Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
RFC 5349
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
| 2015-10-14 | 04 | (System) | Notify list changed from krb-wg-chairs@ietf.org, draft-zhu-pkinit-ecc@ietf.org to (None) |
| 2012-08-22 | 04 | (System) | post-migration administrative database adjustment to the No Objection position for Pasi Eronen |
| 2008-09-25 | 04 | Cindy Morgan | State Changes to RFC Published from RFC Ed Queue by Cindy Morgan |
| 2008-09-25 | 04 | Cindy Morgan | [Note]: 'RFC 5349' added by Cindy Morgan |
| 2008-09-22 | 04 | (System) | RFC published |
| 2008-08-01 | 04 | Cindy Morgan | State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan |
| 2008-07-31 | 04 | (System) | IANA Action state changed to No IC from In Progress |
| 2008-07-31 | 04 | (System) | IANA Action state changed to In Progress |
| 2008-07-31 | 04 | Cindy Morgan | IESG state changed to Approved-announcement sent |
| 2008-07-31 | 04 | Cindy Morgan | IESG has approved the document |
| 2008-07-31 | 04 | Cindy Morgan | Closed "Approve" ballot |
| 2008-07-29 | 04 | Pasi Eronen | [Ballot comment] |
| 2008-07-29 | 04 | Pasi Eronen | [Ballot Position Update] Position for Pasi Eronen has been changed to No Objection from Undefined by Pasi Eronen |
| 2008-07-29 | 04 | Pasi Eronen | [Ballot Position Update] Position for Pasi Eronen has been changed to Undefined from Discuss by Pasi Eronen |
| 2008-06-06 | 04 | (System) | Removed from agenda for telechat - 2008-06-05 |
| 2008-06-05 | 04 | Cindy Morgan | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Cindy Morgan |
| 2008-06-05 | 04 | Pasi Eronen | [Ballot comment] Informative References: > [LENSTRA] Tung, B., Neuman, B., and S. Medvinsky, "Public Key > Cryptography for Initial Authentication in Kerberos", > August 2004. Is this supposed to refer to some paper by Arjen Lenstra? It seems reference [SEC2] could be informative (all the EC things should be in X9.62/X9.63/IEEE1363). |
| 2008-06-05 | 04 | Pasi Eronen | [Ballot discuss] Section 4: > The DHSharedSecret is the x-coordinate of the shared secret value > (an elliptic curve point); DHSharedSecret is the output of operation > ECSVDP-DH as described in Section 7.2.1 of [IEEE1363]. This text needs some clarification (DHSharedSecret can't be both the x-coordinate of some point and the output of the ECSVDP-DH operation; and the text needs to say how the x-coordinate is converted to an octet string). Suggested rephrasing: The ECDH shared secret value (an elliptic curve point) is calculated using operation ECSVDP-DH as described in Section 7.2.1 of [IEEE1363]. The x-coordinate of this point is converted to an octet string using operation FE2OSP as described in Section 5.5.4 of [IEEE1363]. This octet string is the DHSharedSecret. Section 7: > When using ECDH key agreement, the recipient of an elliptic curve > public key should perform certain checks to avoid the attacks > described in [ECC-Validation]. Do we have any better reference for the "certain checks"; e.g. something in IEEE P1363 or X9.62/63? |
| 2008-06-05 | 04 | Pasi Eronen | [Ballot Position Update] New position, Discuss, has been recorded by Pasi Eronen |
| 2008-06-05 | 04 | Russ Housley | |
| 2008-06-05 | 04 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
| 2008-06-05 | 04 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
| 2008-06-04 | 04 | Cullen Jennings | [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings |
| 2008-06-03 | 04 | Chris Newman | [Ballot comment] Having a normative reference to the publication of a consortium with only one listed member seems questionable to me. However, that reference seems unnecessary given the FIPS-186-2 reference so I suppose it's mostly harmless for an informational RFC. |
| 2008-06-03 | 04 | Chris Newman | [Ballot comment] Having a normative reference to the publication of a consortium with only one listed member seems questionable to me. However, that reference seems unnecessary given the FIPS-186-2 reference so I suppose it's mostly harmless for an informational RFC. |
| 2008-06-03 | 04 | Chris Newman | [Ballot Position Update] Position for Chris Newman has been changed to No Objection from Discuss by Chris Newman |
| 2008-06-03 | 04 | Chris Newman | [Ballot Position Update] New position, Discuss, has been recorded by Chris Newman |
| 2008-06-03 | 04 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
| 2008-06-02 | 04 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded by Jari Arkko |
| 2008-05-29 | 04 | Tim Polk | [Ballot Position Update] New position, Yes, has been recorded for Tim Polk |
| 2008-05-29 | 04 | Tim Polk | Ballot has been issued by Tim Polk |
| 2008-05-29 | 04 | Tim Polk | Created "Approve" ballot |
| 2008-05-29 | 04 | Tim Polk | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Tim Polk |
| 2008-05-29 | 04 | Tim Polk | Placed on agenda for telechat - 2008-06-05 by Tim Polk |
| 2008-03-28 | 04 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Scott Kelly. |
| 2008-03-07 | 04 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
| 2008-03-05 | 04 | Amanda Baber | IANA Last Call comments: As described in the IANA Considerations section, we understand this document to have NO IANA Actions. |
| 2008-02-25 | 04 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Scott Kelly |
| 2008-02-25 | 04 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Scott Kelly |
| 2008-02-22 | 04 | Amy Vezza | Last call sent |
| 2008-02-22 | 04 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
| 2008-02-22 | 04 | Tim Polk | State Changes to Last Call Requested from Publication Requested by Tim Polk |
| 2008-02-22 | 04 | Tim Polk | Last Call was requested by Tim Polk |
| 2008-02-22 | 04 | (System) | Ballot writeup text was added |
| 2008-02-22 | 04 | (System) | Last call text was added |
| 2008-02-22 | 04 | (System) | Ballot approval text was added |
| 2008-01-28 | 04 | Tim Polk | Responsible AD has been changed to Tim Polk from Sam Hartman |
| 2007-11-15 | 04 | Dinara Suleymanova | PROTO Write-up (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? >> The Document Shepherd for this document is Jeffrey Hutzelman, >> <jhutz@cmu.edu>. I have reviewed this document, and I believe >> it is ready for IETF-wide review and publication as a >> Proposed Standard. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? >> This document has received review both within the working group >> and from key experts outside the working group. Any issues raised >> have been resolved. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML? >> This document adds support for use of elliptic curve crypto to >> an existing protocol. As such, it does require some review by >> individuals with expertise in that area. I believe that there >> has been sufficient review, but of course, more is always welcome. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. >> I have no concerns. This document is a fairly straightforward >> specification of an optional feature for PKINIT. No IPR >> disclosures related to this document have been filed. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? >> There is consensus within the working group to publish this >> document. While there has not been broad interest in working >> on this document, there has been support from several active >> WG members, and there have been no objections to moving forward. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) >> There have been no expressions of discontent. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? >> This document has been run through the idnits tool, and was >> reviewed manually for compliance with requirements not checked >> by the automatic tool. No additional formal review criteria >> apply to this document. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. >> References have been split appropriately. There is presently >> a normative downreference to RFC 3278, an informational RFC >> specifying the use of elliptic curve cryptography (ECC) with >> the Cryptographic Message Syntax (CMS). This is a key reference, >> as PKINIT makes use of CMS messages, and the present document >> describes how to use PKINIT with ECC. (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation? >> This document requires no IANA actions. It specifies >> protocol extensions to allow the use of new cryptographic >> algorithms, all of which are identified by OIDs assigned >> elsewhere. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? >> No part of this document is written in a formal language >> requiring such verification. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This document describes the use of Elliptic Curve certificates, Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman (ECDH) key agreement within the framework of PKINIT - the Kerberos Version 5 extension that provides for the use of public key cryptography. Working Group Summary This document represents the consensus of the Kerberos Working Group. Document Quality This document describes an optional mode of operation for the PKINIT extension to the Kerberos protocol. Several major Kerberos implementors currently support or plan to support PKINIT, and at least one has indicated an intent to support the mode of operation described in this document. Personnel The Document Shepherd for this document is Jeffrey Hutzelman. The responsible Area Director is Sam Hartman. |
| 2007-11-15 | 04 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
| 2007-10-24 | 04 | (System) | New version available: draft-zhu-pkinit-ecc-04.txt |
| 2007-09-06 | 04 | (System) | Document has expired |
| 2007-03-05 | 03 | (System) | New version available: draft-zhu-pkinit-ecc-03.txt |
| 2006-09-14 | 02 | (System) | New version available: draft-zhu-pkinit-ecc-02.txt |
| 2006-03-05 | 01 | (System) | New version available: draft-zhu-pkinit-ecc-01.txt |
| 2005-09-14 | 00 | (System) | New version available: draft-zhu-pkinit-ecc-00.txt |