Diffie-Hellman Proof-of-Possession Algorithms
draft-schaad-pkix-rfc2875-bis-08
Document history
Date | Rev. | By | Action |
---|---|---|---|
2013-05-29 | 08 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2013-05-10 | 08 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2013-04-15 | 08 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2013-04-05 | 08 | Cindy Morgan | State changed to RFC Ed Queue from Approved-announcement sent |
2013-04-05 | 08 | (System) | RFC Editor state changed to EDIT |
2013-04-05 | 08 | (System) | Announcement was received by RFC Editor |
2013-04-04 | 08 | (System) | IANA Action state changed to No IC |
2013-04-04 | 08 | Amy Vezza | State changed to Approved-announcement sent from Approved-announcement to be sent |
2013-04-04 | 08 | Amy Vezza | IESG has approved the document |
2013-04-04 | 08 | Amy Vezza | Closed "Approve" ballot |
2013-04-04 | 08 | Sean Turner | Ballot writeup was changed |
2013-03-27 | 08 | Amy Vezza | Ballot approval text was generated |
2013-03-27 | 08 | Amy Vezza | State changed to Approved-announcement to be sent from Waiting for AD Go-Ahead |
2013-03-27 | 08 | Amy Vezza | Ballot writeup was changed |
2013-03-27 | 08 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-08.txt |
2013-03-19 | 07 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call |
2013-03-16 | 07 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2013-02-25 | 07 | Amanda Baber | IESG/Authors/WG Chairs: IANA has reviewed draft-schaad-pkix-rfc2875-bis-07.txt, which is currently in Last Call, and has the following comments: We understand that this document doesn't require any IANA actions. If this assessment is not accurate, please respond as soon as possible. |
2013-02-21 | 07 | Martin Thomson | Assignment of request for Last Call review by GENART to Martin Thomson was rejected |
2013-02-21 | 07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Martin Thomson |
2013-02-21 | 07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Martin Thomson |
2013-02-20 | 07 | Sean Turner | Pete was able to verify the examples. |
2013-02-19 | 07 | Cindy Morgan | IANA Review state changed to IANA Review Needed |
2013-02-19 | 07 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce Reply-To: ietf@ietf.org Subject: Last Call: (Diffie-Hellman Proof-of-Possession Algorithms) to Proposed Standard The IESG has received a request from an individual submitter to consider the following document: - 'Diffie-Hellman Proof-of-Possession Algorithms' as Proposed Standard This Last Call is the second IETF Last Call for this document. No technical issues were raised during the first Last Call. However, the Last Call failed to highlight three normative references to informational RFCs: RFCs 2104, RFC 2986, and RFC 6234. RFCs 2104 and 2986 already appear in the downref registry located at: http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry but RFC 6234 does not. This abbreviated Last Call is focused solely on whether the downref to RFC 6234 is appropriate in the context of draft-schaad-pkix-rfc2875. Note that RFC 6234 is also called out in a downref in another IETF Last Call ending on the same date. The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-19. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair and one method for producing an integrity check value from an Elliptic Curve key pair. This behavior is needed for such operations as creating the signature of a PKCS #10 certification request. These algorithms are designed to provide a proof-of-possession of the private key and not to be a general purpose signing algorithm. This document obsoletes RFC 2875. The file can be obtained via http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/ballot/ No IPR declarations have been submitted directly on this I-D. |
2013-02-19 | 07 | Cindy Morgan | State changed to In Last Call from Last Call Requested |
2013-02-19 | 07 | Cindy Morgan | Last call announcement was changed |
2013-02-19 | 07 | Cindy Morgan | Last call announcement was changed |
2013-02-19 | 07 | Cindy Morgan | Last call announcement was generated |
2013-02-19 | 07 | Sean Turner | Last call was requested |
2013-02-19 | 07 | Sean Turner | State changed to Last Call Requested from IESG Evaluation::AD Followup |
2013-02-19 | 07 | Sean Turner | Last call announcement was changed |
2013-02-15 | 07 | Martin Thomson | Assignment of request for Telechat review by GENART to Martin Thomson was rejected |
2013-02-04 | 07 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2013-02-04 | 07 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-07.txt |
2013-02-04 | 06 | Russ Housley | [Ballot comment] I think that the Introduction needs to be expanded. First, the phrase "producing a POP" does not make it clear that the proof is that the party has possession of the private key that corresponds to the public key in the certificate request. Second, in some cases, a DH key can be used to make a DSA signature, and an ECDH key can be used to make an ECDSA signature. Such an operation would provide the POP. Such an operation may not be possible if the key is stored in a hardware device that ensures a typed key is used only with one algorithm. The Introduction states: "Given the current PKIX definitions for the public key parameters of elliptic curve, the number of groups is both limited and predefined. This means that the probability that the same set of parameters are going to be used by the key requester and the key validator are significantly higher than they are in the Diffie-Hellman case." In Static-Static Diffie-Hellman, both parties must employ the exact same parameters. In Ephemeral-Static Diffie-Hellman, the sender must employ the parameters from the certificate of the receiver. Thus, it seems to me that DH is also reduced to a well-known set of parameters. |
2013-02-04 | 06 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss |
2013-01-25 | 06 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'No Response' |
2013-01-24 | 06 | Cindy Morgan | State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation |
2013-01-24 | 06 | Cindy Morgan | [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica by Cindy Morgan |
2013-01-24 | 06 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2013-01-24 | 06 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2013-01-24 | 06 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant |
2013-01-23 | 06 | Wesley Eddy | [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy |
2013-01-23 | 06 | Russ Housley | [Ballot discuss] I understand these two purposes for this document: o New instances of the static DH POP algorithm have been created using HMAC paired with the SHA-224, SHA-256, SHA-384 and SHA-512 hash algorithms. o A new Static ECDH Proof-of-Possession algorithm has been added. However, a great number of changes to the algorithms come from the other objectives of the author. Given the relatively small use of Diffie-Hellman in the marketplace, I expected a fairly minor change to avoid changes in products that have embraced the Diffie-Hellman key agreement algorithm. |
2013-01-23 | 06 | Russ Housley | [Ballot comment] I think that the Introduction needs to be expanded. First, the phrase "producing a POP" does not make it clear that the proof is that the party has possession of the private key that corresponds to the public key in the certificate request. Second, in some cases, a DH key can be used to make a DSA signature, and an ECDH key can be used to make an ECDSA signature. Such an operation would provide the POP. Such an operation may not be possible if the key is stored in a hardware device that ensures a typed key is used only with one algorithm. The Introduction states: "Given the current PKIX definitions for the public key parameters of elliptic curve, the number of groups is both limited and predefined. This means that the probability that the same set of parameters are going to be used by the key requester and the key validator are significantly higher than they are in the Diffie-Hellman case." In Static-Static Diffie-Hellman, both parties must employ the exact same parameters. In Ephemeral-Static Diffie-Hellman, the sender must employ the parameters from the certificate of the receiver. Thus, it seems to me that DH is also reduced to a well-known set of parameters. |
2013-01-23 | 06 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley |
2013-01-23 | 06 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2013-01-22 | 06 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2013-01-22 | 06 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2013-01-22 | 06 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks |
2013-01-22 | 06 | Sean Turner | I was able to compile the ASN.1. |
2013-01-22 | 06 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2013-01-22 | 06 | Stephen Farrell | [Ballot comment] - Is floor(a,b) not an odd notation? Normally floor has only one input. Is this used elsewhere? Why not just define floor(x) and then use floor(a/b) as usual? - It appears as if you have gotten OIDs from the PKIX arc already, so the tense in the IANA section is wrong. - I didn't check the ASN.1 modules, nor the examples. Has anyone? |
2013-01-22 | 06 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
2013-01-22 | 06 | Sean Turner | Ballot has been issued |
2013-01-22 | 06 | Sean Turner | [Ballot Position Update] New position, Yes, has been recorded for Sean Turner |
2013-01-22 | 06 | Sean Turner | Created "Approve" ballot |
2013-01-22 | 06 | Sean Turner | Ballot writeup was changed |
2013-01-22 | 06 | Sean Turner | State changed to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup |
2013-01-17 | 06 | Jean Mahoney | Request for Telechat review by GENART is assigned to Martin Thomson |
2013-01-17 | 06 | Jean Mahoney | Request for Telechat review by GENART is assigned to Martin Thomson |
2013-01-08 | 06 | Amy Vezza | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? Intended Status: Proposed Standard. This follows from the original RFC and the status is indicated in the title page header. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This document is an update to RFC 2875 ("Diffie-Hellman Proof-of-Possession Algorithms"). It extends 2875 to include support for the Elliptic Curve Diffie-Hellman algorithm along with the SHA-2 family of hash functions. The proof-of-possession methods described in this document are used in a Certificate Service Request to demonstrate possession of a private key that is not capable of producing a digital signature. Certificate Signing Requests are normally signed by the private key matching the public key conveyed in the request. Certain algorithms such as the Diffie-Hellman family are incapable of creating digital signatures. By leveraging their key exchange properties, the Diffie-Hellman algorithms can be used to provide a proof-of-possession analogous to a digital signature and sufficient to allow validation of a Certificate Signing Request. Working Group Summary This draft is not the product of a WG. RFC 2875 was a product of the PKIX WG, but when the author asked for WG adoption there was only lukewarm response. This is pretty normal for algorithm-type drafts because the updates basically do the same thing as the RFC they're updating but use longer outputs and new OIDs (i.e., they're not very interesting from a technical point of view). The draft was presented to the PKIX WG in Paris, where the author received some comments that were incorporated. Document Quality Although dense with ASN.1 and cryptographic equations, the 2875bis document is quite attainable. The author has implemented the methods described in the document and provided sample ASN.1 encodings to demonstrate the expected output of several combinations of the Diffie-Hellman and hash algorithms. Personnel Peter Yee (peter at akayla.com) is the document shepherd. Sean Turner (turners at ieca.com) is the responsible Area Director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. I have reviewed this document at the -02 and -03 draft versions. Draft -03 represented a substantial improvement over draft -02 and was itself essentially ready for publication modulo a few small nits. Draft -04 cleans up the last remaining nits. Then -05 and -06 addressed last call comments. I've reviewed the math used in the document for correctness and it appears fine. The only area I have not verified is the ASN.1 encoding examples as that would require that I implement the specification myself in order to validate the example output. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? I do not have any concerns regarding the depth or breadth of the reviews performed. As this document extends an existing standard, it leverages the original reviews of that document while adding new mechanisms that are in line with those originally approved by the PKIX WG. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Review from other WGs is probably not merited as this document's scope is within the purview of the PKIX WG and only affects existing PKIX protocols. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. I have no specific concerns or issues with the document that I'm raising to the responsible AD or the IESG. The document represents a straight-forward extension to RFC 2875. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. There are no known IPR issues requiring filing disclosures as given in BCP 78 and BCP 79. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. I am not aware of any IPR disclosures filed that reference this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? As noted in the Working Group Summary above, the WG is ambivalent about the document as it doesn't represent interesting new work in the field. There were no technical objections to the content. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No one has threatened an appeal or otherwise indicated extreme discontent with the document. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The document currently makes normative references to 3 Informational RFCs. I'm of the opinion that these are valid downward references and the author concurs. The references are to RFCs 2104, 2986, and 6234. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No relevant formal criteria of which I am aware. (13) Have all references within this document been identified as either normative or informative? All references have been identified as normative or informative. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? There are no references to documents that would impede this document's progress. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. The document currently makes normative references to 3 Informational RFCs. I'm of the opinion that these are valid downward references and the author concurs. The references are to RFCs 2104, 2986, and 6234. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. Publication of this document will replace RFC 2875. 2875 is listed on the title page and in the abstract. It is discussed in a subsection to the introduction. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). I concur with the IANA considerations section of the document (which merely says that there are none as this document uses numbers that come from the PKIX WG arc). (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. No new IANA registries are required. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. I have not performed any automated checks on the ASN.1 sections of this document. |
2013-01-07 | 06 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2013-01-07 | 06 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-06.txt |
2013-01-02 | 05 | Sean Turner | State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead |
2013-01-02 | 05 | Sean Turner | Removed telechat returning item indication |
2013-01-02 | 05 | Sean Turner | Telechat date has been changed to 2013-01-24 from 2013-01-10 |
2013-01-02 | 05 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call |
2012-12-28 | 05 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-05.txt |
2012-12-28 | 04 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-04.txt |
2012-12-20 | 03 | Pearl Liang | IANA has reviewed draft-schaad-pkix-rfc2875-bis-03, which is currently in Last Call, and has the following comments: IANA understands that, upon approval of this document, there are no IANA Actions that need completion. |
2012-12-07 | 03 | Martin Thomson | Request for Last Call review by GENART Completed: Ready. Reviewer: Martin Thomson. |
2012-12-07 | 03 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Dave Cridland |
2012-12-07 | 03 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Dave Cridland |
2012-12-06 | 03 | Jean Mahoney | Request for Last Call review by GENART is assigned to Martin Thomson |
2012-12-06 | 03 | Jean Mahoney | Request for Last Call review by GENART is assigned to Martin Thomson |
2012-12-05 | 03 | Sean Turner | Placed on agenda for telechat - 2013-01-10 |
2012-12-05 | 03 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce Reply-To: ietf@ietf.org Subject: Last Call: (Diffie-Hellman Proof-of-Possession Algorithms) to Proposed Standard The IESG has received a request from an individual submitter to consider the following document: - 'Diffie-Hellman Proof-of-Possession Algorithms' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-01-02. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair and one method for producing an integrity check value from an Elliptic Curve key pair. This behavior is needed for such operations as creating the signature of a PKCS #10 certification request. These algorithms are designed to provide a proof-of-possession rather than general purpose signing. This document obsoletes RFC 2875. The file can be obtained via http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-schaad-pkix-rfc2875-bis/ballot/ No IPR declarations have been submitted directly on this I-D. |
2012-12-05 | 03 | Amy Vezza | State changed to In Last Call from Last Call Requested |
2012-12-05 | 03 | Sean Turner | Last call was requested |
2012-12-05 | 03 | Sean Turner | Ballot approval text was generated |
2012-12-05 | 03 | Sean Turner | Ballot writeup was generated |
2012-12-05 | 03 | Sean Turner | State changed to Last Call Requested from Publication Requested |
2012-12-05 | 03 | Sean Turner | Last call announcement was generated |
2012-12-05 | 03 | Sean Turner | State changed to Publication Requested from AD is watching |
2012-08-01 | 02 | Sean Turner | Assigned to Security Area |
2012-08-01 | 02 | Sean Turner | Note added 'Peter Yee (peter@akayla.com) is the Document Shepherd.' |
2012-08-01 | 02 | Sean Turner | State Change Notice email list changed to draft-schaad-pkix-rfc2875-bis@tools.ietf.org |
2012-08-01 | 02 | Sean Turner | IESG process started in state AD is watching |
2012-08-01 | 02 | Sean Turner | Notification list changed to : draft-schaad-pkix-rfc2875-bis@tools.ietf.org, peter@akayla.com |
2012-08-01 | 02 | Sean Turner | Shepherding AD changed to Sean Turner |
2012-08-01 | 02 | Sean Turner | Intended Status changed to Proposed Standard from None |
2012-08-01 | 02 | Sean Turner | Stream changed to IETF from None |
2012-08-01 | 02 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-02.txt |
2012-04-29 | 01 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-01.txt |
2012-03-08 | 00 | Jim Schaad | New version available: draft-schaad-pkix-rfc2875-bis-00.txt |
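
The abstract and the shepherd's Technical Summary in the history above state the principle without showing it: a Diffie-Hellman key cannot sign, so possession of its private key is demonstrated through the key-agreement property instead. The requester combines its private key with the verifier's (CA's) public key, the verifier combines its own private key with the public key carried in the request, both arrive at the same static-static secret, and a MAC keyed from that secret over the request body can only have been produced by someone who knew the requester's private key. The following Python is an added illustration of that principle and is not code from the draft, from RFC 2875 or from any implementation of them. The draft's actual key-derivation step, hash choices and ASN.1 encodings are not reproduced; the seeded safe-prime group generator, the SHA-256 label KDF, the function names and the constructed request body are all assumptions made for this demo.

```python
"""Static Diffie-Hellman proof-of-possession, simplified demonstration.

Added example, not code from draft-schaad-pkix-rfc2875-bis or RFC 2875.
The KDF, group generation and request bytes are assumptions for this demo.
"""
import hashlib
import hmac
import random
import secrets

_SMALL_PRIMES = [n for n in range(3, 1000)
                 if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with a trial-division prefilter; rng supplies the bases."""
    if n < 4:
        return n in (2, 3)
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits=256, seed=2875):
    """Return (p, q, g): p = 2q + 1 with q prime, g generating the order-q
    subgroup. Seeded so the demo is reproducible. Assumption: a deployment
    would take a published group; this routine exists only for illustration."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            p = 2 * q + 1
            break
    g = pow(2, 2, p)  # a quadratic residue other than 1 has order q in a safe-prime group
    return p, q, g


def keygen(group):
    """Private exponent in [2, q-1] from the OS CSPRNG, and its public value."""
    p, q, g = group
    x = secrets.randbelow(q - 2) + 2
    return x, pow(g, x, p)


def shared_secret(priv, peer_pub, group):
    """ZZ = peer_pub^priv mod p, after checking that the peer value lies in the
    order-q subgroup (rejects 0, 1, p-1 and small-subgroup elements)."""
    p, q, _ = group
    if not 1 < peer_pub < p - 1 or pow(peer_pub, q, p) != 1:
        raise ValueError("invalid peer public key")
    zz = pow(peer_pub, priv, p)
    return zz.to_bytes((p.bit_length() + 7) // 8, "big")


def pop_mac(own_priv, peer_pub, request_info, group):
    """HMAC-SHA256 over the request body, keyed from the shared secret.
    Assumption: this label-based KDF stands in for the draft's derivation."""
    key = hashlib.sha256(b"DH-POP-DEMO-KEY" + shared_secret(own_priv, peer_pub, group)).digest()
    return hmac.new(key, request_info, hashlib.sha256).digest()


def verify_pop(verifier_priv, requester_pub, request_info, pop, group):
    """The verifier recomputes the MAC with its own private key and the public
    key carried in the request; a match proves the requester knew that key's
    private exponent (both sides computed g^(x*v) mod p)."""
    expected = pop_mac(verifier_priv, requester_pub, request_info, group)
    return hmac.compare_digest(expected, pop)


def demo():
    """Returns (genuine_ok, forged_ok, tampered_ok); expected (True, False, False)."""
    group = generate_group()
    ca_priv, ca_pub = keygen(group)
    req_priv, req_pub = keygen(group)
    # constructed stand-in for the DER-encoded CertificationRequestInfo
    request_info = b"CN=pop-demo; dhPublicKey=" + req_pub.to_bytes(32, "big")
    pop = pop_mac(req_priv, ca_pub, request_info, group)
    genuine_ok = verify_pop(ca_priv, req_pub, request_info, pop, group)
    # someone who copied req_pub into their own request but lacks req_priv
    other_priv, _ = keygen(group)
    forged = pop_mac(other_priv, ca_pub, request_info, group)
    forged_ok = verify_pop(ca_priv, req_pub, request_info, forged, group)
    # request body altered after the proof was computed
    tampered_ok = verify_pop(ca_priv, req_pub, request_info + b"!", pop, group)
    return genuine_ok, forged_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Two properties of this construction are worth keeping in mind when reading the ballot discussion above. First, unlike a signature, the proof is only checkable by the party whose public key the requester used, which is why both sides must share the same group parameters (the point Russ Housley raises about Static-Static DH). Second, the verifier is raising a value supplied by the requester to its own long-term private exponent, so the subgroup membership check in `shared_secret` is not optional: without it a malicious request could feed in a small-order element and learn information about the CA's key from whether the proof verifies.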