[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RE: NOTICE: DSS Profile for X.509 Certificates to be deleted.



  > At 10:40 AM 9/23/96 -0700, John Marchioni wrote:

{Recommendation from John Marchioni deleted}
 
  > 
  > For the benefit of everyone, I have attached below a copy of the 
referenced
  > e-mail from me.  I won't include the uuencoded Word attachment on such a
  > wide distribution as this message, but will send it to anyone requesting
  >  it.
  > 
  > >The Diffie-Hellman cert profile should be added next when it is agreed
  >  that
  > the D-H cert section of ANSI >X9.42 is stable.  I recommend that the IETF
  > and ANSI X9.42 use the same ARC for OIDs as in X9.57 when >dealing with
  >  D-H
  > keys and certificates, if this ARC is registered and valid.
  > 
  > The X9.57 arc is certainly registered (under ANSI as an ANSI standard)
  >  and
  > valid, and we have used it for X9.57 and X9.55.  I would not object to
  >  using
  > it also for X9.42

Warwick,

I have just received a newly assigned ARC for ANSI X9.42 (Diffie-Hellman).  I 
suspect the parameter syntax and encoding section for X9.42 to undergo some 
revision after the ANSI X9.F1 next week after I get some feedback. (BTW, you 
should have received hardcopy of this document a few weeks ago.  Please let me 
know if you haven't. (That goes for anyone else that needs a copy, too)).

I have assumed that X9.57 and X9.55 would be integrating details on 
constructing and encoding Diffie-Hellman certificates.  I.e., I deliberately 
ommitted a D-H certificate section since I considered out of scope.  As such, 
I only specified public number and system parameter syntax and encoding in 
X9.42.

Basically, I agree that the X9.57 ARC should be used for certificates but I 
disagree regarding the use of the X9.57 ARC for the public numbers and system 
parameters.  Why not stick with the X.42 ARC for those?

Regards,

-John Kennedy

p.s. For follow-ups, I suggest we prune down the distribution to only Cc: 
ietf-pkix@tandem.com and ipsec@tis.com


From: John Marchioni <johnmarc@cylink.com>
To: "jkennedy@cylink.com" <jkennedy@cylink.com>, 
    "'carlisle (c.m.) adams'" <cadams@nortel.ca>
Cc: "johnmarc@cylink.com" <johnmarc@cylink.com>, 
    "ipsec@tis.com" <ipsec@TIS.COM>, 
    "ietf-pkix@tandem.com" <ietf-pkix@tandem.com>, 
    "isakmp-oakley@cisco.com" <isakmp-oakley@cisco.com>, 
    "skip-info@tik.ee.ethz.ch" <skip-info@tik.ee.ethz.ch>
Subject: RE: NOTICE: DSS Profile for X.509 Certificates to be deleted. 
Date: Mon, 23 Sep 1996 10:40:42 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9609240717.aa12310@neptune.TIS.COM>

That's correct, it should have been "section 7" of "pkix-1" which is =
essentially correct but we don't like the current OID value for DSA with =
SHA1, looks like the leftover from the NIST OIW/OSE. =20

Warwick just distributed a softcopy of a paper from his work with the =
NIST PKI TWG which seems to be comprehensive in filling in the holes for =
DSA certs.  If Warwick folds this into "section 7" then I think the DSA =
cert profile work for IETF is complete for now. =20

The Diffie-Hellman cert profile should be added next when it is agreed =
that the D-H cert section of ANSI X9.42 is stable.  I recommend that the =
IETF and ANSI X9.42 use the same ARC for OIDs as in X9.57 when dealing =
with D-H keys and certificates, if this ARC is registered and valid.
- John

----------
From: 	carlisle (c.m.) adams
Sent: 	Monday, September 23, 1996 7:23 AM
To: 	jkennedy@cylink.com
Cc: 	johnmarc@cylink.com; ipsec@tis.com; ietf-pkix@tandem.com; =
isakmp-oakley@cisco.com; skip-info@tik.ee.ethz.ch
Subject: 	re:NOTICE: DSS Profile for X.509 Certificates to be deleted.=20



In message "NOTICE: DSS Profile for X.509 Certificates to be deleted.",=20
jkennedy@cylink.com writes:

>
>I received the following message from the Internet-Drafts Administrator =
about=20
>a month ago regarding the deletion of the I-D John Marchioni and I =
co-authored=20
>on a "DSS Profile for X.509 Certificates".  This draft was submitted =
only as=20
>an interim solution since the PKIX was just coming up to speed and had =
not yet=20
>included this material in the PKIX draft.  I do not know exactly what =
the=20
>status of the X.509 DSS profile is in the PKIX document so I am sharing =
this=20
>current status information with you now.  As far as I know DSS =
Certificates=20
>are being used in both the SKIP and ISAKMP/Oakley reference =
implementations=20
>and the aforementioned draft is cited in the applicable I-D's for these =
key=20
>management protocols.
>
>I have a number of choices:
>
>a) Do nothing and let the draft gracefully expire.
>b) Update and submit a revised draft of =




To: ipsec@TIS.COM, gnu@toad.com
Subject: Readable specs?
Date: Mon, 23 Sep 1996 17:47:10 -0700
From: John Gilmore <gnu@toad.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9609240718.aa12349@neptune.TIS.COM>

Now that we've "decided" what the key management protocol will be
called, does anyone plan to write a readable spec for it?  Or are we
doomed to produce the first IETF standard as incomprehensible as an
OSI or ANSI standard?

	John




Date: Mon, 23 Sep 1996 17:08:00 -0400
To: John Marchioni <johnmarc@cylink.com>, 
    "jkennedy@cylink.com" <jkennedy@cylink.com>, 
    "'carlisle (c.m.) adams'" <cadams@nortel.ca>
From: Warwick Ford <wford@mail.intranet.ca>
Subject: RE: NOTICE: DSS Profile for X.509 Certificates to be deleted. 
Cc: "ipsec@tis.com" <ipsec@TIS.COM>, 
    "ietf-pkix@tandem.com" <ietf-pkix@tandem.com>, 
    "isakmp-oakley@cisco.com" <isakmp-oakley@cisco.com>, 
    "skip-info@tik.ee.ethz.ch" <skip-info@tik.ee.ethz.ch>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9609240718.aa12331@neptune.TIS.COM>

At 10:40 AM 9/23/96 -0700, John Marchioni wrote:
>That's correct, it should have been "section 7" of "pkix-1" which is
essentially correct but we don't like the current OID value for DSA with
SHA1, looks like the leftover from the NIST OIW/OSE.  
>
>Warwick just distributed a softcopy of a paper from his work with the NIST
PKI TWG which seems to be >comprehensive in filling in the holes for DSA
certs.  If Warwick folds this into "section 7" then I think >the DSA cert
profile work for IETF is complete for now.  

For the benefit of everyone, I have attached below a copy of the referenced
e-mail from me.  I won't include the uuencoded Word attachment on such a
wide distribution as this message, but will send it to anyone requesting it.

>The Diffie-Hellman cert profile should be added next when it is agreed that
the D-H cert section of ANSI >X9.42 is stable.  I recommend that the IETF
and ANSI X9.42 use the same ARC for OIDs as in X9.57 when >dealing with D-H
keys and certificates, if this ARC is registered and valid.

The X9.57 arc is certainly registered (under ANSI as an ANSI standard) and
valid, and we have used it for X9.57 and X9.55.  I would not object to using
it also for X9.42

Warwick
----------------------------------
>Date: Mon, 23 Sep 1996 10:39:36 -0400
>To: pki-twg@csmes.ncsl.nist.gov,housley@spyrus.com
>From: Warwick Ford <wford@mail.intranet.ca>
>Subject: DSA Algorithm Definitions
>X-Attachments: C:\Business\ANSIX9\Algids.doc;
>
>Attached are the latest algorithm definitions from ANSI X9.57.  When Russ,
Rich Ankney, and I devised this set, we hoped we had developed one answer
that would satisfy everyone (ANSI, PKIX, and the FPKI).
>
>There are 3 algorithmIds:
>- dsa - has p, q, and g parameters - for use in subjectPublicKeyInfo
>- dsa-with-sha-1 - no parameters - for use in the signature fields
>- dsa-match - has key length as parameter - for use in those situations
where you want to determine the capabilities of a remote system, e.g., in
supportedAlgorithms attribute
> 
>Warwick
>
-------------------------------------------------------------------
Warwick Ford: wford@intranet.ca Tel: (613)2253487 Fax: (613)2256361
   Postal:  25 Assiniboine Drive, Nepean, Ontario, Canada K2E5R8
-------------------------------------------------------------------




Date: Tue, 24 Sep 96 09:35:55 EDT
From: "W. Douglas Maughan" <wdm@epoch.ncsc.mil>
Message-Id: <9609241335.AA04357@dolphin.ncsc.mil>
To: ipsec@TIS.COM, gnu@toad.com
Subject: Re: Readable specs?
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

John,

> Now that we've "decided" what the key management protocol will be
> called, does anyone plan to write a readable spec for it?  Or are we
> doomed to produce the first IETF standard as incomprehensible as an
> OSI or ANSI standard?

We are in the process of editing and improving the existing ISAKMP
Internet-Draft. As it was explained to me by the IPSEC co-chairs, we
have the following timeline:

4 November	I-D available for Working Group
Late Nov.	WG chairs will issue Last Call
	(NOTE: Last Call will include the Dec. IETF)
Late Dec.	Last Call will be completed

(RAN/PAUL: Please correct me if I'm wrong)

This will meet the schedule proposed by Jeff Schiller in his Security
AD Statement (i.e. Jan 97 - Submit Internet-Draft of the Internet Key
Management Protocol (IKMP) based on ISAKMP/Oakley to the IESG for
consideration as a Proposed Standard).

We welcome all comments, corrections, etc. pertaining to the existing
ISAKMP I-D (draft-ietf-ipsec-isakmp-05). If you have specific text you
would like to propose for version 6 of the draft that would be great.

Regards,

Doug Maughan




Date: Tue, 24 Sep 1996 10:45:13 -0400
To: Germano Caronni <caronni@tik.ee.ethz.ch>, skip-info@skip.org, 
    Project SKIP <skip@tik.ee.ethz.ch>, 
    Bernhard Plattner <plattner@tik.ee.ethz.ch>, ipsec@TIS.COM
From: Robert Moskowitz <rgm3@chrysler.com>
Subject: Re: The skip-info mailing list
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9609241057.aa15315@neptune.TIS.COM>

At 01:20 PM 9/23/96 +0200, Germano Caronni wrote:
>The SKIP internal mailing list 'skip-info@tik.ee.ethz.ch' has moved. It is
>now located at skip-info@skip.org. 
>
OMG, what they let into .ORG these days  ;)

Is there really a registered (someplace on this planet) SKIP organization?
Facinating.


Robert Moskowitz
Chrysler Corporation
(810) 758-8212