From nobody Tue Nov 16 02:54:04 2021 Return-Path: X-Original-To: curdle@ietfa.amsl.com Delivered-To: curdle@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D2B83A07E9 for ; Tue, 16 Nov 2021 02:54:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5K5Pj4MBU4bJ for ; Tue, 16 Nov 2021 02:53:57 -0800 (PST) Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6635D3A07E7 for ; Tue, 16 Nov 2021 02:53:57 -0800 (PST) Received: by rfc-editor.org (Postfix, from userid 499) id 21FA01FCF52; Tue, 16 Nov 2021 02:53:57 -0800 (PST) To: simon@josefsson.org, ietf@augustcellars.com, rdd@cert.org, kaduk@mit.edu, daniel.migault@ericsson.com, rsalz@akamai.com From: RFC Errata System Cc: daniel.minder@utimaco.com, curdle@ietf.org, rfc-editor@rfc-editor.org Content-Type: text/plain; charset=UTF-8 Message-Id: <20211116105357.21FA01FCF52@rfc-editor.org> Date: Tue, 16 Nov 2021 02:53:57 -0800 (PST) Archived-At: Subject: [Curdle] [Technical Errata Reported] RFC8410 (6738) X-BeenThere: curdle@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "List for discussion of potential new security area wg." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Nov 2021 10:54:03 -0000 The following errata report has been submitted for RFC8410, "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6738 -------------------------------------- Type: Technical Reported by: Daniel Minder Section: 7 and 10.3 Original Text ------------- Section 7 says OneAsymmetricKey ::= SEQUENCE { version Version, privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, privateKey PrivateKey, attributes [0] IMPLICIT Attributes OPTIONAL, ..., [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], ... } 2nd example given in both section 7 and section 10.3: -----BEGIN PRIVATE KEY----- MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB Z9w7lshQhqowtrbLDFw4rXAxZuE= -----END PRIVATE KEY------ ASN.1 dump of this private key in section 10.3: The same item dumped as ASN.1 yields: 0 114: SEQUENCE { 2 1: INTEGER 1 5 5: SEQUENCE { 7 3: OBJECT IDENTIFIER '1 3 101 112' : } 12 34: OCTET STRING, encapsulates { : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 : 58 42 : } 48 31: [0] { 50 29: SEQUENCE { 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' 64 15: SET { 66 13: UTF8String 'Curdle Chairs' : } : } : } 81 33: [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 E1 : } Corrected Text -------------- Correct definition in section 7: OneAsymmetricKey ::= SEQUENCE { version Version, privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, privateKey PrivateKey, attributes [0] Attributes OPTIONAL, ..., [[2: publicKey [1] PublicKey OPTIONAL ]], ... } Example key in section 7 and 10.3: -----BEGIN PRIVATE KEY----- MHQCAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzoSMDIQAZv0QJaYTN/oVB usFn3DuWyFCGqjC2tssMXDitcDFm4Q== -----END PRIVATE KEY----- ASN.1 dump of this private key in section 10.3: 0 116: SEQUENCE { 2 1: INTEGER 1 5 5: SEQUENCE { 7 3: OBJECT IDENTIFIER '1 3 101 112' : } 12 34: OCTET STRING, encapsulates { : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 : 58 42 : } 48 31: [0] { 50 29: SEQUENCE { 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' 64 15: SET { 66 13: UTF8String 'Curdle Chairs' : } : } : } 81 35: [1] { 83 33: BIT STRING { 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 E1 } } : } Notes ----- OneAsymmetricKey is defined in RFC 5958. It does NOT define attributes and publicKey as IMPLICIT. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC8410 (draft-ietf-curdle-pkix-10) -------------------------------------- Title : Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure Publication Date : August 2018 Author(s) : S. Josefsson, J. Schaad Category : PROPOSED STANDARD Source : CURves, Deprecating and a Little more Encryption Area : Security Stream : IETF Verifying Party : IESG From nobody Tue Nov 16 06:13:09 2021 Return-Path: X-Original-To: curdle@ietfa.amsl.com Delivered-To: curdle@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B39983A0064 for ; Tue, 16 Nov 2021 06:13:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.897 X-Spam-Level: X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PxsrBwfqOneg for ; Tue, 16 Nov 2021 06:13:03 -0800 (PST) Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 669113A0062 for ; Tue, 16 Nov 2021 06:13:03 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 108D1300BE3 for ; Tue, 16 Nov 2021 09:13:05 -0500 (EST) X-Virus-Scanned: amavisd-new at mail.smeinc.net Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3vvahtuxzxcV for ; Tue, 16 Nov 2021 09:12:57 -0500 (EST) Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 803C23001A8; Tue, 16 Nov 2021 09:12:55 -0500 (EST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\)) From: Russ Housley In-Reply-To: <20211116105357.21FA01FCF52@rfc-editor.org> Date: Tue, 16 Nov 2021 09:12:52 -0500 Cc: Simon Josefsson , "Roman D. Danyliw" , Ben Kaduk , daniel.migault@ericsson.com, Rich Salz , curdle@ietf.org, RFC Editor Content-Transfer-Encoding: quoted-printable Message-Id: <5E5DECA1-8701-4E45-84D2-0C03D6438C69@vigilsec.com> References: <20211116105357.21FA01FCF52@rfc-editor.org> To: daniel.minder@utimaco.com X-Mailer: Apple Mail (2.3445.104.21) Archived-At: Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (6738) X-BeenThere: curdle@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "List for discussion of potential new security area wg." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Nov 2021 14:13:09 -0000 Daniel: RFC 5958 imports the definition of ATTRIBUTE from the = PKIX-CommonTypes-2009 module in RFC 5912. You will see at the top of the ASN.1 module in RFC 5958 the phrase = "DEFINITIONS IMPLICIT TAGS". This means that the definitions use = implicit tagging unless the definition itself includes "EXPLICIT" to = override the module default. However, the PKIX-CommonTypes-2009 module in RFC 5912 has the phrase = "DEFINITIONS EXPLICIT TAGS". Thus, the Attributes SEQUENCE should have = explicit tags as shown in the examples Therefore, the only correction needed is the incorrect quote from RFC = 5958 in Section 7 of RFC 8410. ORIGINAL TEXT: OneAsymmetricKey ::=3D SEQUENCE { version Version, privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, privateKey PrivateKey, attributes [0] IMPLICIT Attributes OPTIONAL, ..., [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], ... } CORRECTED TEXT: OneAsymmetricKey ::=3D SEQUENCE { version Version, privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, privateKey PrivateKey, attributes [0] Attributes OPTIONAL, ..., [[2: publicKey [1] PublicKey OPTIONAL ]], ... } Hope this helps, Russ > On Nov 16, 2021, at 5:53 AM, RFC Errata System = wrote: >=20 > The following errata report has been submitted for RFC8410, > "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in = the Internet X.509 Public Key Infrastructure". >=20 > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid6738 >=20 > -------------------------------------- > Type: Technical > Reported by: Daniel Minder >=20 > Section: 7 and 10.3 >=20 > Original Text > ------------- > Section 7 says >=20 > OneAsymmetricKey ::=3D SEQUENCE { > version Version, > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > privateKey PrivateKey, > attributes [0] IMPLICIT Attributes OPTIONAL, > ..., > [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], > ... > } >=20 > 2nd example given in both section 7 and section 10.3: >=20 > -----BEGIN PRIVATE KEY----- > MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC > oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB > Z9w7lshQhqowtrbLDFw4rXAxZuE=3D > -----END PRIVATE KEY------ >=20 > ASN.1 dump of this private key in section 10.3: >=20 > The same item dumped as ASN.1 yields: >=20 > 0 114: SEQUENCE { > 2 1: INTEGER 1 > 5 5: SEQUENCE { > 7 3: OBJECT IDENTIFIER '1 3 101 112' > : } > 12 34: OCTET STRING, encapsulates { > : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 > : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 > : 58 42 > : } > 48 31: [0] { > 50 29: SEQUENCE { > 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' > 64 15: SET { > 66 13: UTF8String 'Curdle Chairs' > : } > : } > : } > 81 33: [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B > 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 > E1 > : } >=20 >=20 > Corrected Text > -------------- > Correct definition in section 7: >=20 > OneAsymmetricKey ::=3D SEQUENCE { > version Version, > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > privateKey PrivateKey, > attributes [0] Attributes OPTIONAL, > ..., > [[2: publicKey [1] PublicKey OPTIONAL ]], > ... > } >=20 > Example key in section 7 and 10.3: >=20 > -----BEGIN PRIVATE KEY----- > MHQCAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC > oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzoSMDIQAZv0QJaYTN/oVB > usFn3DuWyFCGqjC2tssMXDitcDFm4Q=3D=3D > -----END PRIVATE KEY----- >=20 >=20 > ASN.1 dump of this private key in section 10.3: >=20 > 0 116: SEQUENCE { > 2 1: INTEGER 1 > 5 5: SEQUENCE { > 7 3: OBJECT IDENTIFIER '1 3 101 112' > : } > 12 34: OCTET STRING, encapsulates { > : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 > : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 > : 58 42 > : } > 48 31: [0] { > 50 29: SEQUENCE { > 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' > 64 15: SET { > 66 13: UTF8String 'Curdle Chairs' > : } > : } > : } > 81 35: [1] { =20 > 83 33: BIT STRING { > 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B > 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 > E1 > } > } > : } >=20 >=20 > Notes > ----- > OneAsymmetricKey is defined in RFC 5958. It does NOT define attributes = and publicKey as IMPLICIT. >=20 > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party =20 > can log in to change the status and edit the report, if necessary.=20 >=20 > -------------------------------------- > RFC8410 (draft-ietf-curdle-pkix-10) > -------------------------------------- > Title : Algorithm Identifiers for Ed25519, Ed448, = X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure > Publication Date : August 2018 > Author(s) : S. Josefsson, J. Schaad > Category : PROPOSED STANDARD > Source : CURves, Deprecating and a Little more Encryption > Area : Security > Stream : IETF > Verifying Party : IESG >=20 > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle From prvs=0954a48b03=daniel.minder@utimaco.com Tue Nov 16 07:13:03 2021 Return-Path: X-Original-To: curdle@ietfa.amsl.com Delivered-To: curdle@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A5283A05DC for ; Tue, 16 Nov 2021 07:13:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.1 X-Spam-Level: X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=utimaco.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YbNr0e-AZJWQ for ; Tue, 16 Nov 2021 07:12:55 -0800 (PST) Received: from mx2.utimaco.com (mx2.utimaco.com [93.159.251.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BA8D3A05A9 for ; Tue, 16 Nov 2021 07:12:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=utimaco.com ; s=dkim1; h=Content-Transfer-Encoding:Content-Type:MIME-Version:In-Reply-To: References:Message-ID:Date:Subject:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=dUQ5RVWsssK0sA94DBV0Bd3iJabIivdW7Vb3cAye2ok=; b=E/JpJRP3Rinz4cwYKjEJaSn500 kj/+/ySUQhH6aFZTazKyaSd2n4frXQlmUrmDO2ubUZl+OXgPE1QBx91MIz1Mz+NXK4IJhq8mZR83p 0ITHmoit9C71nLnRrMklAANvUrmlapKm+mIdWn1IrYUCouhwaz7x3l/KeQ9k/M5GHr3Md5KOl60w7 FISSaJMSx7/g8ksZSAT/O7thcXRRwsOffHY5Mr8CNJ9MCz35Ct44sB7owmWcog3xvCZCi3rgSAAWQ ORioNjXFr8GL08Jz2i1BgphL8lMhDDziqvI2RmDtav31ctkbzb/ZgWiTnnIh92ZHmi48OkEyjSdC6 SwasGReQ==; Received: from [172.20.92.60] (port=58104 helo=de-ac-sr-smgw1.uti.local) by mx2.utimaco.com with esmtps (TLS1.2) tls TLS_ECDH_anon_WITH_AES_256_CBC_SHA (Exim 4.94.2) (envelope-from ) id 1mn08S-00027A-03 for curdle@ietf.org; Tue, 16 Nov 2021 16:12:36 +0100 Received: from de-ac-sr-smgw1.uti.local (de-ac-sr-smgw1.uti.local [127.0.0.1]) by de-ac-sr-smgw1.uti.local (Postfix) with ESMTP id EA9CA182271 for ; Tue, 16 Nov 2021 16:12:35 +0100 (CET) From: Daniel Minder To: Russ Housley CC: Simon Josefsson , "Roman D. Danyliw" , Ben Kaduk , "daniel.migault@ericsson.com" , Rich Salz , "curdle@ietf.org" , RFC Editor Thread-Topic: [Curdle] [Technical Errata Reported] RFC8410 (6738) Thread-Index: AQHX2thFgOAn0Fs9YkmSChSrLQbigKwGIaEAgAAfVXA= Date: Tue, 16 Nov 2021 15:11:45 +0000 Message-ID: <1940223ae4324f15a84963142aeddf8c@utimaco.com> References: <20211116105357.21FA01FCF52@rfc-editor.org> <5E5DECA1-8701-4E45-84D2-0C03D6438C69@vigilsec.com> In-Reply-To: <5E5DECA1-8701-4E45-84D2-0C03D6438C69@vigilsec.com> Accept-Language: de-DE, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.17.0.164] x-c2processedorg: 35941bba-ece4-4902-98a7-5f032c87e04d MIME-Version: 1.0 X-CompuMailGateway: Version: 7.00.0.21112.i686 COMPUMAIL Date: 20211116151233Z Content-Language: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Archived-At: X-Mailman-Approved-At: Tue, 16 Nov 2021 07:15:10 -0800 Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (6738) X-BeenThere: curdle@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "List for discussion of potential new security area wg." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Nov 2021 15:14:38 -0000 UnVzcywNCg0KeW91IGFyZSByaWdodC4gSXQgc2VlbXMgSSBjb21wbGV0ZWx5IG1pc3NlZCB0aGF0 IGhlYWRlci4NClNpbmNlIGluIHNlY3Rpb24gNyB0aGVyZSBpcyBubyBjb21wbGV0ZSBtb2R1bGUg ZGVmaW5pdGlvbiBhbmQgdGhlICJERUZJTklUSU9OUyBJTVBMSUNJVCBUQUdTIiBpcyBtaXNzaW5n IGhlcmUsIG9uZSBjb3VsZCBwZXJmZWN0bHkgYXJndWUgdGhhdCB0aGUgIklNUExJQ0lUIiBzdGF0 ZW1lbnQgY291bGQgYmUgaW5jbHVkZWQgZm9yIGNsYXJpdHkuDQoNCkkgdGhvdWdodCBJIGNhbWUg YWNyb3NzIGEgUEtDUyM4IC8gT25lQXN5bW1ldHJpY0tleSBleGFtcGxlIGluIGFub3RoZXIgUkZD IG9yIGEgc3RhbmRhcmQgdG9vbCwgYnV0IEkgY2Fubm90IGZpbmQgaXQgYW55bW9yZS4gSSB3YXMg cHJvYmFibHkgd3JvbmcgaGVyZSwgdG9vLg0KDQpQbGVhc2UgZXhjdXNlIHRoZSBkaXN0dXJiYW5j ZS4gSSdtIG9rIHRvIHJlamVjdCB0aGUgZXJyYXRhIGNvbXBsZXRlbHkuDQoNClRoYW5rcywNCkRh bmllbA0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogUnVzcyBIb3VzbGV5IDxo b3VzbGV5QHZpZ2lsc2VjLmNvbT4NClNlbnQ6IERpZW5zdGFnLCAxNi4gTm92ZW1iZXIgMjAyMSAx NToxMw0KVG86IERhbmllbCBNaW5kZXIgPERhbmllbC5NaW5kZXJAdXRpbWFjby5jb20+DQpDYzog U2ltb24gSm9zZWZzc29uIDxzaW1vbkBqb3NlZnNzb24ub3JnPjsgUm9tYW4gRC4gRGFueWxpdyA8 cmRkQGNlcnQub3JnPjsgQmVuIEthZHVrIDxrYWR1a0BtaXQuZWR1PjsgZGFuaWVsLm1pZ2F1bHRA ZXJpY3Nzb24uY29tOyBSaWNoIFNhbHogPHJzYWx6QGFrYW1haS5jb20+OyBjdXJkbGVAaWV0Zi5v cmc7IFJGQyBFZGl0b3IgPHJmYy1lZGl0b3JAcmZjLWVkaXRvci5vcmc+DQpTdWJqZWN0OiBSZTog W0N1cmRsZV0gW1RlY2huaWNhbCBFcnJhdGEgUmVwb3J0ZWRdIFJGQzg0MTAgKDY3MzgpDQoNCkRh bmllbDoNCg0KUkZDIDU5NTggaW1wb3J0cyB0aGUgZGVmaW5pdGlvbiBvZiBBVFRSSUJVVEUgZnJv bSB0aGUgUEtJWC1Db21tb25UeXBlcy0yMDA5IG1vZHVsZSBpbiBSRkMgNTkxMi4NCg0KWW91IHdp bGwgc2VlIGF0IHRoZSB0b3Agb2YgdGhlIEFTTi4xIG1vZHVsZSBpbiBSRkMgNTk1OCB0aGUgcGhy YXNlICJERUZJTklUSU9OUyBJTVBMSUNJVCBUQUdTIi4gIFRoaXMgbWVhbnMgdGhhdCB0aGUgZGVm aW5pdGlvbnMgdXNlIGltcGxpY2l0IHRhZ2dpbmcgdW5sZXNzIHRoZSBkZWZpbml0aW9uIGl0c2Vs ZiBpbmNsdWRlcyAiRVhQTElDSVQiIHRvIG92ZXJyaWRlIHRoZSBtb2R1bGUgZGVmYXVsdC4NCg0K SG93ZXZlciwgdGhlIFBLSVgtQ29tbW9uVHlwZXMtMjAwOSBtb2R1bGUgaW4gUkZDIDU5MTIgaGFz IHRoZSBwaHJhc2UgIkRFRklOSVRJT05TIEVYUExJQ0lUIFRBR1MiLiAgVGh1cywgdGhlIEF0dHJp YnV0ZXMgU0VRVUVOQ0Ugc2hvdWxkIGhhdmUgZXhwbGljaXQgdGFncyBhcyBzaG93biBpbiB0aGUg ZXhhbXBsZXMNCg0KVGhlcmVmb3JlLCB0aGUgb25seSBjb3JyZWN0aW9uIG5lZWRlZCBpcyB0aGUg aW5jb3JyZWN0IHF1b3RlIGZyb20gUkZDIDU5NTggaW4gU2VjdGlvbiA3IG9mIFJGQyA4NDEwLg0K DQpPUklHSU5BTCBURVhUOg0KDQogICBPbmVBc3ltbWV0cmljS2V5IDo6PSBTRVFVRU5DRSB7DQog ICAgICB2ZXJzaW9uIFZlcnNpb24sDQogICAgICBwcml2YXRlS2V5QWxnb3JpdGhtIFByaXZhdGVL ZXlBbGdvcml0aG1JZGVudGlmaWVyLA0KICAgICAgcHJpdmF0ZUtleSBQcml2YXRlS2V5LA0KICAg ICAgYXR0cmlidXRlcyBbMF0gSU1QTElDSVQgQXR0cmlidXRlcyBPUFRJT05BTCwNCiAgICAgIC4u LiwNCiAgICAgIFtbMjogcHVibGljS2V5IFsxXSBJTVBMSUNJVCBQdWJsaWNLZXkgT1BUSU9OQUwg XV0sDQogICAgICAuLi4NCiAgIH0NCg0KQ09SUkVDVEVEIFRFWFQ6DQoNCiAgICAgT25lQXN5bW1l dHJpY0tleSA6Oj0gU0VRVUVOQ0Ugew0KICAgICAgIHZlcnNpb24gVmVyc2lvbiwNCiAgICAgICBw cml2YXRlS2V5QWxnb3JpdGhtIFByaXZhdGVLZXlBbGdvcml0aG1JZGVudGlmaWVyLA0KICAgICAg IHByaXZhdGVLZXkgUHJpdmF0ZUtleSwNCiAgICAgICBhdHRyaWJ1dGVzIFswXSBBdHRyaWJ1dGVz IE9QVElPTkFMLA0KICAgICAgIC4uLiwNCiAgICAgICBbWzI6IHB1YmxpY0tleSBbMV0gUHVibGlj S2V5IE9QVElPTkFMIF1dLA0KICAgICAgIC4uLg0KICAgICB9DQoNCkhvcGUgdGhpcyBoZWxwcywN CiBSdXNzDQoNCg0KPiBPbiBOb3YgMTYsIDIwMjEsIGF0IDU6NTMgQU0sIFJGQyBFcnJhdGEgU3lz dGVtIDxyZmMtZWRpdG9yQHJmYy1lZGl0b3Iub3JnPiB3cm90ZToNCj4NCj4gVGhlIGZvbGxvd2lu ZyBlcnJhdGEgcmVwb3J0IGhhcyBiZWVuIHN1Ym1pdHRlZCBmb3IgUkZDODQxMCwgIkFsZ29yaXRo bQ0KPiBJZGVudGlmaWVycyBmb3IgRWQyNTUxOSwgRWQ0NDgsIFgyNTUxOSwgYW5kIFg0NDggZm9y IFVzZSBpbiB0aGUgSW50ZXJuZXQgWC41MDkgUHVibGljIEtleSBJbmZyYXN0cnVjdHVyZSIuDQo+ DQo+IC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQo+IFlvdSBtYXkgcmV2 aWV3IHRoZSByZXBvcnQgYmVsb3cgYW5kIGF0Og0KPiBodHRwczovL3d3dy5yZmMtZWRpdG9yLm9y Zy9lcnJhdGEvZWlkNjczOA0KPg0KPiAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLQ0KPiBUeXBlOiBUZWNobmljYWwNCj4gUmVwb3J0ZWQgYnk6IERhbmllbCBNaW5kZXIgPGRh bmllbC5taW5kZXJAdXRpbWFjby5jb20+DQo+DQo+IFNlY3Rpb246IDcgYW5kIDEwLjMNCj4NCj4g T3JpZ2luYWwgVGV4dA0KPiAtLS0tLS0tLS0tLS0tDQo+IFNlY3Rpb24gNyBzYXlzDQo+DQo+ICAg T25lQXN5bW1ldHJpY0tleSA6Oj0gU0VRVUVOQ0Ugew0KPiAgICAgIHZlcnNpb24gVmVyc2lvbiwN Cj4gICAgICBwcml2YXRlS2V5QWxnb3JpdGhtIFByaXZhdGVLZXlBbGdvcml0aG1JZGVudGlmaWVy LA0KPiAgICAgIHByaXZhdGVLZXkgUHJpdmF0ZUtleSwNCj4gICAgICBhdHRyaWJ1dGVzIFswXSBJ TVBMSUNJVCBBdHRyaWJ1dGVzIE9QVElPTkFMLA0KPiAgICAgIC4uLiwNCj4gICAgICBbWzI6IHB1 YmxpY0tleSBbMV0gSU1QTElDSVQgUHVibGljS2V5IE9QVElPTkFMIF1dLA0KPiAgICAgIC4uLg0K PiAgIH0NCj4NCj4gMm5kIGV4YW1wbGUgZ2l2ZW4gaW4gYm90aCBzZWN0aW9uIDcgYW5kIHNlY3Rp b24gMTAuMzoNCj4NCj4gICAtLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS0NCj4gICBNSElDQVFF d0JRWURLMlZ3QkNJRUlOVHVjdHY1RTFoSzFiYlk4ZmRwK0swNi9ud295L0hVKytDWHFJOUVkVmhD DQo+ICAgb0I4d0hRWUtLb1pJaHZjTkFRa0pGREVQREExRGRYSmtiR1VnUTJoaGFYSnpnU0VBR2I5 RUNXbUV6ZjZGUWJyQg0KPiAgIFo5dzdsc2hRaHFvd3RyYkxERnc0clhBeFp1RT0NCj4gICAtLS0t LUVORCBQUklWQVRFIEtFWS0tLS0tLQ0KPg0KPiBBU04uMSBkdW1wIG9mIHRoaXMgcHJpdmF0ZSBr ZXkgaW4gc2VjdGlvbiAxMC4zOg0KPg0KPiAgIFRoZSBzYW1lIGl0ZW0gZHVtcGVkIGFzIEFTTi4x IHlpZWxkczoNCj4NCj4gICAgIDAgMTE0OiBTRVFVRU5DRSB7DQo+ICAgICAyICAgMTogICBJTlRF R0VSIDENCj4gICAgIDUgICA1OiAgIFNFUVVFTkNFIHsNCj4gICAgIDcgICAzOiAgICAgT0JKRUNU IElERU5USUZJRVIgJzEgMyAxMDEgMTEyJw0KPiAgICAgICAgICA6ICAgICB9DQo+ICAgIDEyICAz NDogICBPQ1RFVCBTVFJJTkcsIGVuY2Fwc3VsYXRlcyB7DQo+ICAgICAgICAgIDogICAgIDA0IDIw IEQ0IEVFIDcyIERCIEY5IDEzIDU4IDRBIEQ1IEI2IEQ4IEYxIEY3IDY5DQo+ICAgICAgICAgIDog ICAgIEY4IEFEIDNBIEZFIDdDIDI4IENCIEYxIEQ0IEZCIEUwIDk3IEE4IDhGIDQ0IDc1DQo+ICAg ICAgICAgIDogICAgIDU4IDQyDQo+ICAgICAgICAgIDogICAgIH0NCj4gICAgNDggIDMxOiAgIFsw XSB7DQo+ICAgIDUwICAyOTogICAgIFNFUVVFTkNFIHsNCj4gICAgNTIgIDEwOiAgICAgICBPQkpF Q1QgSURFTlRJRklFUiAnMSAyIDg0MCAxMTM1NDkgMSA5IDkgMjAnDQo+ICAgIDY0ICAxNTogICAg ICAgU0VUIHsNCj4gICAgNjYgIDEzOiAgICAgICAgIFVURjhTdHJpbmcgJ0N1cmRsZSBDaGFpcnMn DQo+ICAgICAgICAgIDogICAgICAgICB9DQo+ICAgICAgICAgIDogICAgICAgfQ0KPiAgICAgICAg ICA6ICAgICB9DQo+ICAgODEgIDMzOiAgIFsxXSAwMCAxOSBCRiA0NCAwOSA2OSA4NCBDRCBGRSA4 NSA0MSBCQSBDMSA2NyBEQyAzQg0KPiAgICAgICAgICAgICAgICAgOTYgQzggNTAgODYgQUEgMzAg QjYgQjYgQ0IgMEMgNUMgMzggQUQgNzAgMzEgNjYNCj4gICAgICAgICAgICAgICAgIEUxDQo+ICAg ICAgICAgIDogICB9DQo+DQo+DQo+IENvcnJlY3RlZCBUZXh0DQo+IC0tLS0tLS0tLS0tLS0tDQo+ IENvcnJlY3QgZGVmaW5pdGlvbiBpbiBzZWN0aW9uIDc6DQo+DQo+ICAgT25lQXN5bW1ldHJpY0tl eSA6Oj0gU0VRVUVOQ0Ugew0KPiAgICAgdmVyc2lvbiAgICAgICAgICAgICAgICAgICBWZXJzaW9u LA0KPiAgICAgcHJpdmF0ZUtleUFsZ29yaXRobSAgICAgICBQcml2YXRlS2V5QWxnb3JpdGhtSWRl bnRpZmllciwNCj4gICAgIHByaXZhdGVLZXkgICAgICAgICAgICAgICAgUHJpdmF0ZUtleSwNCj4g ICAgIGF0dHJpYnV0ZXMgICAgICAgICAgICBbMF0gQXR0cmlidXRlcyBPUFRJT05BTCwNCj4gICAg IC4uLiwNCj4gICAgIFtbMjogcHVibGljS2V5ICAgICAgICBbMV0gUHVibGljS2V5IE9QVElPTkFM IF1dLA0KPiAgICAgLi4uDQo+ICAgfQ0KPg0KPiBFeGFtcGxlIGtleSBpbiBzZWN0aW9uIDcgYW5k IDEwLjM6DQo+DQo+ICAgLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tDQo+ICAgTUhRQ0FRRXdC UVlESzJWd0JDSUVJTlR1Y3R2NUUxaEsxYmJZOGZkcCtLMDYvbndveS9IVSsrQ1hxSTlFZFZoQw0K PiAgIG9COHdIUVlLS29aSWh2Y05BUWtKRkRFUERBMURkWEprYkdVZ1EyaGhhWEp6b1NNRElRQVp2 MFFKYVlUTi9vVkINCj4gICB1c0ZuM0R1V3lGQ0dxakMydHNzTVhEaXRjREZtNFE9PQ0KPiAgIC0t LS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0NCj4NCj4NCj4gQVNOLjEgZHVtcCBvZiB0aGlzIHByaXZh dGUga2V5IGluIHNlY3Rpb24gMTAuMzoNCj4NCj4gICAgIDAgMTE2OiBTRVFVRU5DRSB7DQo+ICAg ICAyICAgMTogICBJTlRFR0VSIDENCj4gICAgIDUgICA1OiAgIFNFUVVFTkNFIHsNCj4gICAgIDcg ICAzOiAgICAgT0JKRUNUIElERU5USUZJRVIgJzEgMyAxMDEgMTEyJw0KPiAgICAgICAgICA6ICAg ICB9DQo+ICAgIDEyICAzNDogICBPQ1RFVCBTVFJJTkcsIGVuY2Fwc3VsYXRlcyB7DQo+ICAgICAg ICAgIDogICAgIDA0IDIwIEQ0IEVFIDcyIERCIEY5IDEzIDU4IDRBIEQ1IEI2IEQ4IEYxIEY3IDY5 DQo+ICAgICAgICAgIDogICAgIEY4IEFEIDNBIEZFIDdDIDI4IENCIEYxIEQ0IEZCIEUwIDk3IEE4 IDhGIDQ0IDc1DQo+ICAgICAgICAgIDogICAgIDU4IDQyDQo+ICAgICAgICAgIDogICAgIH0NCj4g ICAgNDggIDMxOiAgIFswXSB7DQo+ICAgIDUwICAyOTogICAgIFNFUVVFTkNFIHsNCj4gICAgNTIg IDEwOiAgICAgICBPQkpFQ1QgSURFTlRJRklFUiAnMSAyIDg0MCAxMTM1NDkgMSA5IDkgMjAnDQo+ ICAgIDY0ICAxNTogICAgICAgU0VUIHsNCj4gICAgNjYgIDEzOiAgICAgICAgIFVURjhTdHJpbmcg J0N1cmRsZSBDaGFpcnMnDQo+ICAgICAgICAgIDogICAgICAgICB9DQo+ICAgICAgICAgIDogICAg ICAgfQ0KPiAgICAgICAgICA6ICAgICB9DQo+ICAgIDgxICAzNTogICBbMV0gew0KPiAgICA4MyAg MzM6ICAgICBCSVQgU1RSSU5HIHsNCj4gICAgICAgICAgICAgICAgICAwMCAxOSBCRiA0NCAwOSA2 OSA4NCBDRCBGRSA4NSA0MSBCQSBDMSA2NyBEQyAzQg0KPiAgICAgICAgICAgICAgICAgIDk2IEM4 IDUwIDg2IEFBIDMwIEI2IEI2IENCIDBDIDVDIDM4IEFEIDcwIDMxIDY2DQo+ICAgICAgICAgICAg ICAgICAgRTENCj4gICAgICAgICAgICAgICAgICB9DQo+ICAgICAgICAgICAgICAgIH0NCj4gICAg ICAgICAgOiAgIH0NCj4NCj4NCj4gTm90ZXMNCj4gLS0tLS0NCj4gT25lQXN5bW1ldHJpY0tleSBp cyBkZWZpbmVkIGluIFJGQyA1OTU4LiBJdCBkb2VzIE5PVCBkZWZpbmUgYXR0cmlidXRlcyBhbmQg cHVibGljS2V5IGFzIElNUExJQ0lULg0KPg0KPiBJbnN0cnVjdGlvbnM6DQo+IC0tLS0tLS0tLS0t LS0NCj4gVGhpcyBlcnJhdHVtIGlzIGN1cnJlbnRseSBwb3N0ZWQgYXMgIlJlcG9ydGVkIi4gSWYg bmVjZXNzYXJ5LCBwbGVhc2UNCj4gdXNlICJSZXBseSBBbGwiIHRvIGRpc2N1c3Mgd2hldGhlciBp dCBzaG91bGQgYmUgdmVyaWZpZWQgb3IgcmVqZWN0ZWQuDQo+IFdoZW4gYSBkZWNpc2lvbiBpcyBy ZWFjaGVkLCB0aGUgdmVyaWZ5aW5nIHBhcnR5IGNhbiBsb2cgaW4gdG8gY2hhbmdlDQo+IHRoZSBz dGF0dXMgYW5kIGVkaXQgdGhlIHJlcG9ydCwgaWYgbmVjZXNzYXJ5Lg0KPg0KPiAtLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KPiBSRkM4NDEwIChkcmFmdC1pZXRmLWN1cmRs ZS1wa2l4LTEwKQ0KPiAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KPiBU aXRsZSAgICAgICAgICAgICAgIDogQWxnb3JpdGhtIElkZW50aWZpZXJzIGZvciBFZDI1NTE5LCBF ZDQ0OCwgWDI1NTE5LCBhbmQgWDQ0OCBmb3IgVXNlIGluIHRoZSBJbnRlcm5ldCBYLjUwOSBQdWJs aWMgS2V5IEluZnJhc3RydWN0dXJlDQo+IFB1YmxpY2F0aW9uIERhdGUgICAgOiBBdWd1c3QgMjAx OA0KPiBBdXRob3IocykgICAgICAgICAgIDogUy4gSm9zZWZzc29uLCBKLiBTY2hhYWQNCj4gQ2F0 ZWdvcnkgICAgICAgICAgICA6IFBST1BPU0VEIFNUQU5EQVJEDQo+IFNvdXJjZSAgICAgICAgICAg ICAgOiBDVVJ2ZXMsIERlcHJlY2F0aW5nIGFuZCBhIExpdHRsZSBtb3JlIEVuY3J5cHRpb24NCj4g QXJlYSAgICAgICAgICAgICAgICA6IFNlY3VyaXR5DQo+IFN0cmVhbSAgICAgICAgICAgICAgOiBJ RVRGDQo+IFZlcmlmeWluZyBQYXJ0eSAgICAgOiBJRVNHDQo+DQo+IF9fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQo+IEN1cmRsZSBtYWlsaW5nIGxpc3QNCj4g Q3VyZGxlQGlldGYub3JnDQo+IGh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8v Y3VyZGxlDQoNCg0KDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KDQpVdGltYWNv IElTIEdtYkgNCkdlcm1hbnVzc3RyLiA0LCBELjUyMDgwIEFhY2hlbiwgR2VybWFueSwgVGVsOiAr NDktMjQxLTE2OTYtMCwgd3d3LnV0aW1hY28uY29tDQpTZWF0OiBBYWNoZW4g4oCTIFJlZ2lzdGVy Z2VyaWNodCBBYWNoZW4gSFJCIDE4OTIyDQpWQVQgSUQgTm8uOiBERSA4MTUgNDk2IDQ5Ng0KTWFu YWdlbWVudGJvYXJkOiBTdGVmYW4gQXVlcmJhY2ggKENoYWlybWFuKSBDRU8sIE1hbHRlIFBvbGxt YW5uIENTTywgTWFydGluIFN0YW1tIENGTw0KDQpUaGlzIGNvbW11bmljYXRpb24gaXMgY29uZmlk ZW50aWFsLiBJZiB5b3UgYXJlIG5vdCB0aGUgaW50ZW5kZWQgcmVjaXBpZW50LCBhbnkgdXNlLCBp bnRlcmZlcmVuY2Ugd2l0aCwgZGlzY2xvc3VyZSBvciBjb3B5aW5nIG9mIHRoaXMgbWF0ZXJpYWwg aXMgdW5hdXRob3Jpc2VkIGFuZCBwcm9oaWJpdGVkLiBQbGVhc2UgaW5mb3JtIHVzIGltbWVkaWF0 ZWx5IGFuZCBkZXN0cm95IHRoZSBlbWFpbC4NCg== From nobody Tue Nov 16 07:55:50 2021 Return-Path: X-Original-To: curdle@ietfa.amsl.com Delivered-To: curdle@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9DE33A079A for ; Tue, 16 Nov 2021 07:55:48 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.897 X-Spam-Level: X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DC3h_U5A8E6o for ; Tue, 16 Nov 2021 07:55:43 -0800 (PST) Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F7A03A079F for ; Tue, 16 Nov 2021 07:55:43 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 6EB6D300C1D for ; Tue, 16 Nov 2021 10:55:41 -0500 (EST) X-Virus-Scanned: amavisd-new at mail.smeinc.net Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id MR0wtsK03BtB for ; Tue, 16 Nov 2021 10:55:32 -0500 (EST) Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id F147F300BE9; Tue, 16 Nov 2021 10:55:28 -0500 (EST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\)) From: Russ Housley In-Reply-To: <1940223ae4324f15a84963142aeddf8c@utimaco.com> Date: Tue, 16 Nov 2021 10:55:24 -0500 Cc: Simon Josefsson , "Roman D. Danyliw" , Ben Kaduk , "daniel.migault@ericsson.com" , Rich Salz , "curdle@ietf.org" , RFC Editor Content-Transfer-Encoding: quoted-printable Message-Id: References: <20211116105357.21FA01FCF52@rfc-editor.org> <5E5DECA1-8701-4E45-84D2-0C03D6438C69@vigilsec.com> <1940223ae4324f15a84963142aeddf8c@utimaco.com> To: Daniel Minder X-Mailer: Apple Mail (2.3445.104.21) Archived-At: Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (6738) X-BeenThere: curdle@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "List for discussion of potential new security area wg." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Nov 2021 15:55:49 -0000 I do think it is appropriate to make the one change noted below. Since the ASN.1 module at the end of the document does not reference = OneAsymmetricKey in any way, this error in the body of the document did = not impact the implementation that I did in any way. Russ > On Nov 16, 2021, at 10:11 AM, Daniel Minder = wrote: >=20 > Russ, >=20 > you are right. It seems I completely missed that header. > Since in section 7 there is no complete module definition and the = "DEFINITIONS IMPLICIT TAGS" is missing here, one could perfectly argue = that the "IMPLICIT" statement could be included for clarity. >=20 > I thought I came across a PKCS#8 / OneAsymmetricKey example in another = RFC or a standard tool, but I cannot find it anymore. I was probably = wrong here, too. >=20 > Please excuse the disturbance. I'm ok to reject the errata completely. >=20 > Thanks, > Daniel >=20 > -----Original Message----- > From: Russ Housley > Sent: Dienstag, 16. November 2021 15:13 > To: Daniel Minder > Cc: Simon Josefsson ; Roman D. Danyliw = ; Ben Kaduk ; daniel.migault@ericsson.com; = Rich Salz ; curdle@ietf.org; RFC Editor = > Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (6738) >=20 > Daniel: >=20 > RFC 5958 imports the definition of ATTRIBUTE from the = PKIX-CommonTypes-2009 module in RFC 5912. >=20 > You will see at the top of the ASN.1 module in RFC 5958 the phrase = "DEFINITIONS IMPLICIT TAGS". This means that the definitions use = implicit tagging unless the definition itself includes "EXPLICIT" to = override the module default. >=20 > However, the PKIX-CommonTypes-2009 module in RFC 5912 has the phrase = "DEFINITIONS EXPLICIT TAGS". Thus, the Attributes SEQUENCE should have = explicit tags as shown in the examples >=20 > Therefore, the only correction needed is the incorrect quote from RFC = 5958 in Section 7 of RFC 8410. >=20 > ORIGINAL TEXT: >=20 > OneAsymmetricKey ::=3D SEQUENCE { > version Version, > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > privateKey PrivateKey, > attributes [0] IMPLICIT Attributes OPTIONAL, > ..., > [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], > ... > } >=20 > CORRECTED TEXT: >=20 > OneAsymmetricKey ::=3D SEQUENCE { > version Version, > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > privateKey PrivateKey, > attributes [0] Attributes OPTIONAL, > ..., > [[2: publicKey [1] PublicKey OPTIONAL ]], > ... > } >=20 > Hope this helps, > Russ >=20 >=20 >> On Nov 16, 2021, at 5:53 AM, RFC Errata System = wrote: >>=20 >> The following errata report has been submitted for RFC8410, = "Algorithm >> Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the = Internet X.509 Public Key Infrastructure". >>=20 >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid6738 >>=20 >> -------------------------------------- >> Type: Technical >> Reported by: Daniel Minder >>=20 >> Section: 7 and 10.3 >>=20 >> Original Text >> ------------- >> Section 7 says >>=20 >> OneAsymmetricKey ::=3D SEQUENCE { >> version Version, >> privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, >> privateKey PrivateKey, >> attributes [0] IMPLICIT Attributes OPTIONAL, >> ..., >> [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], >> ... >> } >>=20 >> 2nd example given in both section 7 and section 10.3: >>=20 >> -----BEGIN PRIVATE KEY----- >> MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC >> oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB >> Z9w7lshQhqowtrbLDFw4rXAxZuE=3D >> -----END PRIVATE KEY------ >>=20 >> ASN.1 dump of this private key in section 10.3: >>=20 >> The same item dumped as ASN.1 yields: >>=20 >> 0 114: SEQUENCE { >> 2 1: INTEGER 1 >> 5 5: SEQUENCE { >> 7 3: OBJECT IDENTIFIER '1 3 101 112' >> : } >> 12 34: OCTET STRING, encapsulates { >> : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 >> : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 >> : 58 42 >> : } >> 48 31: [0] { >> 50 29: SEQUENCE { >> 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' >> 64 15: SET { >> 66 13: UTF8String 'Curdle Chairs' >> : } >> : } >> : } >> 81 33: [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B >> 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 >> E1 >> : } >>=20 >>=20 >> Corrected Text >> -------------- >> Correct definition in section 7: >>=20 >> OneAsymmetricKey ::=3D SEQUENCE { >> version Version, >> privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, >> privateKey PrivateKey, >> attributes [0] Attributes OPTIONAL, >> ..., >> [[2: publicKey [1] PublicKey OPTIONAL ]], >> ... >> } >>=20 >> Example key in section 7 and 10.3: >>=20 >> -----BEGIN PRIVATE KEY----- >> MHQCAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC >> oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzoSMDIQAZv0QJaYTN/oVB >> usFn3DuWyFCGqjC2tssMXDitcDFm4Q=3D=3D >> -----END PRIVATE KEY----- >>=20 >>=20 >> ASN.1 dump of this private key in section 10.3: >>=20 >> 0 116: SEQUENCE { >> 2 1: INTEGER 1 >> 5 5: SEQUENCE { >> 7 3: OBJECT IDENTIFIER '1 3 101 112' >> : } >> 12 34: OCTET STRING, encapsulates { >> : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 >> : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 >> : 58 42 >> : } >> 48 31: [0] { >> 50 29: SEQUENCE { >> 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' >> 64 15: SET { >> 66 13: UTF8String 'Curdle Chairs' >> : } >> : } >> : } >> 81 35: [1] { >> 83 33: BIT STRING { >> 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B >> 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 >> E1 >> } >> } >> : } >>=20 >>=20 >> Notes >> ----- >> OneAsymmetricKey is defined in RFC 5958. It does NOT define = attributes and publicKey as IMPLICIT. >>=20 >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or rejected. >> When a decision is reached, the verifying party can log in to change >> the status and edit the report, if necessary. >>=20 >> -------------------------------------- >> RFC8410 (draft-ietf-curdle-pkix-10) >> -------------------------------------- >> Title : Algorithm Identifiers for Ed25519, Ed448, = X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure >> Publication Date : August 2018 >> Author(s) : S. Josefsson, J. Schaad >> Category : PROPOSED STANDARD >> Source : CURves, Deprecating and a Little more = Encryption >> Area : Security >> Stream : IETF >> Verifying Party : IESG >>=20 >> _______________________________________________ >> Curdle mailing list >> Curdle@ietf.org >> https://www.ietf.org/mailman/listinfo/curdle >=20 >=20 >=20 > ________________________________ >=20 > Utimaco IS GmbH > Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, = www.utimaco.com > Seat: Aachen =E2=80=93 Registergericht Aachen HRB 18922 > VAT ID No.: DE 815 496 496 > Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, = Martin Stamm CFO >=20 > This communication is confidential. If you are not the intended = recipient, any use, interference with, disclosure or copying of this = material is unauthorised and prohibited. Please inform us immediately = and destroy the email. From nobody Thu Nov 25 13:02:45 2021 Return-Path: X-Original-To: curdle@ietfa.amsl.com Delivered-To: curdle@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A1D93A086F for ; Thu, 25 Nov 2021 13:02:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.897 X-Spam-Level: X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-kalE7svkVz for ; Thu, 25 Nov 2021 13:02:38 -0800 (PST) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06F443A0875 for ; Thu, 25 Nov 2021 13:02:37 -0800 (PST) Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1APL2FVa010278 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 25 Nov 2021 16:02:20 -0500 Date: Thu, 25 Nov 2021 13:02:15 -0800 From: Benjamin Kaduk To: Russ Housley Cc: Daniel Minder , Simon Josefsson , "Roman D. Danyliw" , "daniel.migault@ericsson.com" , Rich Salz , "curdle@ietf.org" , RFC Editor Message-ID: <20211125210215.GK93060@mit.edu> References: <20211116105357.21FA01FCF52@rfc-editor.org> <5E5DECA1-8701-4E45-84D2-0C03D6438C69@vigilsec.com> <1940223ae4324f15a84963142aeddf8c@utimaco.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Archived-At: Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (6738) X-BeenThere: curdle@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "List for discussion of potential new security area wg." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Nov 2021 21:02:43 -0000 Hi Russ, Daniel, I updated the errata report in-place but left it in state "reported". Can you please confirm that the current version is accurate? I think it would qualify to mark as "verified" (rather than "hold for document update") since the correction is clear and unambiguous. Thanks, Ben On Tue, Nov 16, 2021 at 10:55:24AM -0500, Russ Housley wrote: > I do think it is appropriate to make the one change noted below. > > Since the ASN.1 module at the end of the document does not reference OneAsymmetricKey in any way, this error in the body of the document did not impact the implementation that I did in any way. > > Russ > > > > On Nov 16, 2021, at 10:11 AM, Daniel Minder wrote: > > > > Russ, > > > > you are right. It seems I completely missed that header. > > Since in section 7 there is no complete module definition and the "DEFINITIONS IMPLICIT TAGS" is missing here, one could perfectly argue that the "IMPLICIT" statement could be included for clarity. > > > > I thought I came across a PKCS#8 / OneAsymmetricKey example in another RFC or a standard tool, but I cannot find it anymore. I was probably wrong here, too. > > > > Please excuse the disturbance. I'm ok to reject the errata completely. > > > > Thanks, > > Daniel > > > > -----Original Message----- > > From: Russ Housley > > Sent: Dienstag, 16. November 2021 15:13 > > To: Daniel Minder > > Cc: Simon Josefsson ; Roman D. Danyliw ; Ben Kaduk ; daniel.migault@ericsson.com; Rich Salz ; curdle@ietf.org; RFC Editor > > Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (6738) > > > > Daniel: > > > > RFC 5958 imports the definition of ATTRIBUTE from the PKIX-CommonTypes-2009 module in RFC 5912. > > > > You will see at the top of the ASN.1 module in RFC 5958 the phrase "DEFINITIONS IMPLICIT TAGS". This means that the definitions use implicit tagging unless the definition itself includes "EXPLICIT" to override the module default. > > > > However, the PKIX-CommonTypes-2009 module in RFC 5912 has the phrase "DEFINITIONS EXPLICIT TAGS". Thus, the Attributes SEQUENCE should have explicit tags as shown in the examples > > > > Therefore, the only correction needed is the incorrect quote from RFC 5958 in Section 7 of RFC 8410. > > > > ORIGINAL TEXT: > > > > OneAsymmetricKey ::= SEQUENCE { > > version Version, > > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > > privateKey PrivateKey, > > attributes [0] IMPLICIT Attributes OPTIONAL, > > ..., > > [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], > > ... > > } > > > > CORRECTED TEXT: > > > > OneAsymmetricKey ::= SEQUENCE { > > version Version, > > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > > privateKey PrivateKey, > > attributes [0] Attributes OPTIONAL, > > ..., > > [[2: publicKey [1] PublicKey OPTIONAL ]], > > ... > > } > > > > Hope this helps, > > Russ > > > > > >> On Nov 16, 2021, at 5:53 AM, RFC Errata System wrote: > >> > >> The following errata report has been submitted for RFC8410, "Algorithm > >> Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure". > >> > >> -------------------------------------- > >> You may review the report below and at: > >> https://www.rfc-editor.org/errata/eid6738 > >> > >> -------------------------------------- > >> Type: Technical > >> Reported by: Daniel Minder > >> > >> Section: 7 and 10.3 > >> > >> Original Text > >> ------------- > >> Section 7 says > >> > >> OneAsymmetricKey ::= SEQUENCE { > >> version Version, > >> privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > >> privateKey PrivateKey, > >> attributes [0] IMPLICIT Attributes OPTIONAL, > >> ..., > >> [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], > >> ... > >> } > >> > >> 2nd example given in both section 7 and section 10.3: > >> > >> -----BEGIN PRIVATE KEY----- > >> MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC > >> oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB > >> Z9w7lshQhqowtrbLDFw4rXAxZuE= > >> -----END PRIVATE KEY------ > >> > >> ASN.1 dump of this private key in section 10.3: > >> > >> The same item dumped as ASN.1 yields: > >> > >> 0 114: SEQUENCE { > >> 2 1: INTEGER 1 > >> 5 5: SEQUENCE { > >> 7 3: OBJECT IDENTIFIER '1 3 101 112' > >> : } > >> 12 34: OCTET STRING, encapsulates { > >> : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 > >> : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 > >> : 58 42 > >> : } > >> 48 31: [0] { > >> 50 29: SEQUENCE { > >> 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' > >> 64 15: SET { > >> 66 13: UTF8String 'Curdle Chairs' > >> : } > >> : } > >> : } > >> 81 33: [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B > >> 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 > >> E1 > >> : } > >> > >> > >> Corrected Text > >> -------------- > >> Correct definition in section 7: > >> > >> OneAsymmetricKey ::= SEQUENCE { > >> version Version, > >> privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > >> privateKey PrivateKey, > >> attributes [0] Attributes OPTIONAL, > >> ..., > >> [[2: publicKey [1] PublicKey OPTIONAL ]], > >> ... > >> } > >> > >> Example key in section 7 and 10.3: > >> > >> -----BEGIN PRIVATE KEY----- > >> MHQCAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC > >> oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzoSMDIQAZv0QJaYTN/oVB > >> usFn3DuWyFCGqjC2tssMXDitcDFm4Q== > >> -----END PRIVATE KEY----- > >> > >> > >> ASN.1 dump of this private key in section 10.3: > >> > >> 0 116: SEQUENCE { > >> 2 1: INTEGER 1 > >> 5 5: SEQUENCE { > >> 7 3: OBJECT IDENTIFIER '1 3 101 112' > >> : } > >> 12 34: OCTET STRING, encapsulates { > >> : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 > >> : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 > >> : 58 42 > >> : } > >> 48 31: [0] { > >> 50 29: SEQUENCE { > >> 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20' > >> 64 15: SET { > >> 66 13: UTF8String 'Curdle Chairs' > >> : } > >> : } > >> : } > >> 81 35: [1] { > >> 83 33: BIT STRING { > >> 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B > >> 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66 > >> E1 > >> } > >> } > >> : } > >> > >> > >> Notes > >> ----- > >> OneAsymmetricKey is defined in RFC 5958. It does NOT define attributes and publicKey as IMPLICIT. > >> > >> Instructions: > >> ------------- > >> This erratum is currently posted as "Reported". If necessary, please > >> use "Reply All" to discuss whether it should be verified or rejected. > >> When a decision is reached, the verifying party can log in to change > >> the status and edit the report, if necessary. > >> > >> -------------------------------------- > >> RFC8410 (draft-ietf-curdle-pkix-10) > >> -------------------------------------- > >> Title : Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure > >> Publication Date : August 2018 > >> Author(s) : S. Josefsson, J. Schaad > >> Category : PROPOSED STANDARD > >> Source : CURves, Deprecating and a Little more Encryption > >> Area : Security > >> Stream : IETF > >> Verifying Party : IESG > >> > >> _______________________________________________ > >> Curdle mailing list > >> Curdle@ietf.org > >> https://www.ietf.org/mailman/listinfo/curdle > > > > > > > > ________________________________ > > > > Utimaco IS GmbH > > Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com > > Seat: Aachen – Registergericht Aachen HRB 18922 > > VAT ID No.: DE 815 496 496 > > Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO > > > > This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email. >