Re: [urn] Informal NID registration interest

Ted Hardie <> Mon, 29 March 2021 14:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BD3C23A16FF for <>; Mon, 29 Mar 2021 07:50:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m20AjQYsLMMm for <>; Mon, 29 Mar 2021 07:50:30 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C3A023A16FD for <>; Mon, 29 Mar 2021 07:50:30 -0700 (PDT)
Received: by with SMTP id 91-20020a9d08640000b0290237d9c40382so12482181oty.12 for <>; Mon, 29 Mar 2021 07:50:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2qre3qU1gINDux6ViVSxlKbiSiHfDDMSipQWK2nlT74=; b=bKwdUjAWawOTFLROjFvgSDMI1O7l8e4A3+cSLPJIf4HRl1EAWDG6R/rXwckEtkZ4cq /+WTbQmZpn9VAT/EMJU3xJCrwwWBCeoEwYHB9NYgD/uUFb/Gpj3lkxGckFDslpRD4Meb TFcBryesblwqTs0qLOBGHUC6p5iImgqjB2NwSlxozfvzG7nhDLQKm+ZTf32fzVDUZn2E ha1pVR+59Th2Y0yp6kXq3xA+yZtcheWGsr9AVy6wJehtnqvN00yMwgSmscbvzbZDP3ns qhrTsz347polwphaL9f/i0JVrnd+muLNN04JiuSHbS6a8T4o+OgNKfx1DVsbu2Zp1gsz ++LQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2qre3qU1gINDux6ViVSxlKbiSiHfDDMSipQWK2nlT74=; b=XYAuR9uweNe2QKgj5jcShPWrMd/izwBYmtfqM7hgpRLzrsW6ptJBo7pQR50CzeEVgS SIgXkf2SvU2VuQaaGqshyzfP8C2+qcemCYkBswiitENoZG8AvFkbtJLBPlhNmnR+lV5T JT0mdIXO91fS/G/Q/zE46dDQv63phP1MITPycV/zIDdNDxJUWKm59RiFubazIkkkz0Qn UluaVyQdVjIPrbax5ZC6haBEKkjLITXAEJdFBckQ9RyspnftAHMDWUlgBRwjYt4v4OGt IwRPk2u+Rde72QNZgbrjSdE904rhCwmhUsZHaZV80FbZrF0BDgjw2nNsdLMDYY0Hhutb MuyA==
X-Gm-Message-State: AOAM530hmk7EQkrKKkk6FKiBpLELJAWqDJW6IS3fnMa/DGCWFosbH0R0 bjf0xatZ5aFWitmiEZNUUIUMZVQ2Ht9o2DUdvxUv85hZiLs=
X-Google-Smtp-Source: ABdhPJxbEgygr/e2pH7tvBf10wMMm4Q8GbH72Bpw1IDKAAVOSeBmXjqis9QGjGFQhCVhp584IKxI3QPogfXAdkybzo8=
X-Received: by 2002:a9d:921:: with SMTP id 30mr23031890otp.49.1617029428628; Mon, 29 Mar 2021 07:50:28 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Ted Hardie <>
Date: Mon, 29 Mar 2021 14:50:02 +0000
Message-ID: <>
To: Kate Gray <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="000000000000af508d05beae003e"
Archived-At: <>
Subject: Re: [urn] Informal NID registration interest
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Mar 2021 14:50:36 -0000


Thanks for submitting the registration.  I have a couple of questions,
inline below.

On Sun, Mar 28, 2021 at 3:05 PM Kate Gray <> wrote:

> Hello,
> I am interested in registering an informal NID for URNs.
> I have attempted to fill out the template as requested.  I apologize if I
> screwed up somewhere; this is my first time doing this.
> Namespace Identifier: Assigned by IANA (informal)
> Version: 1
> Date: 2021-03-28
> Registrant:
>     Kate Gray <kate&>
>     340 S Lemon Ave #5926
>     Walnut, CA 91789 USA
> Purpose:
>     The purpose of this NID is to provide a Uniform Resource Name
> representing
>     derived keys within a card issuance scheme.  Specifically, they
> provide a
>     path within a hierarchal tree representing implementers (referred to
> as
>     tenants within the system), card issuers (e.g. Universities), optional
> sub-
>     issuers (e.g. Departments), and individual keys within a card (used for
>     different purposes).
>     These URNs will be used by card manufacturers (to preload data for
> issuers),
>     as well as issuers and users to refer to the cards and keys throughout
> the
>     card lifecycle.  Good security practices require the use of diversified
>     (per-card) keys, so that an attacker who defeats the security on a
> card will
>     not have the keys required to attack other cards within the system.
>     A cryptographic module (generally a smart card) can be pre-provisioned
> with
>     the issuer keys, and the URN for a given key provided to it.  With this
>     information and cryptographic keying material, the appropriate keys
> can be
>     derived, without the host needing to know the issuer keys.
>     While this URN will be implemented into software (including open source
>     software), and published to permit others within the industry to
>     interoperate, it is not expected to become a formal standard, or to be
>     publicly resolvable.  The general use will be between actors in a card
>     issuance scheme, for purposes like enabling a vending machine to
> derive a
>     balance update key for a stored balance wallet on a card, or for a help
>     desk agent to determine the Personal Unblocking Key (PUK) for a user
> that
>     has lost their PIN.
> Syntax:
>   All URNs defined under the namespace have the following structure,
>   specified in RFC 7405 ABNF notation[1]:
>     NSS                = %s"urn:" NID ":" TenantId "@" TenantVersion ":"
>                          IssuerId "@" IssuerVersion ":" Purpose "@"
>                          PurposeVersion "/" ResourceId "@"
> ResourceKeyVersion
>     NID                = "urn" - DIGIT
>     TenantId           = 3*(label)
>     TenantVersion      = version
>     IssuerId           = 3*(label) / 3*(label) ":" 3*(label) / 3*(label)
> ":" 3*(label) ":" 3*(label)
>     IssuerVersion      = version

To confirm my understanding here:  the TenantId is associated with the
software writer who went to the website and requested a new ID.  That
implementer then manages the uniqueness of the TenantVersion, the IssuerId,
and IssuerVersion of the NSS.  The latter two are managed by ensuring that
each IssuerID minted goes only to a single organization? Is that correct?

>     Purpose            = 3*(alphanum / other)
>     PurposeVersion     = version
>     ResourceId         = 1*(alphanum / other)
>     ResourceKeyVersion = version
>     label              = loalpha / loalpha *(alphanum / "-") alphanum

I am not sure that I understand the ABNF of "label".  According to section
3.6 of RFC 5234, * without a minimum or maximum bound can include zero of
the following element.  That appears to mean that loalpha alphanum would be
a legal result.  Is that intended, or is the "-" always present?

>     version            = 2*2(HEXDIG)
>     alphanum           = loalpha / DIGIT
>     loalpha            = %x61-7A
>     other              = "-" / "_"
    As the full string of the URN is used as an input to the Key Derivation
>     Function, equivalent URNs are impossible.  As such, the equivalency
> rules
>     consist of bit-by-bit comparisons (Simple String Comparison).
> Assignment:
>     Registration within this NID is private.
>     Implementers will register a Tenant ID, and be responsibile for
> issuers and
>     sub-issuers within their card issuance tenancy.  The web site will be
>     responsible for ensuring that Tenant IDs are unique.
Can you specify the website which will issue them?  As written, it might be
misread to imply that someone else could set up a website to issue these,
which could result in collisions.

>     Uniqueness will be guaranteed through a combination of statistical and
>     database-based methods.  For example, when issuing management for PIV
> cards,
>     the keying material used incudes a UUID that is guaranteed
> mathematically to
>     be unique.  In contrast, when deriving GlobalPlatform keys (which use
> a 10
>     byte unique ID for the card), issuers will be responsible for keeping a
>     record of all such cards issued and ensuring there are no duplicate
> IDs.

GlobalPlatform keys do not appear to be referenced in the ABNF above.  Are
these a sub type of the ResourceID?  If so, given these examples, is 1
really the minimum number of characters for a ResourceID?

>     Because each issuer is at a unique path within the hierarchal tree,
>     uniqueness is guaranteed as long as they take care not to issue
> duplicate
>     cards within their own subtree.
> Security and Privacy:
>     As these identifiers will be used in the generation of cryptographic
> keys,
>     their opacity does serve to provide a degree of "security through
> obscurity"
>     for attackers looking to compromise the cards.  The loss of that
> obscurity
>     (for example, if an attacker is able to find a users card ID in the
> browser
>     history) in theory represents a slight loss of security for the user.
>     Keys for this system will be stored in Hardware Security Modules
> (HSMs), and
>     configured such that the actual keying material for that level never
> leaves
>     the cryptographic envelope.  Through the use of hash functions that
> provide
>     strong cryptographic guarantees, and hardware security on the keys
>     themselves, there is no need for the identifiers to be private, and no
> risk
>     to the user should an attacker somehow gain access to his identifier
> without
>     having additionally compromised the HSM or a machine connected to the
> HSM.
>     In a broader sense, the point of this card issuance scheme is to
> facilitate
>     the issuance of privacy-protecting and security-enhancing credentials
> to
>     individuals within organizations.  Such cards permit strong
> authentication,
>     as well as multi-factor logins that are resistant to phishing and which
>     enable mutual authentication from the server level.  As such, the net
> effect
>     on Privacy and Security will be positive.
> Evaluating the system described is beyond the scope of the URN review
process, but I will say that the description above seems to place a great
deal of stress on the HSM and not much on what other inputs the hash
function has and what properties are available to update the hash function
used.  If you desire such a review, I believe the IETF security area
advisory group ( could provide that.

> Interoperability:
>     The author is not aware of any potential conflicts with this
> namespace, and
>     given the rather tightly coupled nature of the identifier with the
>     implementation, any overlapping areas of concern for other systems
> should
>     not present interoperability issues, as there will be no operability.
> Resolution:
>     Resolution mechanisms are not intended or anticipated for this
> namespace.

Thanks again for submitting the registration.


Ted Hardie

> _______________________________________________
> urn mailing list