUipaiKqas2vsMYsSp8Nzl1DuNoRgcSlBuBXcsAOYeVHrXa81JCA6nAFCUBOQ==
X-Received: by 10.55.53.4 with SMTP id c4mr29726089qka.92.1467865459257; Wed, 06 Jul 2016 21:24:19 -0700 (PDT)
Received: from [172.16.0.112] ([96.231.230.69]) by smtp.gmail.com with ESMTPSA id 1sm2100331qtv.13.2016.07.06.21.24.18 for <stir@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 06 Jul 2016 21:24:18 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <20160707042049.26736.35696.idtracker@ietfa.amsl.com>
Date: Thu, 07 Jul 2016 00:24:17 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <95A0D3E3-7BAD-4FF9-981B-3B23EFB6EC62@sn3rd.com>
References: <20160707042049.26736.35696.idtracker@ietfa.amsl.com>
To: stir@ietf.org
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/qg0ztz8v8DJArw-xewicfWzLIvc>
Subject: Re: [stir] I-D Action: draft-ietf-stir-certificates-06.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 04:24:23 -0000

Hi,

This version incorporates text to address:

0. Levels Of Assurance

There was a TBD in s5.  I removed the TBD and added some text explaining how LOA is conveyed as OIDs in certificate's certificate policies extensions.  I threw in some additional wording about how OIDs represent the certification policies and those as well as the certification practice statements (CPSs) are just part of the normal PKI “process”.

I decided to co-opt the LOA profiles defined in RFC 6711.  I requires a SAML Context, but the RFC says non-SAML registrations are accepted.  So, I created sub-registry and instead of a SAML Context you submit your OID.  I included that the expert is expect to ensure that the OID is in the CP.  I almost added “and nothing else, but that’s maybe too much.  We could also get a couple of volunteers to be experts and the STIR-related registries could be farmed to them.

1. Profiling OCSP

We’ve got OCSP, we’ve got it's High-Volume Environment (HVE) profile, we’ve got an extension, we’ve got ECDSA P-256 with SHA-256 signatures.  Unfortunately, these all don’t go together so we had to do some profiling.  Most of it’s pretty straightforward, but a couple of things I wanted to note:

1.a.  draft-ietf-stir-certificates purposely DO NOT update the OCSP or HVE profiles because we’re not trying to say that all OCSP and HVE implementations MUST do what we’re specifying here.  Basically, the STIR profile is not for everybody.

1.b. OCSP has two places to extend requests/responses: one is per request/response and the other allows you to apply an extension to multiple requests/responses.  I think we’re not looking at grouping reqeusts/responses so I switched the location of the extensions from requestExtensions/responseExtensions to request’s singleResponseExtension/responses’ singleExtension.

1.c. As we discussed on the interim call, we need to return “not good” when the status is “unknown”.  I made the server a SHOULD send “not good” only, and clients a MUST treat “unknown” as “not good”.

1.d. The OCSP requires RSA with SHA-256 so we’re good there, but I had to mandate support for ECDSA using P-256 and SHA-256.

1.e. I’m proposing that we embrace SHA-256 for every hash.  Because the HVE profile requires SHA-1 for the hash values used to identify the issuer’s certificate and name and OCSP itself bakes SHA-1 into the optional ResponderId.KeyHash (the other choice is Name but HVE recommends KeyHash be used) I had to add some statements about SHA-256.  I’m thinking this for two reasons: 1) we’re using SHA-256 with our signatures so why have this code to generate these values reuse SHA-256, and 2) I suspect that some (likely Gov’t) weenie is going to ask in the not too distant future “does you product use SHA-1” and if you tick yes you’re going to have explain why (saying on here is probably worth it).

Comments welcome.

spt

> On Jul 07, 2016, at 00:20, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Telephone Identity Revisited of the IETF.
> 
>        Title           : Secure Telephone Identity Credentials: Certificates
>        Authors         : Jon Peterson
>                          Sean Turner
> 	Filename        : draft-ietf-stir-certificates-06.txt
> 	Pages           : 21
> 	Date            : 2016-07-06
> 
> Abstract:
>   In order to prevent the impersonation of telephone numbers on the
>   Internet, some kind of credential system needs to exist that
>   cryptographically proves authority over telephone numbers.  This
>   document describes the use of certificates in establishing authority
>   over telephone numbers, as a component of a broader architecture for
>   managing telephone numbers as identities in protocols like SIP.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-stir-certificates-06
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-certificates-06
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email