Re: [TLS] OpenPGP and TLS cert_type code point reuse

Nikos Mavrogiannopoulos <nmav@gnutls.org> Thu, 30 September 2010 17:26 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CAEC3A6D40 for <tls@core3.amsl.com>; Thu, 30 Sep 2010 10:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hF90oC2lo4+b for <tls@core3.amsl.com>; Thu, 30 Sep 2010 10:26:10 -0700 (PDT)
Received: from mail-ew0-f44.google.com (mail-ew0-f44.google.com [209.85.215.44]) by core3.amsl.com (Postfix) with ESMTP id 32B7B3A6BAF for <tls@ietf.org>; Thu, 30 Sep 2010 10:26:10 -0700 (PDT)
Received: by ewy26 with SMTP id 26so1216427ewy.31 for <tls@ietf.org>; Thu, 30 Sep 2010 10:26:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=slmJqB61CmRUQ1MQnknS0StrL8tPdUVnonSGRUfA2vY=; b=qxgCr9gUdRI1tkLK5Rr4l4BWQzI5M66RFvPwDihWqmLtTV5/X/jOCDhhubnhnxX8ey 5xqPThXWPCsa8ltVSJ7w6+SsB5j52tUiI3aCFMRwzX1sD0pGTjghextLT1pO2W4B+Vlp xXS/4CCKZPexSSeRz3xRaYxwkGzjGFESt+kyc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=DAgcMsDNjN/VCVqajT7W2s1DXbx+3h1E3KfSV4E1ZKvsfR2rIUsxA5aS4NWh1FLBTn cvmp1MAu84vDTdvzb9WlLBiWBYHuV/ZLtUMdM+7S7QquQOVaFiyoOZAItRKWf1+BllaP XbgrUCUWwvYBwIeum+jnHpI+Rym6bE4+/qgv0=
Received: by 10.14.37.67 with SMTP id x43mr2516078eea.12.1285867615959; Thu, 30 Sep 2010 10:26:55 -0700 (PDT)
Received: from [10.100.2.14] (78-23-65-223.access.telenet.be [78.23.65.223]) by mx.google.com with ESMTPS id z55sm143226eeh.3.2010.09.30.10.26.53 (version=SSLv3 cipher=RC4-MD5); Thu, 30 Sep 2010 10:26:54 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4CA4C85C.3020907@gnutls.org>
Date: Thu, 30 Sep 2010 19:26:52 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100915 Thunderbird/3.0.8
MIME-Version: 1.0
To: tls@ietf.org
References: <4CA48C67.9050304@ieca.com> <p06240803c8ca5a5b9904@[10.20.30.158]>
In-Reply-To: <p06240803c8ca5a5b9904@[10.20.30.158]>
X-Enigmail-Version: 1.0.1
OpenPGP: id=96865171
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] OpenPGP and TLS cert_type code point reuse
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2010 17:26:11 -0000

On 09/30/2010 05:18 PM, Paul Hoffman wrote:
> At 9:11 AM -0400 9/30/10, Sean Turner wrote:
>> draft-mavrogiannopoulos-rfc5081bis reuses the Certificate Type value assigned in RFC 5081 (it's 1).  The extension defined in draft-mavrogiannopoulos-rfc5081bis is not backwards compatible with RFC 5081.  If there were many implementations, then I'd be concerned about reusing the value.  The authors (and I) don't think there are any implementations other than GnuTLS, but I'd like to know if anybody knows of TLS implementations that support RFC 5081.
> Given that there is a known implementation of 5081, and given that GnuTLS is reasonably well-deployed, why doesn't draft-mavrogiannopoulos-rfc5081bis simply use a new certificate type number? So far, only 2 out of >200 have been allocated, so there is no shortage.

The problem is not strictly on the reusal of the extension but on the
reusal of the OpenPGP CertificateType, but the idea is the same. The
problem is that this reuse was made quite long ago in gnutls (when
draft-mavrogiannopoulos-rfc5081bis-01 appeared), thus having all gnutls
releases follow that approach since then.

The reason we don't change that now is that will make the draft
incompatible with gnutls openpgp support, which is supposed to describe
(this is an informational RFC and not standards track). Hence if there
are not any other implementations following RFC5081 this will have
no side effects.

regards,
Nikos