Re: [Tm-rid] IPv6 address encoding in commonName
Robert Moskowitz <rgm@labs.htt-consult.com> Thu, 15 August 2019 02:28 UTC
Return-Path: <rgm@labs.htt-consult.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F17DA120816 for <tm-rid@ietfa.amsl.com>; Wed, 14 Aug 2019 19:28:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mI7CIc1YQ5nk for <tm-rid@ietfa.amsl.com>; Wed, 14 Aug 2019 19:28:05 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4A7A12001E for <tm-rid@ietf.org>; Wed, 14 Aug 2019 19:28:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 4C4E66210D; Wed, 14 Aug 2019 22:28:03 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id baYPOBz0wuoS; Wed, 14 Aug 2019 22:27:56 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 6B16C60964; Wed, 14 Aug 2019 22:27:54 -0400 (EDT)
To: Michael Richardson <mcr+ietf@sandelman.ca>, Robert Moskowitz <rgm@htt-consult.com>, tm-rid@ietf.org
References: <d02be2b0-ab7b-9c66-617d-0625ebf8cb16@htt-consult.com> <335d070b-79e1-899c-2c0a-77a7afc1cbbf@wisemo.com> <1835423d-c59a-60b4-007f-afe4545089d9@htt-consult.com> <2862.1565827429@localhost>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
Message-ID: <dc596ccb-9c52-d3e6-bf3a-29e6ce929e95@labs.htt-consult.com>
Date: Wed, 14 Aug 2019 22:27:45 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <2862.1565827429@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/LEVQgxaSHfT1FK03crEeZFB7PPc>
Subject: Re: [Tm-rid] IPv6 address encoding in commonName
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Trustworthy Multipurpose RemoteID <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 02:28:08 -0000
On 8/14/19 8:03 PM, Michael Richardson wrote:
> {Bob, replying to tm-rid list from openssl list, since this is not about openssl}
>
> Robert Moskowitz <rgm@htt-consult.com> wrote:
> > I am working with a 2-tier pki. The root CA cert will have some sort of
> > standard DN for subjectName, naming the owner of the pki. The intermediate
> > signing CA certs are for the agencies that actually register and, to some
> > degree, manage these devices. All these agencies will be 'named' by the HHIT
> > (draft-moskowitz-hierarchical-hip) derived from the ed25519 key of their
> > signing cert. Well they are named by their /64 per the draft. And perhaps
> > that is better, as over the years there will be new signing certs with
> > different keys, but the same HHIT prefix. Hmmm.
>
> > Also size of the DN is important as it is the issuerName in the client cert
> > which may get transmitted over a very constrained (e.g. BT4) link. The
> > intermediate CA cert has ITS issuerName of the root cert that identifies the
> > pki for this purpose. So the CN could simply be:
>
> > CN=2001:24:28:24/64
>
> In the 6tisch 802.15.4 space, where we are hoping to do EDHOC,
> we are trying to find a way to send the IDevID (which may be largish due to
> various extensions) by reference rather than value.
>
> It seems that you have the same problem with the intermediate CAs as we do.
> draft-hallambaker-mesh-udf-05
> is one thing I've looked at, but it isn't clear how much of a win it is.
>
> As your intermediates will be identified by HITT, could you store them in
> reverse DNS?
Michael,
Given the HHIT prefix as in the example above, the reverse DNS for the
HDA/RRA can be calculated (first attempt in
draft-moskowitz-hierarchical-hip, but I am revising it) and additional
information learned.
In raw HHIT mode, you have the device's HHIT and thus the /64 prefix.
That gets you to services to learn the HI to validate sigs, for example
and see if the HHIT revocated and such.
In fact, I am leaning toward a simple DNS structure:
hda.rra.hhit.tld PTR foo.com
and foo.com has lots of SRV RR for all the various services it
provides. Why go through the allusion of rDNS in this case?
In client x.509 cert mode the issuerName is the CN like above. But
again, the subjectName is empty and the SAN is the client HHIT. Well the
client HHIT prefix MUST be the same as that in the issuerName, so why
bother with that, other than x.509 says there is an issuerName...
Hope this helps in sharing my thoughts.
- Re: [Tm-rid] IPv6 address encoding in commonName Michael Richardson
- Re: [Tm-rid] IPv6 address encoding in commonName Robert Moskowitz
- Re: [Tm-rid] IPv6 address encoding in commonName Michael Richardson