Diffie-Hellman Proof-of-Possession Algorithms
draft-schaad-pkix-rfc2875-bis-08

Document history

Date Rev. By Action
2013-05-29
08 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2013-05-10
08 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2013-04-15
08 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2013-04-05
08 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent
2013-04-05
08 (System) RFC Editor state changed to EDIT
2013-04-05
08 (System) Announcement was received by RFC Editor
2013-04-04
08 (System) IANA Action state changed to No IC
2013-04-04
08 Amy Vezza State changed to Approved-announcement sent from Approved-announcement to be sent
2013-04-04
08 Amy Vezza IESG has approved the document
2013-04-04
08 Amy Vezza Closed "Approve" ballot
2013-04-04
08 Sean Turner Ballot writeup was changed
2013-03-27
08 Amy Vezza Ballot approval text was generated
2013-03-27
08 Amy Vezza State changed to Approved-announcement to be sent from Waiting for AD Go-Ahead
2013-03-27
08 Amy Vezza Ballot writeup was changed
2013-03-27
08 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-08.txt
2013-03-19
07 (System) State changed to Waiting for AD Go-Ahead from In Last Call
2013-03-16
07 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2013-02-25
07 Amanda Baber
IESG/Authors/WG Chairs:

IANA has reviewed draft-schaad-pkix-rfc2875-bis-07.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

If this assessment is not accurate, please respond as soon as possible.
2013-02-21
07 Martin Thomson Assignment of request for Last Call review by GENART to Martin Thomson was rejected
2013-02-21
07 Jean Mahoney Request for Last Call review by GENART is assigned to Martin Thomson
2013-02-21
07 Jean Mahoney Request for Last Call review by GENART is assigned to Martin Thomson
2013-02-20
07 Sean Turner Pete was able to verify the examples.
2013-02-19
07 Cindy Morgan IANA Review state changed to IANA Review Needed
2013-02-19
07 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Subject: Last Call:  (Diffie-Hellman Proof-of-Possession Algorithms) to Proposed Standard


The IESG has received a request from an individual submitter to consider
the following document:
- 'Diffie-Hellman Proof-of-Possession Algorithms'
  as Proposed Standard

This Last Call is the second IETF Last Call for this document.
No technical issues were raised during the first Last Call.  However, the
Last Call failed to highlight three normative references to informational
RFCs:  RFCs 2104, 2986, and 6234.  RFCs 2104 and 2986
already appear in the downref registry located at:
http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry
but RFC 6234 does not.  This abbreviated Last Call is focused solely on
whether the downref to RFC 6234 is appropriate in the context of
draft-schaad-pkix-rfc2875.  Note that RFC 6234 is also called out in
a downref in another IETF Last Call ending on the same date.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-03-19. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes two methods for producing an integrity check
  value from a Diffie-Hellman key pair and one method for producing an
  integrity check value from an Elliptic Curve key pair.  This behavior
  is needed for such operations as creating the signature of a PKCS #10
  certification request.  These algorithms are designed to provide a
  proof-of-possession of the private key and not to be a general
  purpose signing algorithm.

  This document obsoletes RFC 2875.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/ballot/


No IPR declarations have been submitted directly on this I-D.


2013-02-19
07 Cindy Morgan State changed to In Last Call from Last Call Requested
2013-02-19
07 Cindy Morgan Last call announcement was changed
2013-02-19
07 Cindy Morgan Last call announcement was changed
2013-02-19
07 Cindy Morgan Last call announcement was generated
2013-02-19
07 Sean Turner Last call was requested
2013-02-19
07 Sean Turner State changed to Last Call Requested from IESG Evaluation::AD Followup
2013-02-19
07 Sean Turner Last call announcement was changed
2013-02-15
07 Martin Thomson Assignment of request for Telechat review by GENART to Martin Thomson was rejected
2013-02-04
07 (System) Sub state has been changed to AD Followup from Revised ID Needed
2013-02-04
07 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-07.txt
2013-02-04
06 Russ Housley
[Ballot comment]
  I think that the Introduction needs to be expanded.  First, the phrase
  "producing a POP" does not make it clear that the proof is that the
  party has possession of the private key that corresponds to the public
  key in the certificate request.  Second, in some cases, a DH key can
  be used to make a DSA signature, and an ECDH key can be used to make
  an ECDSA signature.  Such an operation would provide the POP.  Such
  an operation may not be possible if the key is stored in a hardware
  device that ensures a typed key is used only with one algorithm.

  The Introduction states:
  >
  > Given the current PKIX definitions for the public key parameters of
  > elliptic curve, the number of groups is both limited and predefined.
  > This means that the probability that the same set of parameters are
  > going to be used by the key requester and the key validator are
  > significantly higher than they are in the Diffie-Hellman case.
  >
  In Static-Static Diffie-Hellman, both parties must employ the exact
  same parameters.  In Ephemeral-Static Diffie-Hellman, the sender must
  employ the parameters from the certificate of the receiver.  Thus, it
  seems to me that DH is also reduced to a well-known set of parameters.
2013-02-04
06 Russ Housley [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss
2013-01-25
06 Tero Kivinen Closed request for Last Call review by SECDIR with state 'No Response'
2013-01-24
06 Cindy Morgan State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation
2013-01-24
06 Cindy Morgan [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica by Cindy Morgan
2013-01-24
06 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2013-01-24
06 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2013-01-24
06 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant
2013-01-23
06 Wesley Eddy [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy
2013-01-23
06 Russ Housley
[Ballot discuss]

  I understand these two purposes for this document:

  o  New instances of the static DH POP algorithm have been created
      using HMAC paired with the SHA-224, SHA-256, SHA-384 and SHA-512
      hash algorithms.

  o  A new Static ECDH Proof-of-Possession algorithm has been added.

  However, a great number of changes to the algorithms come from the
  other objectives of the author.  Given the relatively small use of
  Diffie-Hellman in the marketplace, I expected a fairly minor change
  to avoid changes in products that have embraced the Diffie-Hellman
  key agreement algorithm.
2013-01-23
06 Russ Housley
[Ballot comment]

  I think that the Introduction needs to be expanded.  First, the phrase
  "producing a POP" does not make it clear that the proof is that the
  party has possession of the private key that corresponds to the public
  key in the certificate request.  Second, in some cases, a DH key can
  be used to make a DSA signature, and an ECDH key can be used to make
  an ECDSA signature.  Such an operation would provide the POP.  Such
  an operation may not be possible if the key is stored in a hardware
  device that ensures a typed key is used only with one algorithm.

  The Introduction states:
  >
  > Given the current PKIX definitions for the public key parameters of
  > elliptic curve, the number of groups is both limited and predefined.
  > This means that the probability that the same set of parameters are
  > going to be used by the key requester and the key validator are
  > significantly higher than they are in the Diffie-Hellman case.
  >
  In Static-Static Diffie-Hellman, both parties must employ the exact
  same parameters.  In Ephemeral-Static Diffie-Hellman, the sender must
  employ the parameters from the certificate of the receiver.  Thus, it
  seems to me that DH is also reduced to a well-known set of parameters.
2013-01-23
06 Russ Housley [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley
2013-01-23
06 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2013-01-22
06 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2013-01-22
06 Pete Resnick [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick
2013-01-22
06 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks
2013-01-22
06 Sean Turner I was able to compile the ASN.1.
2013-01-22
06 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2013-01-22
06 Stephen Farrell
[Ballot comment]

- Is floor(a,b) not an odd notation? Normally floor has only
one input. Is this used elsewhere? Why not just define
floor(x) and then use floor(a/b) as usual?

- It appears as if you have gotten OIDs from the PKIX arc
already, so the tense in the IANA section is wrong.

- I didn't check the ASN.1 modules, nor the examples.  Has
anyone?
2013-01-22
06 Stephen Farrell [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell
2013-01-22
06 Sean Turner Ballot has been issued
2013-01-22
06 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2013-01-22
06 Sean Turner Created "Approve" ballot
2013-01-22
06 Sean Turner Ballot writeup was changed
2013-01-22
06 Sean Turner State changed to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup
2013-01-17
06 Jean Mahoney Request for Telechat review by GENART is assigned to Martin Thomson
2013-01-17
06 Jean Mahoney Request for Telechat review by GENART is assigned to Martin Thomson
2013-01-08
06 Amy Vezza
(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the title
page header?

Intended Status: Proposed Standard.  This follows from the original RFC
and the status is indicated in the title page header.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

This document is an update to RFC 2875 ("Diffie-Hellman
Proof-of-Possession Algorithms").  It extends 2875 to include support
for the Elliptic Curve Diffie-Hellman algorithm along with the SHA-2
family of hash functions.  The proof-of-possession methods described in
this document are used in a Certificate Service Request to demonstrate
possession of a private key that is not capable of producing a digital
signature.  Certificate Signing Requests are normally signed by the
private key matching the public key conveyed in the request.  Certain
algorithms such as the Diffie-Hellman family are incapable of creating
digital signatures.  By leveraging their key exchange properties, the
Diffie-Hellman algorithms can be used to provide a proof-of-possession
analogous to a digital signature and sufficient to allow validation of a
Certificate Signing Request.

Working Group Summary

This draft is not the product of a WG.  RFC 2875 was a product of the
PKIX WG, but when the author asked for WG adoption there was only
lukewarm response.  This is pretty normal for algorithm-type drafts
because the updates basically do the same thing as the RFC they're
updating but use longer outputs and new OIDs (i.e., they're not very
interesting from a technical point of view). The draft was presented to
the PKIX WG in Paris, where the author received some comments that were
incorporated.

Document Quality

Although dense with ASN.1 and cryptographic equations, the 2875bis
document is quite attainable.  The author has implemented the methods
described in the document and provided sample ASN.1 encodings to
demonstrate the expected output of several combinations of the
Diffie-Hellman and hash algorithms.

Personnel

Peter Yee (peter at akayla.com) is the document shepherd.
Sean Turner (turners at ieca.com) is the responsible Area Director.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG.

I have reviewed this document at the -02 and -03 draft versions. Draft
-03 represented a substantial improvement over draft -02 and was itself
essentially ready for publication modulo a few small nits.  Draft -04
cleans up the last remaining nits.  Then -05 and -06 addressed last
call comments.  I've reviewed the math used in the document for
correctness and it appears fine.  The only area I have not verified is
the ASN.1 encoding examples as that would require that I implement the
specification myself in order to validate the example output.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

I do not have any concerns regarding the depth or breadth of the reviews
performed.  As this document extends an existing standard, it leverages
the original reviews of that document while adding new mechanisms that
are in line with those originally approved by the PKIX WG.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that took
place.

Review from other WGs is probably not merited as this document's scope
is within the purview of the PKIX WG and only affects existing PKIX
protocols.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

I have no specific concerns or issues with the document that I'm raising
to the responsible AD or the IESG.  The document represents a
straightforward extension to RFC 2875.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

There are no known IPR issues requiring filing disclosures as given in
BCP 78 and BCP 79.

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

I am not aware of any IPR disclosures filed that reference this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others being
silent, or does the WG as a whole understand and agree with it?

As noted in the Working Group Summary above, the WG is ambivalent about
the document as it doesn't represent interesting new work in the field.
There were no technical objections to the content.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No one has threatened an appeal or otherwise indicated extreme
discontent with the document.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The document currently makes normative references to 3 Informational
RFCs.  I'm of the opinion that these are valid downward references and
the author concurs.  The references are to RFCs 2104, 2986, and 6234.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No relevant formal criteria of which I am aware.

(13) Have all references within this document been identified as either
normative or informative?

All references have been identified as normative or informative.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

There are no references to documents that would impede this document's
progress.

(15) Are there downward normative references (see RFC 3967)? If so, list
these downward references to support the Area Director in the Last Call
procedure.

The document currently makes normative references to 3 Informational
RFCs.  I'm of the opinion that these are valid downward references and
the author concurs. The references are to RFCs 2104, 2986, and 6234.

(16) Will publication of this document change the status of any existing
RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs
is discussed. If this information is not in the document, explain why
the WG considers it unnecessary.

Publication of this document will replace RFC 2875.  2875 is listed
on the title page and in the abstract.  It is discussed in a subsection
to the introduction.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

I concur with the IANA considerations section of the document (which
merely says that there are none as this document uses numbers that come
from the PKIX WG arc).

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

No new IANA registries are required.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

I have not performed any automated checks on the ASN.1 sections of this
document.
2013-01-07
06 (System) Sub state has been changed to AD Followup from Revised ID Needed
2013-01-07
06 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-06.txt
2013-01-02
05 Sean Turner State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead
2013-01-02
05 Sean Turner Removed telechat returning item indication
2013-01-02
05 Sean Turner Telechat date has been changed to 2013-01-24 from 2013-01-10
2013-01-02
05 (System) State changed to Waiting for AD Go-Ahead from In Last Call
2012-12-28
05 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-05.txt
2012-12-28
04 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-04.txt
2012-12-20
03 Pearl Liang
IANA has reviewed draft-schaad-pkix-rfc2875-bis-03, which is currently
in Last Call, and has the following comments:

IANA understands that, upon approval of this document, there are no
IANA Actions that need completion.
2012-12-07
03 Martin Thomson Request for Last Call review by GENART Completed: Ready. Reviewer: Martin Thomson.
2012-12-07
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Dave Cridland
2012-12-07
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Dave Cridland
2012-12-06
03 Jean Mahoney Request for Last Call review by GENART is assigned to Martin Thomson
2012-12-06
03 Jean Mahoney Request for Last Call review by GENART is assigned to Martin Thomson
2012-12-05
03 Sean Turner Placed on agenda for telechat - 2013-01-10
2012-12-05
03 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Subject: Last Call:  (Diffie-Hellman Proof-of-Possession Algorithms) to Proposed Standard


The IESG has received a request from an individual submitter to consider
the following document:
- 'Diffie-Hellman Proof-of-Possession Algorithms'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-01-02. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes two methods for producing an integrity check
  value from a Diffie-Hellman key pair and one method for producing an
  integrity check value from an Elliptic Curve key pair.  This behavior
  is needed for such operations as creating the signature of a PKCS #10
  certification request.  These algorithms are designed to provide a
  proof-of-possession rather than general purpose signing.

  This document obsoletes RFC 2875.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/ballot/


No IPR declarations have been submitted directly on this I-D.


2012-12-05
03 Amy Vezza State changed to In Last Call from Last Call Requested
2012-12-05
03 Sean Turner Last call was requested
2012-12-05
03 Sean Turner Ballot approval text was generated
2012-12-05
03 Sean Turner Ballot writeup was generated
2012-12-05
03 Sean Turner State changed to Last Call Requested from Publication Requested
2012-12-05
03 Sean Turner Last call announcement was generated
2012-12-05
03 Sean Turner State changed to Publication Requested from AD is watching
2012-12-01
03 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-03.txt
2012-08-01
02 Sean Turner Assigned to Security Area
2012-08-01
02 Sean Turner Note added 'Peter Yee (peter@akayla.com) is the Document Shepherd.'
2012-08-01
02 Sean Turner State Change Notice email list changed to draft-schaad-pkix-rfc2875-bis@tools.ietf.org
2012-08-01
02 Sean Turner IESG process started in state AD is watching
2012-08-01
02 Sean Turner Notification list changed to : draft-schaad-pkix-rfc2875-bis@tools.ietf.org, peter@akayla.com
2012-08-01
02 Sean Turner Shepherding AD changed to Sean Turner
2012-08-01
02 Sean Turner Intended Status changed to Proposed Standard from None
2012-08-01
02 Sean Turner Stream changed to IETF from None
2012-08-01
02 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-02.txt
2012-04-29
01 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-01.txt
2012-03-08
00 Jim Schaad New version available: draft-schaad-pkix-rfc2875-bis-00.txt