Re: [woes] Naked Public Key, was: RE: Proposed charter, post-Quebec edition

Hal Lockhart <hal.lockhart@oracle.com> Mon, 08 August 2011 15:35 UTC

Return-Path: <hal.lockhart@oracle.com>
X-Original-To: woes@ietfa.amsl.com
Delivered-To: woes@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A68FA21F85C0 for <woes@ietfa.amsl.com>; Mon, 8 Aug 2011 08:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlKbuiZe6VRR for <woes@ietfa.amsl.com>; Mon, 8 Aug 2011 08:35:46 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 0260521F85B8 for <woes@ietf.org>; Mon, 8 Aug 2011 08:35:45 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p78FaAp8003961 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 8 Aug 2011 15:36:11 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p78Fa9A9004567 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 8 Aug 2011 15:36:09 GMT
Received: from abhmt112.oracle.com (abhmt112.oracle.com [141.146.116.64]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p78Fa3ir019107; Mon, 8 Aug 2011 10:36:04 -0500
MIME-Version: 1.0
Message-ID: <0c100e09-dad3-4cc5-87a2-b42f1f6c834b@default>
Date: Mon, 8 Aug 2011 08:36:02 -0700 (PDT)
From: Hal Lockhart <hal.lockhart@oracle.com>
To: Eric Rescorla <ekr@rtfm.com>, Joe Hildebrand <joe.hildebrand@webex.com>
In-Reply-To: <CABcZeBPWj8GC4nK7qZ_uypk+4uAPtGYhQu3rAdz+xr9AuP13rg@mail.gmail.com>
X-Priority: 3
X-Mailer: Oracle Beehive Extensions for Outlook 2.0.1.4.1.0 (410211) [OL 9.0.0.6627]
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: quoted-printable
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A020207.4E40026C.002E:SCFMA922111,ss=1,re=-4.000,fgs=0
Cc: woes@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [woes] Naked Public Key, was: RE: Proposed charter, post-Quebec edition
X-BeenThere: woes@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Web Object Encryption and Signing \(woes\) BOF discussion list" <woes.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/woes>, <mailto:woes-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/woes>
List-Post: <mailto:woes@ietf.org>
List-Help: <mailto:woes-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/woes>, <mailto:woes-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2011 15:35:46 -0000

Hal:
> >> I would like to push back on the idea of only supporting 
> naked public keys. It
> >> is my understanding that common cryto libraries, e.g. 
> OpenSSL, expect public
> >> keys to be in certificates and the coding to get them to 
> accept a naked key as
> >> input is ugly. I don't think they care if the cert is self 
> signed or even
> >> signed at all, its just a format issue.

Joe:
> > Just doing the math yourself, from scratch, is pretty easy 
> if you have the
> > bare key.  It's nigh-on trivial if you have a bigint 
> library.  Solution:
> > don't use OpenSSL.  I propose we don't get bogged down in 
> the certificate
> > problem for the moment.

Eric:
> Cryptographer's warning: do not do this. Hard hat area ahead.


I am with Eric here. I would like to explicitly state that I think it is NOT desirable to do anything which encourages people to do new implementations of crypto operations. The corollary is that the spec should specify objects in formats which make them easy to be passed as arguments to existing libraries, especially libraries which are likely to be present in the target environment.

Hal