
Re: comment on draft-ietf-ltans-dssc-01.txt



The problem with your suggested syntax is the definition of our constraints. If we used the RFC3280 AlgorithmIdentifier structure, we would integrate the constraints as follows:

AlgorithmValidityInfo ::= SEQUENCE {
	identifier  AlgorithmIdentifier,
	constraint  CHOICE {
                       exact  [0] OCTET STRING,
                       min    [1] OCTET STRING,
                       max    [2] OCTET STRING,
                       range  [3] Range,
                       other  [4] OtherConstraints },
	validity    Validity OPTIONAL,
	information Information OPTIONAL }

It's not possible to determine constraints for more than one parameter (e.g. p > 1024 and q > 160 in case of DSA). Additionally, defining ranges is impossible (e.g. modulus < 2048 and modulus > 1024).


so & tk


Turner, Sean P. wrote:
I'm only commenting on the Parameter structure in the ASN.1. I think that it
might be better to change Algorithm to be a sequence of algorithmIdentifier,
validity, and information - call it AlgorithmValidityInfo. I suggest this
for two reasons:

1. The AlgorithmIdentifier structure that is used to assign an algorithm's
object identifier also defines the parameters. So it probably makes sense to
reuse this structure.

2. The parameter structures for some of the newer algorithms are quite
complicated. For example, RSASSA-PSS [RFC4055] and ECC Algs [RFC3279]
aren't just an OID; they are nested structures.

(not sure how to do it in XML)

Replace:

Algorithm ::= SEQUENCE {
        algorithmIdentifier  AlgID,
        parameters           [0] SEQUENCE OF Parameter  OPTIONAL,
        validity             [1] Validity,
        information          [2] SEQUENCE OF UTF8String OPTIONAL
   }

   AlgID ::= SEQUENCE {
        name  UTF8String,
        oid   [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
        uri   [1] SEQUENCE OF IA5String OPTIONAL
   }

   Parameter ::= SEQUENCE {
        name        UTF8String,
        constraint  CHOICE {
                      exact  [0] OCTET STRING,
                      min    [1] OCTET STRING,
                      max    [2] OCTET STRING,
                      range  [3] Range,
                      other  [4] OtherConstraints
        }
   }

With:

AlgorithmValidityInfo ::= SEQUENCE {
 identifier  AlgorithmIdentifier,
 validity    Validity OPTIONAL,
 information Information OPTIONAL }

Validity ::= SEQUENCE {
  start  [0] GeneralizedTime OPTIONAL,
  end    [1] GeneralizedTime OPTIONAL }

Information ::= SEQUENCE SIZE (1..MAX) OF UTF8String

-- From RFC3280
AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                                -- contains a value of the type
                                -- registered for use with the
                                -- algorithm object identifier value

spt
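
Added example, not part of either message or of the draft: a small policy check contrasting the draft's named `SEQUENCE OF Parameter` constraints with the single unnamed constraint in the reply's AlgorithmValidityInfo. Bit lengths as integers, inclusive bounds, Range as a (low, high) pair, and applying the unnamed constraint to every parameter are all assumptions made for illustration.

```python
# Added illustration; not code from draft-ietf-ltans-dssc or from either poster.
# Assumptions: constraint values are integer bit lengths (the ASN.1 carries
# OCTET STRINGs), min/max are inclusive, and Range is an inclusive
# (low, high) pair, since the page does not define Range.

def satisfies(kind, bound, actual):
    """Evaluate one alternative of the constraint CHOICE against one value."""
    if kind == "exact":
        return actual == bound
    if kind == "min":
        return actual >= bound
    if kind == "max":
        return actual <= bound
    if kind == "range":
        low, high = bound
        return low <= actual <= high
    return False  # "other" (OtherConstraints) is opaque here: fail closed

def check_algorithm(policy, actual_params):
    """Named form: policy is a list of (name, kind, bound), one per Parameter.

    Returns the names of violated parameters; an empty list means acceptable.
    A parameter the policy names but the key lacks counts as a violation.
    """
    return [name for name, kind, bound in policy
            if name not in actual_params
            or not satisfies(kind, bound, actual_params[name])]

def check_single(kind, bound, actual_params):
    """Unnamed form: one constraint with no parameter name attached.

    With nothing to say which parameter it binds, this sketch applies it to
    every parameter (an assumption about how a verifier would have to act).
    """
    return [n for n, v in actual_params.items() if not satisfies(kind, bound, v)]

# Constructed policies using the thresholds mentioned in the message.
DSA_POLICY = [("p", "min", 1024), ("q", "min", 160)]
RSA_POLICY = [("modulus", "range", (1024, 2048))]

if __name__ == "__main__":
    good_dsa = {"p": 1024, "q": 160}   # constructed sample key sizes
    weak_dsa = {"p": 512, "q": 160}
    print(check_algorithm(DSA_POLICY, good_dsa))   # accepted
    print(check_algorithm(DSA_POLICY, weak_dsa))   # p rejected
    print(check_single("min", 1024, good_dsa))     # rejects q wrongly
    print(check_single("min", 160, weak_dsa))      # accepts weak p
    print(check_algorithm(RSA_POLICY, {"modulus": 4096}))
```

Under these assumptions, no single unnamed bound both accepts the 1024/160 DSA key and rejects the 512/160 one, which is the limitation the reply describes.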

