[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Lasr RFC dratf comments


Thank you for these comments.  I will work on the next draft with these in 

 - Carl

(see comments interspersed below)

At 11:35 AM 11/25/97 +0100, serret wrote:
>Hello all!
>After trying to study the last RFC's draft
>(draft-ietf-spki-cert-structure-02 & theory & examples) we found several
>problems or inconsistencies ( commented over
>draft-ietf-spki-cert-structure-02 document).
>Principal confusion:
>In the whole document the notion of Principal is used. The major problem
>is that is never clearly specified that in the general case of a public
>key cryptosystem, the Principal is the private key, but its (unique)
>identifier (what we will find writen in the certificates) is its public
>key or the hash of its public key. If the hash of the private key is
>used to identify a principal on a certificate, then it is clear that we
>will never be able to check a signature, because there is no way to go
>from hash(PrivateKey) to PublicKey. This means that we use the private
>key in the same way as a secret key.

I will make this clearer.

The private key is that which speaks and is the machinery of the principal.

The public key is 1:1 with the private key and is both a way of verifying a 
signature and a name for the public key.

The hash of the public key is a name for the public key.

So, we use either the public key or its hash as the principal -- precisely, 
as a name for the private key.

>BNF lack:
>BNF is used to specify the structures, but unfortunately BNF is only
>poorly introduced in page 12, (for example the operator "|" is not
>explained) and there is no bibliographic pointer. 

I assumed everyone knew these, but you're right.  If I define * and ?, I 
should define |.

>SDSI confusion:
>The examples based on SDSI are almost confusing. The reader must guest
>the meaning of all the fields, and then try to check if the example
>"works" or have any sense. Pages 8(better) & 31(worst). Reading the
>proposed online documentation does not help.
>In page 8 I would change the text where it says :
>By NAME (formally "SDSI Name") we mean a string of the form (K1 N1 N2
>   ... Nk) where 1 <= k.  Every name is a name in some namespace.
>To :
>By NAME (formally "SDSI Name") we mean a string of the form (K1 N1 N2
>   ... Nk) where 1 <= k.  Every name is a name in some namespace
>designed by the previous name in the string, being K1 the owner of the
>initial namespace.

I will look carefully at that text and find a way to rework it.
Thanks for the catch.

>ACL : 
>The meaning of the term ACL for SPKI is well defined, but the term
>itself is valid only for historical reasons, and Access Control List
>does not mean " unsigned certificate issued by me". Maybe somebody can
>propose a better name ?.

We might call it an assertion.  It really is an ACL, of course.  That is, an 
ACL is a list of assignments of authorizations to subjects, not signed.  I 
like "ACL" for its brevity, but will gladly listen to discussion on the term.

>IANA (page 15):
>What is it? some useful pointers ?.

I'll track down defining RFCs (if any).

>Why the pub-sig-alg-id includes the hasing algorithm ? I think is much
>better to leave a public key alone and identify the hash-alg-name in the
><hash> structures. Keeping in that way a key is forced to use always the
>same hash algorithm, and what happens if a key will never be used to
>sign ? ( yes is possible).

A key not used to sign would have a different name.  It could have the same 
values, but a different algorithm name.

We went back and forth on naming of public keys.  The separation of parts of 
the process led us down the path of expressing a public key as a little 
(LISP) program to do the signature validation -- but that got out of hand.  
I can argue both directions.  I like the idea of naming algorithms with 
little programs everyone can execute.  However, that's a complexity for many 
people.  E.g., those with BSAFE don't have that choice.  They have a list of 
combined algorithm names like the ones we're using.

><reval> & <reval>, <crl> <delta-crl> <sequence> :
>The s-expression <reval> is defined two times : one in page 32
>(<reval>:: "(" "reval" <version> <subj-hash> <valid-basic> ")";) and
>other in 33 (<reval>:: "(" "reval" <version> <subj-hash> <one-valid>
>")"; ).

There are two kinds of reval -- one-time and persistent.  I will look at the 
text to see how to make that clear.

>The version field is not optional here -> <crl> , <delta-crl> <reval>,

The version should be optional in all these cases.  It's sloppiness on my 
part when it isn't.

>Finally and must important, a big incoherence :
>To be valid the <cert> <reval> & <crl> objects must be signed, for that
>reason <cert> is packed in the <sequence> object, who to have any sense
>must contain almost a <cert> and a <signature> over that <cert>.
>Strangely <reval> and <crl> are top level objects, who can stand alone
>with any signature over them !. I suggest to add <reval> and <crl> items
>to the <seq-entry>.

<reval>, <crl> are not part of a normal sequence.  They are responses to 
on-line tests and arrive alone.  However, you are correct that the response 
itself will probably need to be a sequence.  I will modify the BNF and the 
text to note that.

>Finally I would like to apologize for being more destructive that I
>would desire to.

I really appreciate your help and your thorough reading of the draft.

 - Carl

Version: PGP for Personal Privacy 5.0
Charset: noconv


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |

Follow-Ups: References: