On Thu, Jul 20, 2017 at 06:59:42PM +0200, Juergen Schoenwaelder wrote:
> > - Since crypto algorithms come and go, is it reasonable to have the
> > identities defined in a rather static RFC? Would an IANA maintained
> > identity module perhaps make more sense?
> >
> > <KENT> Unsure, but I wouldn't suspect needing to make that
> > kind of update for a long time. If we were to define a
> > module for algorithm identities, it might lead to us wanting
> > to define every algorithm (not just public-key algs), which
> > could take some time...
>
> I think an IANA maintained registry can be as incomplete or complete
> as the I-D. I understand that the mechanics of working out the proper
> registry can be painful (there likely are already N registries) but
> clearly crypto algorithm identities must be easily extensible.
>
I looked a bit more and you define
identity key-algorithm {
description
"Base identity from which all key-algorithms are derived.";
}
plus a bunch of concrete algorithms. draft-ietf-rtgwg-yang-key-chain-24
defines
identity crypto-algorithm {
description
"Base identity of cryptographic algorithm options.";
}
and then a bunch of concrete algorithms (hashes and symmetric ones).
They also do not expect IANA to maintain things. I would love if
security area people would help us with getting this right, well
perhaps they jump in during secdir review.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>