Re: [KEYPROV] Extending the PSKC Algorithm Profiles
Hannes,
I believe we discussed this on some call a while back and that we preferred Option 2, where the OCRA suite would be appended to the URN.
Philip
-----Original Message-----
From: keyprov-bounces at ietf.org [mailto:keyprov-bounces at ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, August 03, 2009 11:09 AM
To: 'KEYPROV'
Subject: [KEYPROV] Extending the PSKC Algorithm Profiles
Hi all,
In a review of the PSKC document a question regarding the registration of new PSKC algorithm profiles came up. The example here is the OCRA algorithm.

Note that there is a document (although a bit out-dated already) that defines new PSKC algorithm profiles, see
http://tools.ietf.org/id/draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt

There are essentially two approaches for defining algorithm profiles. In the first version below, new XML elements are defined that do not exist in PSKC to carry parameters of the OCRA algorithm, namely information about a hash function and information about the truncation size.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
    xmlns:ocra="urn:ietf:params:xml:ns:keyprov:pskc#ocra">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
      <UserId>DC=example-bank,DC=net</UserId>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>CM_ID_001</Id>
    </CryptoModuleInfo>
    <Key Id="12345678"
        Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#ocra">
      <Issuer>Issuer</Issuer>
      <UserId>UID=jsmith,DC=example-bank,DC=net</UserId>
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
        <ocra:hashFunction>http://www.w3.org/2001/04/xmlenc#sha256</ocra:hashFunction>
        <ocra:TruncationSize>8</ocra:TruncationSize>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
        </Secret>
        <Counter>
          <PlainValue>0</PlainValue>
        </Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
In the second example, the registered algorithm URN contains the parameter encoding. This requires more URNs to be registered but does not require new XML elements to be defined.

Regarding the URN registration I believe that the full set of URNs need to be registered and it would not be sufficient to just register urn:ietf:params:xml:ns:keyprov:pskc#ocra and to just attach the other parameters. Maybe someone knows more about this aspect.
<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
      <UserId>DC=example-bank,DC=net</UserId>
    </DeviceInfo>
    <CryptoModuleInfo>
      <Id>CM_ID_001</Id>
    </CryptoModuleInfo>
    <Key Id="12345678"
        Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#ocra:sha256:8">
      <Issuer>Issuer</Issuer>
      <UserId>UID=jsmith,DC=example-bank,DC=net</UserId>
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret>
          <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
        </Secret>
        <Counter>
          <PlainValue>0</PlainValue>
        </Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
Both options are possible; it might be a matter of taste which one to apply, and the extension style should be chosen in the
http://tools.ietf.org/id/draft-hoyer-keyprov-pskc-algorithm-profiles-00.txt
document.
Ciao
Hannes
PS: Note that some new algorithm profiles might not require any XML elements to be defined nor multiple URNs to be registered. It very much depends on the specific algorithm profile, but I have chosen OCRA since the issue came up there.
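A consumer of PSKC containers (a provisioning server or a token importer) that wants to accept both extension styles above ends up normalising them into one internal profile description. The following Python is an added example written for this thread, not code from the KEYPROV draft or from either poster: it parses the option 1 form (bare URN plus ocra: elements) and the option 2 form (parameters encoded in the URN suffix), checks that the truncation size agrees with ResponseFormat, and renders both as the option 2 URN so they can be compared. The hash-URI-to-name table, the helper names, and the trimmed sample containers (built from the two examples in the mail) are assumptions of this example, not part of any registry.

```python
import base64
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
OCRA_URN = "urn:ietf:params:xml:ns:keyprov:pskc#ocra"
OCRA_NS = OCRA_URN  # option 1 binds the ocra: prefix to the same URI

# Maps the XML Signature / XML Encryption hash URIs option 1 places in
# <ocra:hashFunction> to the short names option 2 puts in the URN suffix.
# Constructed for this example; the thread only shows the sha256 entry.
HASH_URI_TO_NAME = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

# Trimmed copies of the two containers from the mail (DeviceInfo etc. dropped).
OPTION1_XML = """<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
    xmlns:ocra="urn:ietf:params:xml:ns:keyprov:pskc#ocra">
  <KeyPackage><Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#ocra">
    <AlgorithmParameters>
      <ResponseFormat Length="8" Encoding="DECIMAL"/>
      <ocra:hashFunction>http://www.w3.org/2001/04/xmlenc#sha256</ocra:hashFunction>
      <ocra:TruncationSize>8</ocra:TruncationSize>
    </AlgorithmParameters>
    <Data><Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
          <Counter><PlainValue>0</PlainValue></Counter></Data>
  </Key></KeyPackage>
</KeyContainer>"""

OPTION2_XML = """<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage><Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#ocra:sha256:8">
    <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
    <Data><Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
          <Counter><PlainValue>0</PlainValue></Counter></Data>
  </Key></KeyPackage>
</KeyContainer>"""


def _find(parent, ns, local):
    """Find a required namespaced child; raise instead of returning None."""
    el = parent.find("{%s}%s" % (ns, local))
    if el is None:
        raise ValueError("missing <%s> element" % local)
    return el


def _text(parent, ns, local):
    el = _find(parent, ns, local)
    return (el.text or "").strip()


def parse_ocra_profile(xml_text):
    """Normalise a single-key PSKC container using either OCRA encoding into one dict."""
    root = ET.fromstring(xml_text)
    key = root.find(".//{%s}Key" % PSKC_NS)
    if key is None:
        raise ValueError("no Key element")
    params = _find(key, PSKC_NS, "AlgorithmParameters")
    alg = key.get("Algorithm", "")

    if alg == OCRA_URN:
        # Option 1: bare registered URN, parameters in namespaced child elements.
        hash_uri = _text(params, OCRA_NS, "hashFunction")
        if hash_uri not in HASH_URI_TO_NAME:
            raise ValueError("unknown hash function URI " + hash_uri)
        hash_name = HASH_URI_TO_NAME[hash_uri]
        truncation = int(_text(params, OCRA_NS, "TruncationSize"))
        style = "elements"
    elif alg.startswith(OCRA_URN + ":"):
        # Option 2: "<urn>:<hash>:<truncation>", one registered URN per combination.
        parts = alg[len(OCRA_URN) + 1:].split(":")
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError("malformed OCRA profile URN " + alg)
        hash_name, truncation = parts[0], int(parts[1])
        if hash_name not in HASH_URI_TO_NAME.values():
            raise ValueError("unknown hash function " + hash_name)
        style = "urn"
    else:
        raise ValueError("not an OCRA profile: " + alg)

    rf = _find(params, PSKC_NS, "ResponseFormat")
    length = int(rf.get("Length", "0"))
    # Both encodings also carry ResponseFormat; reject a container where it
    # disagrees with the profile instead of silently trusting one of the two.
    if length != truncation:
        raise ValueError("ResponseFormat Length %d != truncation size %d" % (length, truncation))

    data = _find(key, PSKC_NS, "Data")
    secret = base64.b64decode(_text(_find(data, PSKC_NS, "Secret"), PSKC_NS, "PlainValue"))
    counter = int(_text(_find(data, PSKC_NS, "Counter"), PSKC_NS, "PlainValue"))
    return {"style": style, "hash": hash_name, "truncation": truncation,
            "encoding": rf.get("Encoding"), "secret": secret, "counter": counter}


def profile_urn(profile):
    """Render a parsed profile in the option 2 URN form, whatever style it came from."""
    return "%s:%s:%d" % (OCRA_URN, profile["hash"], profile["truncation"])
```

Running `parse_ocra_profile` over both samples yields the same hash, truncation size, secret and counter, and `profile_urn` gives `urn:ietf:params:xml:ns:keyprov:pskc#ocra:sha256:8` for both; the consistency check between TruncationSize and ResponseFormat is the kind of redundancy a parser has to decide on under option 1, where the same fact can be stated twice.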
_______________________________________________
KEYPROV mailing list
KEYPROV at ietf.org
https://www.ietf.org/mailman/listinfo/keyprov