Re: [IPsec] IPSECKEY Resource Record Parameter for EdDSA
On 10/11/19 5:44 AM, Michael Richardson wrote:
> Robert Moskowitz wrote:
> > At some point I am going to need one, as 8005 references IPSECKEY for
> > its RR and I am using EdDSA for the tm-rid work.
>
> I was surprised at the 8005 reference to IPSECKEY, since it seemed wrong that an IPSECKEY RR would point at some machine that was going to answer with HIP and not IKEv2... but now I see that you have your own RR, but share the algorithm numbers with IPSECKEY.

There was an attitude to not maintain 2 separate number spaces. Now I have to live with that (how would I handle the ECDH Identities for HIP-DEX which I do not believe IKE has anything similar?)

> It seems that your tm-rid work can just amend this IANA registry.
> If you had a WG, you could ask for an early allocation. I don't think that the IPSEC WG chairs could ask for an early allocation for you at this point, alas.

The way I see it, RFC 8420 'requires' this allocation. I suspect whatever works for 8420 will work for draft-moskowitz-hip-new-crypto.

So I am being 'nice' and asking the owners of the IPSECKEY namespace to fix what I see as a shared problem. I really don't want to go down a path of having a tm-rid wg doing the allocation.

Bob

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] IPSECKEY Resource Record Parameter for EdDSA
On 10/11/19 5:26 AM, Michael Richardson wrote:
> Robert Moskowitz wrote:
> > Is there an update for EDDSA (RFC 8420) for the ipseckey RR?
> >
> > https://www.iana.org/assignments/ipseckey-rr-parameters/ipseckey-rr-parameters.xhtml
> >
> > IANA is not showing it, so perhaps it is in a draft somewhere?
>
> I haven't done this.
> It's marked IETF Review, so a document is needed (but necessarily standards track).
> What's your use case today? Surely not tm-rid?

Yes it is tm-rid. Look for a revision to
https://datatracker.ietf.org/doc/draft-moskowitz-hip-hhit-registries/

Any observer should have access to the HI on observing the HIT in the RemoteID Basic Message. This is needed to validate the signature in the Authentication Message. Only an authorized observer can query the USS for more information (as Stu alluded to) about the UAV. In the ASTM docs we cannot release yet (grumble) they propose both SAML and JSON for the query for these details by an authorized observer.

Thus only the HI/HIT will be returned in the DNS query. RVS is normally restricted information.

Bob
Re: [IPsec] IPSECKEY Resource Record Parameter for EdDSA
Robert Moskowitz wrote:
> At some point I am going to need one, as 8005 references IPSECKEY for
> its RR and I am using EdDSA for the tm-rid work.

I was surprised at the 8005 reference to IPSECKEY, since it seemed wrong that an IPSECKEY RR would point at some machine that was going to answer with HIP and not IKEv2... but now I see that you have your own RR, but share the algorithm numbers with IPSECKEY.

It seems that your tm-rid work can just amend this IANA registry.
If you had a WG, you could ask for an early allocation. I don't think that the IPSEC WG chairs could ask for an early allocation for you at this point, alas.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Re: [IPsec] IPSECKEY Resource Record Parameter for EdDSA
Robert Moskowitz wrote:
> Is there an update for EDDSA (RFC 8420) for the ipseckey RR?
>
> https://www.iana.org/assignments/ipseckey-rr-parameters/ipseckey-rr-parameters.xhtml
>
> IANA is not showing it, so perhaps it is in a draft somewhere?

I haven't done this.
It's marked IETF Review, so a document is needed (but necessarily standards track).
What's your use case today? Surely not tm-rid?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Re: [IPsec] IPSECKEY Resource Record Parameter for EdDSA
ok

At some point I am going to need one, as 8005 references IPSECKEY for its RR and I am using EdDSA for the tm-rid work.

Since we have a PK length field, that can separate Ed25519 from Ed448.

Right now we are framing our hackathon effort so will just use something. Like 4.

On 10/10/19 4:33 PM, Paul Wouters wrote:
> Not yet,
>
> Also my idea was to skip ECDSA (8-11) and only do one for DigitalSignatures (14) style pubkey (RFC 7427)
>
> Paul
>
> Sent from my iPhone
>
> > On Oct 10, 2019, at 16:11, Robert Moskowitz wrote:
> >
> > Is there an update for EDDSA (RFC 8420) for the ipseckey RR?
> >
> > https://www.iana.org/assignments/ipseckey-rr-parameters/ipseckey-rr-parameters.xhtml
> >
> > IANA is not showing it, so perhaps it is in a draft somewhere?
> >
> > Thanks
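Added example, not part of the thread or any participant's code: the message above notes that a PK length field can separate Ed25519 from Ed448. This Python code parses HIP RR RDATA as laid out in RFC 8005 (HIT length, PK algorithm, PK length, HIT, public key, rendezvous servers) and picks the curve from the key length, rejecting lengths that do not fit. Assumptions: algorithm value 4 is only the hackathon stand-in mentioned in the message, the key is carried in its raw RFC 8032 encoding (32 or 57 bytes), and all sample bytes are constructed.

```python
import struct

# Assumption: 4 is the hackathon stand-in from the message, not an IANA value.
PROVISIONAL_EDDSA_ALG = 4
# Raw public-key sizes defined in RFC 8032.
EDDSA_CURVE_BY_LEN = {32: "Ed25519", 57: "Ed448"}


def parse_hip_rdata(rdata: bytes) -> dict:
    """Split RFC 8005 HIP RDATA into HIT, public key and trailing RVS bytes."""
    if len(rdata) < 4:
        raise ValueError("RDATA shorter than the fixed 4-byte header")
    hit_len, pk_alg, pk_len = struct.unpack("!BBH", rdata[:4])
    end_hit = 4 + hit_len
    end_pk = end_hit + pk_len
    if end_pk > len(rdata):
        raise ValueError("HIT/PK lengths run past the end of RDATA")
    return {
        "pk_alg": pk_alg,
        "hit": rdata[4:end_hit],
        "public_key": rdata[end_hit:end_pk],
        "rvs": rdata[end_pk:],  # wire-format domain names, left unparsed here
    }


def eddsa_curve(record: dict) -> str:
    """Pick the curve from the key length; refuse anything that does not fit."""
    if record["pk_alg"] != PROVISIONAL_EDDSA_ALG:
        raise ValueError(f"algorithm {record['pk_alg']} is not the EdDSA stand-in")
    size = len(record["public_key"])
    if size not in EDDSA_CURVE_BY_LEN:
        raise ValueError(f"{size}-byte key matches neither Ed25519 nor Ed448")
    return EDDSA_CURVE_BY_LEN[size]


def build_rdata(hit: bytes, pk_alg: int, key: bytes) -> bytes:
    """Construct sample RDATA with no rendezvous servers."""
    return struct.pack("!BBH", len(hit), pk_alg, len(key)) + hit + key


# Constructed sample values: dummy HIT and key bytes, not real identities.
SAMPLE_HIT = bytes(range(16))
SAMPLE_25519 = build_rdata(SAMPLE_HIT, PROVISIONAL_EDDSA_ALG, b"\x11" * 32)
SAMPLE_448 = build_rdata(SAMPLE_HIT, PROVISIONAL_EDDSA_ALG, b"\x22" * 57)

if __name__ == "__main__":
    for blob in (SAMPLE_25519, SAMPLE_448):
        print(eddsa_curve(parse_hip_rdata(blob)))
```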
Re: [IPsec] IPSECKEY Resource Record Parameter for EdDSA
Not yet,

Also my idea was to skip ECDSA (8-11) and only do one for DigitalSignatures (14) style pubkey (RFC 7427)

Paul

Sent from my iPhone

> On Oct 10, 2019, at 16:11, Robert Moskowitz wrote:
>
> Is there an update for EDDSA (RFC 8420) for the ipseckey RR?
>
> https://www.iana.org/assignments/ipseckey-rr-parameters/ipseckey-rr-parameters.xhtml
>
> IANA is not showing it, so perhaps it is in a draft somewhere?
>
> Thanks