Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
On 8/11/22 07:35, Tero Kivinen wrote:
> Robert Moskowitz writes:
>> So I think the correct example should be:
>>
>>     foo.example.com IN IPSECKEY
>>         (10 0 4 . 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )
>>
>> I will fix my example. Do you think I should have both examples: with and
>> without gateway?
>
> More examples are usually better as long as they are correct :-)

If you want more, then send them my way.

>> Current IANA registry is:
>>
>>   0  No key is present                                            [RFC4025]
>>   1  A DSA key is present, in the format defined in [RFC2536]     [RFC4025]
>>   2  A RSA key is present, in the format defined in [RFC3110]     [RFC4025]
>>   3  An ECDSA key is present, in the format defined in [RFC6605]  [RFC8005]
>>
>> Per Paul's request I am coming up that for EdDSA I would ask the following be
>> added:
>>
>>   4  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]
>>
>> Note the addition of "Public"
>>
>>   • So should 1 - 3 also have "Public" added?
>>   • Should 4 NOT have "Public"
>>   • Should text be added describing this registry to be for "Public" keys?
>
> The current wording is a bit funny, but I think that it is talking about
> the host properties. I.e., the host having this IPSECKEY RR does have a DSA
> key (both public and private keys), and the public key of that DSA key is
> given inside the IPSECKEY RR in the format defined in RFC2536.

My read of it.

> Perhaps the best wording would be
>
>   3  An ECDSA Public key in the format defined in [RFC6605]
>
> Whether we want to change the other entries to match is then a separate
> issue, and as this registry is IETF Review, I think we need a draft or
> similar to change the wording. I.e., if we want to change the wording of
> other entries, then we could request that change in this document too.

If this is the way you want it, as you are the IPsec IANA registries expert...

Help me with the text, and when this draft is adopted by the workgroup I will
put it into the draft-ietf-ipsecme- release. Then the wg can bash on it a bit
during wglc.

Bob

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
Robert Moskowitz writes:
> So I think the correct example should be:
>
>     foo.example.com IN IPSECKEY
>         (10 0 4 . 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )
>
> I will fix my example. Do you think I should have both examples: with and
> without gateway?

More examples are usually better as long as they are correct :-)

> Current IANA registry is:
>
>   0  No key is present                                            [RFC4025]
>   1  A DSA key is present, in the format defined in [RFC2536]     [RFC4025]
>   2  A RSA key is present, in the format defined in [RFC3110]     [RFC4025]
>   3  An ECDSA key is present, in the format defined in [RFC6605]  [RFC8005]
>
> Per Paul's request I am coming up that for EdDSA I would ask the following be
> added:
>
>   4  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]
>
> Note the addition of "Public"
>
>   • So should 1 - 3 also have "Public" added?
>   • Should 4 NOT have "Public"
>   • Should text be added describing this registry to be for "Public" keys?

The current wording is a bit funny, but I think that it is talking about
the host properties. I.e., the host having this IPSECKEY RR does have a DSA
key (both public and private keys), and the public key of that DSA key is
given inside the IPSECKEY RR in the format defined in RFC2536.

Perhaps the best wording would be

  3  An ECDSA Public key in the format defined in [RFC6605]

Whether we want to change the other entries to match is then a separate
issue, and as this registry is IETF Review, I think we need a draft or
similar to change the wording. I.e., if we want to change the wording of
other entries, then we could request that change in this document too.
--
kivi...@iki.fi
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
On 8/10/22 16:45, Paul Wouters wrote:
>> On Aug 10, 2022, at 16:07, Robert Moskowitz wrote:
>>
>>> On 8/10/22 16:04, Paul Wouters wrote:
>>>> Robert Moskowitz wrote:
>>>> I think I could have the IANA Considerations have a fix for 1 - 3 as well as add 4.
>>> Please do. I talked to IANA and they agreed this was the easiest solution.
>>
>> Should it be:
>>
>>   * public key
>>   * Public key
>>   * Public Key
>
> My preference is Public Key but I don’t feel strongly at all - either of
> these are fine for me.

It is all about is it a Proper Noun or not.

Well, in the end, it will be up to the RFC Editor! :)

>> Here goes:
>
> Looks good, thanks !
>
> Paul
>
>> 4.1. IANA IPSECKEY Registry Update
>>
>>    This document requests IANA to clarify the text in the "Algorithm
>>    Type Field" subregistry of the "IPSECKEY Resource Record Parameters"
>>    [IANA-IPSECKEY] registry to explicitly state this is for "Public"
>>    keys:
>>
>>    Value  Description                                                      Reference
>>
>>    1      A DSA Public key is present, in the format defined in [RFC2536]     [RFC4025]
>>    2      A RSA Public key is present, in the format defined in [RFC3110]     [RFC4025]
>>    3      An ECDSA Public key is present, in the format defined in [RFC6605]  [RFC8005]
>>
>>    Further, this document requests IANA to make the following addition to
>>    the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY] registry:
>>
>>    IPSECKEY:
>>       This document defines the new IPSECKEY value TBD1 (suggested: 4)
>>       (Section 3) in the "Algorithm Type Field" subregistry of the
>>       "IPSECKEY Resource Record Parameters" registry.
>>
>>    Value                     Description                                                         Reference
>>
>>    TBD1 (suggested value 4)  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]
>>
>> ==
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
> On Aug 10, 2022, at 16:07, Robert Moskowitz wrote:
>
>> On 8/10/22 16:04, Paul Wouters wrote:
>>> Robert Moskowitz wrote:
>>> I think I could have the IANA Considerations have a fix for 1 - 3 as well as add 4.
>> Please do. I talked to IANA and they agreed this was the easiest solution.
>
> Should it be:
>
>   public key
>   Public key
>   Public Key

My preference is Public Key but I don’t feel strongly at all - either of
these are fine for me.

> Here goes:

Looks good, thanks !

Paul

> 4.1. IANA IPSECKEY Registry Update
>
>    This document requests IANA to clarify the text in the "Algorithm
>    Type Field" subregistry of the "IPSECKEY Resource Record Parameters"
>    [IANA-IPSECKEY] registry to explicitly state this is for "Public"
>    keys:
>
>    Value  Description                                                      Reference
>
>    1      A DSA Public key is present, in the format defined in [RFC2536]     [RFC4025]
>    2      A RSA Public key is present, in the format defined in [RFC3110]     [RFC4025]
>    3      An ECDSA Public key is present, in the format defined in [RFC6605]  [RFC8005]
>
>    Further, this document requests IANA to make the following addition to
>    the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY] registry:
>
>    IPSECKEY:
>       This document defines the new IPSECKEY value TBD1 (suggested: 4)
>       (Section 3) in the "Algorithm Type Field" subregistry of the
>       "IPSECKEY Resource Record Parameters" registry.
>
>    Value                     Description                                                         Reference
>
>    TBD1 (suggested value 4)  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]
>
> ==
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
On 8/10/22 16:04, Paul Wouters wrote:
>> Robert Moskowitz wrote:
>> I think I could have the IANA Considerations have a fix for 1 - 3 as well as add 4.
> Please do. I talked to IANA and they agreed this was the easiest solution.

Should it be:

  * public key
  * Public key
  * Public Key

??

Here goes:

4.1. IANA IPSECKEY Registry Update

   This document requests IANA to clarify the text in the "Algorithm
   Type Field" subregistry of the "IPSECKEY Resource Record Parameters"
   [IANA-IPSECKEY] registry to explicitly state this is for "Public"
   keys:

   Value  Description                                                      Reference

   1      A DSA Public key is present, in the format defined in [RFC2536]     [RFC4025]
   2      A RSA Public key is present, in the format defined in [RFC3110]     [RFC4025]
   3      An ECDSA Public key is present, in the format defined in [RFC6605]  [RFC8005]

   Further, this document requests IANA to make the following addition to
   the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY] registry:

   IPSECKEY:
      This document defines the new IPSECKEY value TBD1 (suggested: 4)
      (Section 3) in the "Algorithm Type Field" subregistry of the
      "IPSECKEY Resource Record Parameters" registry.

   Value                     Description                                                         Reference

   TBD1 (suggested value 4)  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]

==
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
>> Robert Moskowitz wrote:
>>> I think I could have the IANA Considerations have a fix for 1 - 3 as
>>> well as add 4.

Please do. I talked to IANA and they agreed this was the easiest solution.

Paul
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
Robert Moskowitz wrote:
>> I think it should have public and an errata could be filed for 1-3 ?
>> Or we can draft a separate draft for encoding algo 14 (digital
>> signatures) that also fixes up these entries ?
>>
>> Or this draft could fix them ? Maybe the chairs or AD could give
>> guidance here
> I think I could have the IANA Considerations have a fix for 1 - 3 as
> well as add 4.
> I will work something up and share it here..

Couldn't the IESG just provide IANA some clarifying guidance here?

--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
Paul Wouters wrote:
>> On Aug 10, 2022, at 10:30, Robert Moskowitz
>> wrote:
>>
>> I will fix my example. Do you think I should have both examples: with
>> and without gateway?
> No. First because you are not tunneling and it doesn’t apply to you and
> second because it can only be set for IPSECKEY records in the reverse
> zones, not in any forward zones.

Agreed!

>> Per Paul's request I am coming up that for EdDSA I would ask the
>> following be added:
>>
>>   4  An EdDSA Public key is present, in the format defined in [RFC8080]
>>      [This]
>>
>> Note the addition of "Public"
>>
>> So should 1 - 3 also have "Public" added? Should 4 NOT have "Public"
>> Should text be added describing this registry to be for "Public" keys?
> I think it should have public and an errata could be filed for 1-3 ? Or
> we can draft a separate draft for encoding algo 14 (digital signatures)
> that also fixes up these entries ?

I supposed that the word public could be added all over the Registry.
I think that RFC4025 has the word in enough places that it should be
obvious that a private key does not go there.

So this seems like printing "This bag is not a toy" on stuff, but I don't
object to this.

--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
Paul,

On 8/10/22 11:09, Paul Wouters wrote:
>> On Aug 10, 2022, at 10:30, Robert Moskowitz wrote:
>>
>> I will fix my example. Do you think I should have both examples: with and
>> without gateway?
>
> No. First because you are not tunneling and it doesn’t apply to you and
> second because it can only be set for IPSECKEY records in the reverse
> zones, not in any forward zones.
>
>> Current IANA registry is:
>>
>>   0  No key is present                                            [RFC4025]
>>   1  A DSA key is present, in the format defined in [RFC2536]     [RFC4025]
>>   2  A RSA key is present, in the format defined in [RFC3110]     [RFC4025]
>>   3  An ECDSA key is present, in the format defined in [RFC6605]  [RFC8005]
>>
>> Per Paul's request I am coming up that for EdDSA I would ask the following be
>> added:
>>
>>   4  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]
>>
>> Note the addition of "Public"
>>
>>   * So should 1 - 3 also have "Public" added?
>>   * Should 4 NOT have "Public"
>>   * Should text be added describing this registry to be for "Public" keys?
>
> I think it should have public and an errata could be filed for 1-3 ? Or
> we can draft a separate draft for encoding algo 14 (digital signatures)
> that also fixes up these entries ?
>
> Or this draft could fix them ? Maybe the chairs or AD could give
> guidance here

I think I could have the IANA Considerations have a fix for 1 - 3 as well
as add 4.

I will work something up and share it here..

> Thanks Bob!
>
> Paul
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
> On Aug 10, 2022, at 10:30, Robert Moskowitz wrote:
>
> I will fix my example. Do you think I should have both examples: with and
> without gateway?

No. First because you are not tunneling and it doesn’t apply to you and
second because it can only be set for IPSECKEY records in the reverse
zones, not in any forward zones.

> Current IANA registry is:
>
>   0  No key is present                                            [RFC4025]
>   1  A DSA key is present, in the format defined in [RFC2536]     [RFC4025]
>   2  A RSA key is present, in the format defined in [RFC3110]     [RFC4025]
>   3  An ECDSA key is present, in the format defined in [RFC6605]  [RFC8005]
>
> Per Paul's request I am coming up that for EdDSA I would ask the following be
> added:
>
>   4  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]
>
> Note the addition of "Public"
>
> So should 1 - 3 also have "Public" added?
> Should 4 NOT have "Public"
> Should text be added describing this registry to be for "Public" keys?

I think it should have public and an errata could be filed for 1-3 ? Or
we can draft a separate draft for encoding algo 14 (digital signatures)
that also fixes up these entries ?

Or this draft could fix them ? Maybe the chairs or AD could give
guidance here

Thanks Bob!

Paul
Re: [IPsec] Fwd: New Version Notification for draft-moskowitz-ipsecme-ipseckey-eddsa-01.txt
Tero,

Thanks for the review.

On 8/9/22 11:46, Tero Kivinen wrote:
> Robert Moskowitz writes:
>> This latest ver is in response to comments received.
>>
>> Please review Appendix A that I have the RR properly set up.
>
> I think the priority needs to be in decimal, and you are missing the
> gateway address. I.e., at least the 4025 has examples as follows:
>
>     38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
>         192.0.2.38
>         AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
>
> where you have:
>
>     foo.example.com IN IPSECKEY (a 0 4
>         3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )
>
> The generic format from 4025 is:
>
>     IN IPSECKEY ( precedence gateway-type algorithm gateway
>         base64-encoded-public-key )
>
> and also says:
>
>     If no gateway is to be indicated, then the gateway type field MUST
>     be zero, and the gateway field MUST be "."

I missed that in my read of 4025.

So I think the correct example should be:

    foo.example.com IN IPSECKEY (10 0 4 .
        3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )

I will fix my example. Do you think I should have both examples: with and
without gateway?

>> I also have questions about the text added to specify this is for
>> public key lookup. Please review how I have said this in the draft.
>>
>> Also the text for use in the IPSECKEY registry is at odds with the text
>> for the current values. What to do? Instruct IANA to adjust the text
>> for values 1 - 3 to match?
>
> What do you mean with this?

Current IANA registry is:

  0  No key is present                                            [RFC4025]
  1  A DSA key is present, in the format defined in [RFC2536]     [RFC4025]
  2  A RSA key is present, in the format defined in [RFC3110]     [RFC4025]
  3  An ECDSA key is present, in the format defined in [RFC6605]  [RFC8005]

Per Paul's request I am coming up that for EdDSA I would ask the following
be added:

  4  An EdDSA Public key is present, in the format defined in [RFC8080]  [This]

Note the addition of "Public"

  * So should 1 - 3 also have "Public" added?
  * Should 4 NOT have "Public"
  * Should text be added describing this registry to be for "Public" keys?

Choice one (I hope!)

Write text to go at the beginning that this is for public keys and remove
the proposed such text for the eddsa value.

I have not (yet) found any IANA registry that has such text, and any
points would help this discussion.

Bob
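The RFC 4025 presentation-format rules Tero quotes in the exchange above (decimal precedence, gateway type 0 paired with a "." gateway field, base64 public key), applied to the records from this thread. This is an added example, not part of any message in the thread and not the draft's or IANA's code; it assumes algorithm value 4 means EdDSA as the draft proposes (TBD1 until assigned), uses the RFC 8080 raw key lengths (32 octets Ed25519, 57 octets Ed448) as the EdDSA key check, and the "constructed" records in EXAMPLES are made up to isolate one defect each.

```python
"""Parser and sanity checker for the IPSECKEY RR presentation format (RFC 4025).

Added example for this thread, not code from the draft or from any poster.
Assumes RFC 4025 field order (precedence gateway-type algorithm gateway
public-key), RFC 8080 raw EdDSA key lengths, and treats algorithm 4 as the
EdDSA value this draft proposes (TBD1, an assumption until IANA assigns it).
"""
import base64
import ipaddress
import re
from dataclasses import dataclass

# Gateway type values from RFC 4025.
GATEWAY_TYPES = {0: "no gateway", 1: "IPv4", 2: "IPv6", 3: "domain name"}

# Algorithm type values as quoted from the IANA registry in the thread;
# 4 is the value proposed for EdDSA and is an assumption until assigned.
ALGORITHMS = {0: "no key", 1: "DSA", 2: "RSA", 3: "ECDSA", 4: "EdDSA (proposed)"}

# RFC 8080: raw Ed25519 public keys are 32 octets, raw Ed448 keys 57 octets.
EDDSA_KEY_LENGTHS = {32, 57}

DECIMAL = re.compile(r"[0-9]+")
LOOSE_DNAME = re.compile(r"[A-Za-z0-9_.-]+")  # loose domain-name check, an assumption


@dataclass
class IPSECKEY:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: str
    public_key: bytes


def parse_ipseckey(rdata: str) -> IPSECKEY:
    """Parse IPSECKEY RDATA in presentation form; raise ValueError on a
    violation of the RFC 4025 rules the thread discusses."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError(f"expected precedence, gateway type, algorithm and gateway; got {fields}")
    prec_s, gwtype_s, alg_s, gateway, *key_parts = fields

    # The three numeric fields are unsigned decimal integers in presentation format.
    for name, text in (("precedence", prec_s), ("gateway type", gwtype_s), ("algorithm", alg_s)):
        if not DECIMAL.fullmatch(text):
            raise ValueError(f"{name} must be decimal, got {text!r}")
    precedence, gateway_type, algorithm = int(prec_s), int(gwtype_s), int(alg_s)
    if not 0 <= precedence <= 255:
        raise ValueError(f"precedence {precedence} does not fit the 8-bit field")
    if gateway_type not in GATEWAY_TYPES:
        raise ValueError(f"unknown gateway type {gateway_type}")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {algorithm}")

    # The gateway field must agree with the gateway type; RFC 4025: with no
    # gateway the type MUST be 0 and the gateway field MUST be ".".
    if gateway_type == 0:
        if gateway != ".":
            raise ValueError(f'gateway type 0 requires gateway ".", got {gateway!r}')
    elif gateway_type == 1:
        ipaddress.IPv4Address(gateway)  # raises ValueError if not an IPv4 address
    elif gateway_type == 2:
        ipaddress.IPv6Address(gateway)  # raises ValueError if not an IPv6 address
    elif not LOOSE_DNAME.fullmatch(gateway):
        raise ValueError(f"gateway type 3 requires a domain name, got {gateway!r}")

    # The public key is base64 and may be split across whitespace in a zone file.
    public_key = base64.b64decode("".join(key_parts), validate=True)  # binascii.Error is a ValueError
    if algorithm != 0 and not public_key:
        raise ValueError(f"algorithm {algorithm} ({ALGORITHMS[algorithm]}) but no public key")
    if algorithm == 4 and len(public_key) not in EDDSA_KEY_LENGTHS:
        raise ValueError(f"EdDSA key must be 32 or 57 octets (RFC 8080), got {len(public_key)}")
    return IPSECKEY(precedence, gateway_type, algorithm, gateway, public_key)


# Records quoted in the thread, plus constructed variants that isolate one defect each.
EXAMPLES = {
    "rfc4025-example":    "( 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )",
    "draft-01-example":   "(a 0 4 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )",
    "corrected-example":  "(10 0 4 . 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )",
    # constructed: precedence made decimal but the "." gateway field still missing
    "decimal-no-gateway": "(10 0 4 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )",
    # constructed: gateway type 0 but an address given anyway
    "type0-with-address": "(10 0 4 192.0.2.38 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )",
    # constructed: the 34-octet RSA key blob from the RFC 4025 example labelled as EdDSA
    "rsa-blob-as-eddsa":  "(10 0 4 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )",
}


def check_record(rdata: str) -> str:
    """Return "ok" or "error: <reason>" for one record's RDATA."""
    try:
        parse_ipseckey(rdata)
        return "ok"
    except ValueError as exc:
        return f"error: {exc}"


def check_examples() -> dict:
    """Run every record in EXAMPLES through the checker."""
    return {name: check_record(rdata) for name, rdata in EXAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_examples().items():
        print(f"{name:20s} {verdict}")
```

Run stand-alone, the RFC 4025 record and the corrected draft record pass, the -01 record fails on the non-decimal precedence, and the "decimal-no-gateway" variant shows Tero's second point: once the precedence is fixed, the base64 blob lands in the gateway slot and the "." rule catches it. The EdDSA length check is the one check here that is not from RFC 4025; it comes from the RFC 8080 key format the draft references.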