Re: [urn] Informal NID registration interest

Kate Gray <kate@aerobatt.com> Tue, 30 March 2021 11:40 UTC

Return-Path: <kate@aerobatt.com>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1423A0D05 for <urn@ietfa.amsl.com>; Tue, 30 Mar 2021 04:40:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aboveandbeyondaero.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HGWC6ggPtIKI for <urn@ietfa.amsl.com>; Tue, 30 Mar 2021 04:40:06 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2131.outbound.protection.outlook.com [40.107.237.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FC093A0D01 for <urn@ietf.org>; Tue, 30 Mar 2021 04:40:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pl/o1o2ORYcjs04zz6kAD8sENAwxoWaeplWU/3FijHgNmT3R+AZwU25wMuKVQK1NHW2HlIuXK/303fq/r4SgPfvZJjfPu8lzl50aO7PWXudbx7LugOwvDigAYxfu4+67VOsUgZw7Ni0uEQaVd+s9397C4Xm24uq3r4gjhu89FiJRs0K6XE5zXUGkWqK6AXo0kCpgj6GRCIFoGruGzl6Wbi9OgnraaR1x7B1lwY5+k8SS/vNUIFnPbUAEFJdqEMpDN9Ice4jd7ytc95G/TZjd2DpEkzDlFWbUkESoSQLXWc5aseYHRG7IqHzwF0ZHcrE/2sc8gRZLlfM0XVmMUe9BVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fcHKQP01vKrbv1eyxVzYCg+/RJGHhbnuzB0UwQwo3cY=; b=UJ6PKJ+2/EF3gPm6A/7ceYgprKJGqY/rDQGu4BjN6gcnY4JbXMmeWzv8F0S/L3vWkgxCpFkVg8MlAm91hsHCI9x+tLGx0s0IOg1GtU5TXgxOsqc+pa+KIAzz5cciWgReUb2XDKQ/doqv5koDluCC+ZW7o4DUKzyYdPnCWoeTG5by4Na+RX2q1VJsRwOxMVW8Nmc/w3SDAKCY0LHDCFFt4/CuHx1nelAc2/vn5YOvtt4KA4FVnBsVhYk/bZ13cPu62/NxexexiH2p0+DA4+8/3tADLPe6KfJ25p5CWThqNRzmQvEqaluQP20zK3mTUplKMW2knTpKk95MtR3YcICPvg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=aerobatt.com; dmarc=pass action=none header.from=aerobatt.com; dkim=pass header.d=aerobatt.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aboveandbeyondaero.onmicrosoft.com; s=selector1-aboveandbeyondaero-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fcHKQP01vKrbv1eyxVzYCg+/RJGHhbnuzB0UwQwo3cY=; b=Ov6y/oc+0udDsRKy30gq3ouX82f89lu4udH+3Ftr3GmgNL1zOJ1DmY1OMlItt2kYbNpj/ZyUP9Om4UWdSLCxGI1EiXGbv5kxwEeohKi8oIQVkP78Z6JiKRFYR9EknhyGfPVgMcnac27dDCpU1iJkpEk/3DF7QZxbqJD/9ipQG3w=
Received: from DM6PR18MB3473.namprd18.prod.outlook.com (2603:10b6:5:2a1::10) by DM5PR1801MB2058.namprd18.prod.outlook.com (2603:10b6:4:67::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3977.29; Tue, 30 Mar 2021 11:40:02 +0000
Received: from DM6PR18MB3473.namprd18.prod.outlook.com ([fe80::b926:3fc1:246f:f907]) by DM6PR18MB3473.namprd18.prod.outlook.com ([fe80::b926:3fc1:246f:f907%3]) with mapi id 15.20.3977.033; Tue, 30 Mar 2021 11:40:02 +0000
From: Kate Gray <kate@aerobatt.com>
To: Ted Hardie <ted.ietf@gmail.com>
CC: "urn@ietf.org" <urn@ietf.org>
Thread-Topic: [urn] Informal NID registration interest
Thread-Index: AQHXI6jsp2uW4D9GK0abAS580bTAN6qbDkYAgAEZ9S6AADQ7AIAABFUO
Date: Tue, 30 Mar 2021 11:40:02 +0000
Message-ID: <DM6PR18MB34736B478E69F697DA448EBCB47D9@DM6PR18MB3473.namprd18.prod.outlook.com>
References: <DM6PR18MB3473CBFBFF360DF0CD5FBA0DB47F9@DM6PR18MB3473.namprd18.prod.outlook.com> <CA+9kkMAvvBgo+Mw3RhD0a0t2M6F4M_=CFDtkQncHVZuZmrKeoQ@mail.gmail.com> <DM6PR18MB3473EFA05F1C684FC3132CDAB47D9@DM6PR18MB3473.namprd18.prod.outlook.com>, <CA+9kkMDQaOoHos1ZfP6F37cKCidm4MoFRpieb7ry+qAW-E_58Q@mail.gmail.com>
In-Reply-To: <CA+9kkMDQaOoHos1ZfP6F37cKCidm4MoFRpieb7ry+qAW-E_58Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=aerobatt.com;
x-originating-ip: [67.79.85.206]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: be361dce-b25f-4a65-0eda-08d8f3708e50
x-ms-traffictypediagnostic: DM5PR1801MB2058:
x-microsoft-antispam-prvs: <DM5PR1801MB2058F98221F7A7462AA40550B47D9@DM5PR1801MB2058.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YdCgML9/ohGmHqz/7oude3wsVA4T0yOvwo22glhoEFhW7t6fNnGlfVnEFOfrlgjXnYZUri1ZU3708/fM0LErwojfgeDIM1AmwhGKPH84y7posuOYEDUIMFMPgFjTl96sLeX51vADRceclZOr9ySiZVYP+sGYz0JmOOSN1RYME97+4umoLQVJOz4mtADv4KHtTOLy63PXsd53OzutITyv+5ReBxN4vU/YN5nQFKmnuDNR2gzWnXbZf3V9p8P8R8caoZU37DnNzcufrRlpWTysHKgUxfPjbqu/b0XUMfOiDx1YyTg0yMnpakibKUi4sIWKbAn2rfHGR9nXIxCU/MMRfCXW1RANf/sZfu0sRnMBxDgPxgOiO8Hycmgf3GVstSL7Y8GVtXy3bdORzRa2HGiZPODbqXtWIsuNUEo+pwMebPiw14HSmw99lkCh+RFamFMm9d8OI3V4MlHueXHkh3NLQIQDvhtH3LS5ALIy3pRHDH0Qkp/Qy8abR0h7WDS0CNkkF3iJtr0ODSxmqQ67+19vZTsjIHKYpCcWpKHMFLIa0F56kA+/ZSsUKCixjE/3UTlrH6bDpWehxBK1epCFtvn6annrEbTPWSUXLuXBEoWHynIM+63ALpLDfHm+wSaXlJCINxwsr0u3hhOliaoUgxkg+cYSVmPz/IpPOZR66IRgvS+1zfFLUA7cygVihzgDHadKR0bL4maw3flXTweu1/E8ilhVjIxYF4yA73G6YDVkM6CXaq5SrG9E7FFFTyvocLpC
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR18MB3473.namprd18.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(346002)(396003)(136003)(366004)(39830400003)(6916009)(52536014)(83380400001)(186003)(26005)(19627405001)(66946007)(66476007)(64756008)(66446008)(66556008)(8936002)(6506007)(166002)(71200400001)(2906002)(76116006)(91956017)(8676002)(478600001)(53546011)(66574015)(9686003)(86362001)(33656002)(5660300002)(30864003)(4326008)(45080400002)(316002)(966005)(7696005)(38100700001)(55016002)(71440200001)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?iso-8859-1?Q?KbBU+6zepKCt0F8pJ0i/RxxoPRanDxZRMDtyuUjYSqCYfrshphJbANP/+v?= =?iso-8859-1?Q?gAGdRKmerQCaQ2wNFQCEQFHo/Id+SFu1LEcaMu6JJpWxbmDVx57r5uuiMf?= =?iso-8859-1?Q?3annxEO/fJ3qPsWvzmyQpGztZLcDb/Zer9caagF9m4UoOIavP+BrJ5v5C9?= =?iso-8859-1?Q?S7h6CN+rQLZhpV4dlvvuGYflA6izmvISe4fsL5Z07/J1RgVMh/bp2oaw9X?= =?iso-8859-1?Q?xazR8kaXkErw0vpQDbf3vNu7fDrOLsDKjzFXS++Cc5SExqBx5Z/DYjFEFV?= =?iso-8859-1?Q?RU5F4/ASJHpdSePTOegQ1Ar5POWvviPdF5jxbwX4GX1iUDdE9J5FqqLT1p?= =?iso-8859-1?Q?rfHTLcPmbwpeB+1Su2gI5Z7E0z/a6/C/3bbCWnq03sza1WFi8WuwtylPx5?= =?iso-8859-1?Q?10/Mzncz5/mhwpqFgHY6WLEwoFd2tqKatCQJOd3rLrqveeTQtSPKrLy5g6?= =?iso-8859-1?Q?nR6XwPWOw1Ws+5A4Ay1UE9AIJx/wVDi8FAIsmmL077fhioIc3NwDnoHQSP?= =?iso-8859-1?Q?4Lu8HdaRxND1prm5Bmpzp7mM7h81/tStdNtjCR0IooVR7twT0L8mDpNhBC?= =?iso-8859-1?Q?KOlg3liBlhNzjO2xkk8WafEQNHPNadLkS8RNKL2DQfZxe/7e8ztwTXRsSO?= =?iso-8859-1?Q?MOgpVEFDtU3VnyUlMsLaskUii4VrQMBWHAWGRnjnkClzDnxbAfHF4Zo51X?= =?iso-8859-1?Q?GeqqZ1nHSvWrBbRh0BtmMRwwzMx+kQYHx9Xg9xKov66deZWFRd7aBakkPx?= =?iso-8859-1?Q?zRgieqqfR9rN/rWS5puDv34lDB06H9GTsEtKcOi6awRgyZoeDQyt5p6bb5?= =?iso-8859-1?Q?xoMW91xFiG5q3TDvFkVQ6RLLXyOdIOpTqkBfwo3g/C825+asfGUle4w5BG?= =?iso-8859-1?Q?AqQXs2othbAVQ4F/ohycR4rYYGqDEz8Jeybm45hdOblnp8MY20t9TLU2OT?= =?iso-8859-1?Q?uh2Y/IFAT69DD7L2xRfxqIaKCahh/vvOpprVQtpcnfRHGEk7yHT6KF7Ztl?= =?iso-8859-1?Q?utvxuCur3VRfG2QU4Ky2HLLrYraV8IKaq9eV4iIjkk1N9DJ4PJbAhiWxiC?= =?iso-8859-1?Q?NKSLWjdW7chZmy0QEhTH9G4O2Wx6oVmCpd9O4BV/q+RJAxI97wptqUhxfP?= =?iso-8859-1?Q?hW/IlgaGHpWD20Cy/Q6KVaKyxt+fwzExSN0Cvnqj0EoMAP3ciCpMY8ctIb?= =?iso-8859-1?Q?Q9sAGinOho/CFupd4HZduK/kiH1xf+eF/OR9kATbpeekbcNssUjgARgS0K?= =?iso-8859-1?Q?cSxjOgnC67xo3h3uEfuR5xyjVhIiAsI49ijult7X0LtGaDCMkzJAFpScF8?= =?iso-8859-1?Q?ySAhWLdnAsxN1tfgObbUVHOB7QELDUMxLUYyBVplVTXWoiw=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR18MB34736B478E69F697DA448EBCB47D9DM6PR18MB3473namp_"
MIME-Version: 1.0
X-OriginatorOrg: aerobatt.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR18MB3473.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: be361dce-b25f-4a65-0eda-08d8f3708e50
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Mar 2021 11:40:02.0760 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e0c10a5c-cb0d-4dbf-8351-c088c95ec14d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OFbzKQpS5ck55Lez4zoW3DzWRtgLvP0ZB42srfiLE0NPbHg2NDOSxF+PNY+uvcG+xtXt/uZAk4mV7eclUlAOYg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1801MB2058
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/L2nXy0jeAm1fSFntXW-ltE-C5zk>
Subject: Re: [urn] Informal NID registration interest
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2021 11:40:11 -0000

Responses also below.

________________________________
From: Ted Hardie <ted.ietf@gmail.com>
Sent: Tuesday, March 30, 2021 6:46 AM
To: Kate Gray <kate@aerobatt.com>
Cc: urn@ietf.org <urn@ietf.org>
Subject: Re: [urn] Informal NID registration interest

Thanks for the reply.  Some additional comments below.

On Tue, Mar 30, 2021 at 8:42 AM Kate Gray <kate@aerobatt.com<mailto:kate@aerobatt.com>> wrote:
From: Kate Gray <kate@aerobatt.com<mailto:kate@aerobatt.com>>
Sent: Monday, March 29, 2021 1:40 PM
To: Ted Hardie <ted.ietf@gmail.com<mailto:ted.ietf@gmail.com>>
Subject: Re: [urn] Informal NID registration interest

Answers inline.

________________________________
From: Ted Hardie <ted.ietf@gmail.com<mailto:ted.ietf@gmail.com>>
Sent: Monday, March 29, 2021 10:50 AM
To: Kate Gray <kate@aerobatt.com<mailto:kate@aerobatt.com>>
Cc: urn@ietf.org<mailto:urn@ietf.org> <urn@ietf.org<mailto:urn@ietf.org>>
Subject: Re: [urn] Informal NID registration interest

Howdy,

Thanks for submitting the registration.  I have a couple of questions, inline below.

On Sun, Mar 28, 2021 at 3:05 PM Kate Gray <kate@aerobatt.com<mailto:kate@aerobatt.com>> wrote:
Hello,

I am interested in registering an informal NID for URNs.

I have attempted to fill out the template as requested.  I apologize if I screwed up somewhere; this is my first time doing this.

Namespace Identifier: Assigned by IANA (informal)

Version: 1

Date: 2021-03-28

Registrant:
    Kate Gray <kate&codebykate.com<http://codebykate.com/>>
    340 S Lemon Ave #5926
    Walnut, CA 91789 USA

Purpose:
    The purpose of this NID is to provide a Uniform Resource Name representing
    derived keys within a card issuance scheme.  Specifically, they provide a
    path within a hierarchal tree representing implementers (referred to as
    tenants within the system), card issuers (e.g. Universities), optional sub-
    issuers (e.g. Departments), and individual keys within a card (used for
    different purposes).

    These URNs will be used by card manufacturers (to preload data for issuers),
    as well as issuers and users to refer to the cards and keys throughout the
    card lifecycle.  Good security practices require the use of diversified
    (per-card) keys, so that an attacker who defeats the security on a card will
    not have the keys required to attack other cards within the system.

    A cryptographic module (generally a smart card) can be pre-provisioned with
    the issuer keys, and the URN for a given key provided to it.  With this
    information and cryptographic keying material, the appropriate keys can be
    derived, without the host needing to know the issuer keys.

    While this URN will be implemented into software (including open source
    software), and published to permit others within the industry to
    interoperate, it is not expected to become a formal standard, or to be
    publicly resolvable.  The general use will be between actors in a card
    issuance scheme, for purposes like enabling a vending machine to derive a
    balance update key for a stored balance wallet on a card, or for a help
    desk agent to determine the Personal Unblocking Key (PUK) for a user that
    has lost their PIN.

Syntax:

  All URNs defined under the namespace have the following structure,
  specified in RFC 7405 ABNF notation[1]:

    NSS                = %s"urn:" NID ":" TenantId "@" TenantVersion ":"
                         IssuerId "@" IssuerVersion ":" Purpose "@"
                         PurposeVersion "/" ResourceId "@" ResourceKeyVersion
    NID                = "urn" - DIGIT
    TenantId           = 3*(label)
    TenantVersion      = version
    IssuerId           = 3*(label) / 3*(label) ":" 3*(label) / 3*(label) ":" 3*(label) ":" 3*(label)
    IssuerVersion      = version

To confirm my understanding here:  the TenantId is associated with the software writer who went to the website and requested a new ID.  That implementer then manages the uniqueness of the TenantVersion, the IssuerId, and IssuerVersion of the NSS.  The latter two are managed by ensuring that each IssuerID minted goes only to a single organization? Is that correct?

The tenantID is associated with the implementer of the card issuance scheme.  It's functionally similar to a persistent domain name, issued without charge and in perpetuity.

The implementer may be a commercial entity, a standards body, or a parent organization of some sort.  For example, an organization like the UC system might wish to run their own tenant, with issuer keys given to each particular university within the system.

The term tenant is used within the scheme because it's intended to allow key management software to create separate trees in much the way that Gmail and Office 365 have separate tenants within their hosted email solutions.  Allowing a single piece of software to have multiple tenants allows for organizational flexibility in terms of division of responsibility.



    Purpose            = 3*(alphanum / other)
    PurposeVersion     = version
    ResourceId         = 1*(alphanum / other)
    ResourceKeyVersion = version
    label              = loalpha / loalpha *(alphanum / "-") alphanum

I am not sure that I understand the ABNF of "label".  According to section 3.6 of RFC 5234, * without a minimum or maximum bound can include zero of the following element.  That appears to mean that loalpha alphanum would be a legal result.  Is that intended, or is the "-" always present?

The intent is that the first character in the label must be lowercase alpha.  After that, alpha numeric may be used.  Dashes may be present, but if present, must be followed by at least one alpha numeric character.


I suspect we need to get a full ABNF review here, because I don't think this ABNF matches your intent (if there must be a loalpha to start, I believe you need "1*loalpha" followed by the alternatives, for example).  I'm also a little confused by the TenantId and IssuerId construct, because "3*label" means that there is a minimum of 3 labels.  Because there is no delimiter between the labels in that construct, it would be hard to identify where the label boundaries are. That is, I think if someone presented a TenantId like this:

aXaaa-YbbbGGa

"aX" could be a label but "aXa" could as well, so it is not clear where the label boundary is.  On the other hand, if your intent is to say that these labels must be a minimum of 3 characters long,  it is probably easier to define that within  the "label" rule.

That is a mistake, and I will correct it before the next version of the application.  The intent is that a label needs to be 3 or more characters, can't start or end with a hypen, and the rest is alphanumeric.  Tenant IDs should always be present between colons.

The issuer ID can be a single label, or a subtree which consists of label:label, or label:label:label.  Tenants can not be compound like that.

If you use the verification tools here: https://tools.ietf.org/inventory/verif-tools (e.g. Eustathius or abnfgen), do the productions match what you expect?

I didn't see anything amiss with abnfgen, but I can see I have more work to do on this one.  Thank you for catching that.


    version            = 2*2(HEXDIG)
    alphanum           = loalpha / DIGIT
    loalpha            = %x61-7A
    other              = "-" / "_"
    As the full string of the URN is used as an input to the Key Derivation
    Function, equivalent URNs are impossible.  As such, the equivalency rules
    consist of bit-by-bit comparisons (Simple String Comparison).

Assignment:

    Registration within this NID is private.

    Implementers will register a Tenant ID, and be responsibile for issuers and
    sub-issuers within their card issuance tenancy.  The web site will be
    responsible for ensuring that Tenant IDs are unique.


Can you specify the website which will issue them?  As written, it might be misread to imply that someone else could set up a website to issue these, which could result in collisions.

Tenant IDs will be registered, free of charge, through the website "credentsys.cloud".

Thank you; I suggest that the template include this information.

I will add this.

    Uniqueness will be guaranteed through a combination of statistical and
    database-based methods.  For example, when issuing management for PIV cards,
    the keying material used incudes a UUID that is guaranteed mathematically to
    be unique.  In contrast, when deriving GlobalPlatform keys (which use a 10
    byte unique ID for the card), issuers will be responsible for keeping a
    record of all such cards issued and ensuring there are no duplicate IDs.

GlobalPlatform keys do not appear to be referenced in the ABNF above.  Are these a sub type of the ResourceID?  If so, given these examples, is 1 really the minimum number of characters for a ResourceID?

That was intended as an example.  Different applets and card types provide different identifiers.  GlobalPlatform (the most common type of key) only allows 10 characters for derivation.  The goal is to ultimately be platform agnostic.

It might be useful to note that this is an example in the template.  I would also be surprised if a single character could be useful ID, but if this is your preferred minimum, it is up to you.

It's surprisingly a useful ID, and that particular design choice was not an accident (unlike the mistakes with the ABNF earlier).  There are situations in which keys are numbered sequentially for purposes of issuance.  Semantically, this is not a new version of a key (which could be accommodated with the version flag), but a new key.  Unlike a version change, the possibility exists that multiple keys will be used simultaneously.  Generally, with key versioning, a new version invalidates all previous keys for new operations moving forward.

With HSMs, the certificates are generally separate from the keys, and so it can make sense to represent a key in isolation from a certificate.  The same can be true on cards, where the secrets may be generated prior to issuance.  In other words, a URN need to represent something that's simply the Nth key in a sequence.

Here's a sample of what that might look like in practice:


urn:urn-8:kategray@01:hsmpool-04:hsm-02@01:puk@01/1@01?+len=08:truncate=oath

The intended parsing on this would be that the version numbers are all 1.  The tenant in this case would
be "kategray", and the resolver would know to act accordingly.  The issuer would be "hsmpool-04:hsm-02", which is a second level issuer.

Derivation could start at the "kategray" secret, deriving the secret for "hsmpool-04", and using that to derive the secret for "hsm-02", and using that to derive the puk key, which is then used to derive key #1 (representing the first card issued by hsm-02, for example).  If the key needed to be replaced on the card, its version number would be incremented to 2, with 1@2 representing a very different key from 2@1.

Alternatively, the resolver could store the hsmpool-04 secret, and derive the rest of the chain starting there.  Or, the resolver might only have the hsm-02 key, or even just the puk key.  Any of those would work, as the chain works its way down from the root.  In fact, if the resolver cached or stored it, it could even have /just/ that key #1.

Finally, the r component (which is not part of the standard at this point in time) provides hints to the resolver to how to use the SHA256 key.  In this case, it would be to take the SHA256 derived key, use the OATH truncation algorithm, and truncate it down to 8 digits.

In short, that URN would represent the way to get the Personal Unlock Key (PUK) for card #1, both how to derive the secret and how to format it for a particular use.  The same key may be formatted in different ways (for example, binary coded decimal, padded to different lengths, hex, etc.), so allowing resolver specific parameters provides a degree of flexibility in different systems while still semantically representing the same underlying key.



    Because each issuer is at a unique path within the hierarchal tree,
    uniqueness is guaranteed as long as they take care not to issue duplicate
    cards within their own subtree.

Security and Privacy:

    As these identifiers will be used in the generation of cryptographic keys,
    their opacity does serve to provide a degree of "security through obscurity"
    for attackers looking to compromise the cards.  The loss of that obscurity
    (for example, if an attacker is able to find a users card ID in the browser
    history) in theory represents a slight loss of security for the user.

    Keys for this system will be stored in Hardware Security Modules (HSMs), and
    configured such that the actual keying material for that level never leaves
    the cryptographic envelope.  Through the use of hash functions that provide
    strong cryptographic guarantees, and hardware security on the keys
    themselves, there is no need for the identifiers to be private, and no risk
    to the user should an attacker somehow gain access to his identifier without
    having additionally compromised the HSM or a machine connected to the HSM.

    In a broader sense, the point of this card issuance scheme is to facilitate
    the issuance of privacy-protecting and security-enhancing credentials to
    individuals within organizations.  Such cards permit strong authentication,
    as well as multi-factor logins that are resistant to phishing and which
    enable mutual authentication from the server level.  As such, the net effect
    on Privacy and Security will be positive.

Evaluating the system described is beyond the scope of the URN review process, but I will say that the description above seems to place a great deal of stress on the HSM and not much on what other inputs the hash function has and what properties are available to update the hash function used.  If you desire such a review, I believe the IETF security area advisory group (saag@ietf.org<mailto:saag@ietf.org>) could provide that.

Thank you for the recommendation.


Thanks again for your reply and registration.

best regards,

Ted Hardie


Interoperability:

    The author is not aware of any potential conflicts with this namespace, and
    given the rather tightly coupled nature of the identifier with the
    implementation, any overlapping areas of concern for other systems should
    not present interoperability issues, as there will be no operability.

Resolution:

    Resolution mechanisms are not intended or anticipated for this namespace.

Thanks again for submitting the registration.

regards,

Ted Hardie

_______________________________________________
urn mailing list
urn@ietf.org<mailto:urn@ietf.org>
https://www.ietf.org/mailman/listinfo/urn

________________________________
From: Ted Hardie <ted.ietf@gmail.com<mailto:ted.ietf@gmail.com>>
Sent: Monday, March 29, 2021 10:50 AM
To: Kate Gray <kate@aerobatt.com<mailto:kate@aerobatt.com>>
Cc: urn@ietf.org<mailto:urn@ietf.org> <urn@ietf.org<mailto:urn@ietf.org>>
Subject: Re: [urn] Informal NID registration interest

Howdy,

Thanks for submitting the registration.  I have a couple of questions, inline below.

On Sun, Mar 28, 2021 at 3:05 PM Kate Gray <kate@aerobatt.com<mailto:kate@aerobatt.com>> wrote:
Hello,

I am interested in registering an informal NID for URNs.

I have attempted to fill out the template as requested.  I apologize if I screwed up somewhere; this is my first time doing this.

Namespace Identifier: Assigned by IANA (informal)

Version: 1

Date: 2021-03-28

Registrant:
    Kate Gray <kate&codebykate.com<http://codebykate.com>>
    340 S Lemon Ave #5926
    Walnut, CA 91789 USA

Purpose:
    The purpose of this NID is to provide a Uniform Resource Name representing
    derived keys within a card issuance scheme.  Specifically, they provide a
    path within a hierarchal tree representing implementers (referred to as
    tenants within the system), card issuers (e.g. Universities), optional sub-
    issuers (e.g. Departments), and individual keys within a card (used for
    different purposes).

    These URNs will be used by card manufacturers (to preload data for issuers),
    as well as issuers and users to refer to the cards and keys throughout the
    card lifecycle.  Good security practices require the use of diversified
    (per-card) keys, so that an attacker who defeats the security on a card will
    not have the keys required to attack other cards within the system.

    A cryptographic module (generally a smart card) can be pre-provisioned with
    the issuer keys, and the URN for a given key provided to it.  With this
    information and cryptographic keying material, the appropriate keys can be
    derived, without the host needing to know the issuer keys.

    While this URN will be implemented into software (including open source
    software), and published to permit others within the industry to
    interoperate, it is not expected to become a formal standard, or to be
    publicly resolvable.  The general use will be between actors in a card
    issuance scheme, for purposes like enabling a vending machine to derive a
    balance update key for a stored balance wallet on a card, or for a help
    desk agent to determine the Personal Unblocking Key (PUK) for a user that
    has lost their PIN.

Syntax:

  All URNs defined under the namespace have the following structure,
  specified in RFC 7405 ABNF notation[1]:

    NSS                = %s"urn:" NID ":" TenantId "@" TenantVersion ":"
                         IssuerId "@" IssuerVersion ":" Purpose "@"
                         PurposeVersion "/" ResourceId "@" ResourceKeyVersion
    NID                = "urn" - DIGIT
    TenantId           = 3*(label)
    TenantVersion      = version
    IssuerId           = 3*(label) / 3*(label) ":" 3*(label) / 3*(label) ":" 3*(label) ":" 3*(label)
    IssuerVersion      = version

To confirm my understanding here:  the TenantId is associated with the software writer who went to the website and requested a new ID.  That implementer then manages the uniqueness of the TenantVersion, the IssuerId, and IssuerVersion of the NSS.  The latter two are managed by ensuring that each IssuerID minted goes only to a single organization? Is that correct?


    Purpose            = 3*(alphanum / other)
    PurposeVersion     = version
    ResourceId         = 1*(alphanum / other)
    ResourceKeyVersion = version
    label              = loalpha / loalpha *(alphanum / "-") alphanum

I am not sure that I understand the ABNF of "label".  According to section 3.6 of RFC 5234, * without a minimum or maximum bound can include zero of the following element.  That appears to mean that loalpha alphanum would be a legal result.  Is that intended, or is the "-" always present?


    version            = 2*2(HEXDIG)
    alphanum           = loalpha / DIGIT
    loalpha            = %x61-7A
    other              = "-" / "_"
    As the full string of the URN is used as an input to the Key Derivation
    Function, equivalent URNs are impossible.  As such, the equivalency rules
    consist of bit-by-bit comparisons (Simple String Comparison).

Assignment:

    Registration within this NID is private.

    Implementers will register a Tenant ID, and be responsibile for issuers and
    sub-issuers within their card issuance tenancy.  The web site will be
    responsible for ensuring that Tenant IDs are unique.


Can you specify the website which will issue them?  As written, it might be misread to imply that someone else could set up a website to issue these, which could result in collisions.

    Uniqueness will be guaranteed through a combination of statistical and
    database-based methods.  For example, when issuing management for PIV cards,
    the keying material used incudes a UUID that is guaranteed mathematically to
    be unique.  In contrast, when deriving GlobalPlatform keys (which use a 10
    byte unique ID for the card), issuers will be responsible for keeping a
    record of all such cards issued and ensuring there are no duplicate IDs.

GlobalPlatform keys do not appear to be referenced in the ABNF above.  Are these a sub type of the ResourceID?  If so, given these examples, is 1 really the minimum number of characters for a ResourceID?


    Because each issuer is at a unique path within the hierarchal tree,
    uniqueness is guaranteed as long as they take care not to issue duplicate
    cards within their own subtree.

Security and Privacy:

    As these identifiers will be used in the generation of cryptographic keys,
    their opacity does serve to provide a degree of "security through obscurity"
    for attackers looking to compromise the cards.  The loss of that obscurity
    (for example, if an attacker is able to find a users card ID in the browser
    history) in theory represents a slight loss of security for the user.

    Keys for this system will be stored in Hardware Security Modules (HSMs), and
    configured such that the actual keying material for that level never leaves
    the cryptographic envelope.  Through the use of hash functions that provide
    strong cryptographic guarantees, and hardware security on the keys
    themselves, there is no need for the identifiers to be private, and no risk
    to the user should an attacker somehow gain access to his identifier without
    having additionally compromised the HSM or a machine connected to the HSM.

    In a broader sense, the point of this card issuance scheme is to facilitate
    the issuance of privacy-protecting and security-enhancing credentials to
    individuals within organizations.  Such cards permit strong authentication,
    as well as multi-factor logins that are resistant to phishing and which
    enable mutual authentication from the server level.  As such, the net effect
    on Privacy and Security will be positive.

Evaluating the system described is beyond the scope of the URN review process, but I will say that the description above seems to place a great deal of stress on the HSM and not much on what other inputs the hash function has and what properties are available to update the hash function used.  If you desire such a review, I believe the IETF security area advisory group (saag@ietf.org<mailto:saag@ietf.org>) could provide that.


Interoperability:

    The author is not aware of any potential conflicts with this namespace, and
    given the rather tightly coupled nature of the identifier with the
    implementation, any overlapping areas of concern for other systems should
    not present interoperability issues, as there will be no operability.

Resolution:

    Resolution mechanisms are not intended or anticipated for this namespace.

Thanks again for submitting the registration.

regards,

Ted Hardie

_______________________________________________
urn mailing list
urn@ietf.org<mailto:urn@ietf.org>
https://www.ietf.org/mailman/listinfo/urn
_______________________________________________
urn mailing list
urn@ietf.org<mailto:urn@ietf.org>
https://www.ietf.org/mailman/listinfo/urn