rfc9373.original		rfc9373.txt
	IPSECME R. Moskowitz		Internet Engineering Task Force (IETF) R. Moskowitz
	Internet-Draft HTT Consulting		Request for Comments: 9373 HTT Consulting
	Intended status: Standards Track T. Kivinen		Category: Standards Track T. Kivinen
	Expires: 7 July 2023		ISSN: 2070-1721
	M. Richardson		M. Richardson
	Sandelman		Sandelman
	3 January 2023		March 2023
	EdDSA value for IPSECKEY		EdDSA value for IPSECKEY
	draft-moskowitz-ipsecme-ipseckey-eddsa-09
	Abstract		Abstract
	This document assigns a value for EdDSA Public Keys to the IPSECKEY		This document assigns a value for Edwards-Curve Digital Signature
	IANA registry.		Algorithm (EdDSA) Public Keys to the "IPSECKEY Resource Record
			Parameters" registry.
	Status of This Memo		Status of This Memo
	This Internet-Draft is submitted in full conformance with the		This is an Internet Standards Track document.
	provisions of BCP 78 and BCP 79.
	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		This document is a product of the Internet Engineering Task Force
	and may be updated, replaced, or obsoleted by other documents at any		(IETF). It represents the consensus of the IETF community. It has
	time. It is inappropriate to use Internet-Drafts as reference		received public review and has been approved for publication by the
	material or to cite them other than as "work in progress."		Internet Engineering Steering Group (IESG). Further information on
			Internet Standards is available in Section 2 of RFC 7841.
	This Internet-Draft will expire on 7 July 2023.		Information about the current status of this document, any errata,
			and how to provide feedback on it may be obtained at
			https://www.rfc-editor.org/info/rfc9373.
	Copyright Notice		Copyright Notice
	Copyright (c) 2023 IETF Trust and the persons identified as the		Copyright (c) 2023 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents (https://trustee.ietf.org/		Provisions Relating to IETF Documents
	license-info) in effect on the date of publication of this document.		(https://trustee.ietf.org/license-info) in effect on the date of
	Please review these documents carefully, as they describe your rights		publication of this document. Please review these documents
	and restrictions with respect to this document. Code Components		carefully, as they describe your rights and restrictions with respect
	extracted from this document must include Revised BSD License text as		to this document. Code Components extracted from this document must
	described in Section 4.e of the Trust Legal Provisions and are		include Revised BSD License text as described in Section 4.e of the
	provided without warranty as described in the Revised BSD License.		Trust Legal Provisions and are provided without warranty as described
			in the Revised BSD License.
	Table of Contents		Table of Contents
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2		1. Introduction
	2. IPSECKEY support for EdDSA . . . . . . . . . . . . . . . . . 2		2. IPSECKEY Support for EdDSA
	3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 2		3. IANA Considerations
	3.1. IANA IPSECKEY Registry Update . . . . . . . . . . . . . . 2		3.1. Update to the IANA IPSECKEY Registry
	3.1.1. Reformat Algorithm Type Field Subregistry . . . . . . 3		3.1.1. Reformat the Algorithm Type Field Registry
	3.1.2. Add to Algorithm Type Field Subregistry . . . . . . . 3		3.1.2. Add to the Algorithm Type Field Registry
	4. Security Considerations . . . . . . . . . . . . . . . . . . . 3		4. Security Considerations
	5. References . . . . . . . . . . . . . . . . . . . . . . . . . 3		5. References
	5.1. Normative References . . . . . . . . . . . . . . . . . . 3		5.1. Normative References
	5.2. Informative References . . . . . . . . . . . . . . . . . 4		5.2. Informative References
	Appendix A. IPSECKEY EdDSA example . . . . . . . . . . . . . . . 4		Appendix A. IPSECKEY EdDSA Example
	Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 4		Acknowledgments
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4		Authors' Addresses
	1. Introduction		1. Introduction
	IPSECKEY [RFC4025) is a resource record (RR) for the Domain Name		IPSECKEY [RFC4025] is a resource record (RR) for the Domain Name
	System (DNS) that is used to store public keys for use in IP security		System (DNS) that is used to store public keys for use in IP security
	(IPsec) systems. The IPSECKEY RR relies on the IPSECKEY Algorithm		(IPsec) systems. The IPSECKEY RR relies on the IPSECKEY "Algorithm
	Type Field registry [IANA-IPSECKEY] to enumerate the permissible		Type Field" registry [IANA-IPSECKEY] to enumerate the permissible
	formats for the public keys.		formats for the public keys.
	This document adds support for Edwards-Curve Digital Security		This document adds support for Edwards-Curve Digital Security
	Algorithm (EdDSA) public keys in the format defined in [RFC8080] to		Algorithm (EdDSA) public keys in the format defined in [RFC8080] to
	the IPSECKEY RR.		the IPSECKEY RR.
	2. IPSECKEY support for EdDSA		2. IPSECKEY Support for EdDSA
	When using the EdDSA public key in the IPSECKEY RR, then the value		When using the EdDSA public key in the IPSECKEY RR, the value 4 is
	TBD1 is used as an algorithm and the public key is formatted as		used as an algorithm and the public key is formatted as specified in
	specified in Section 3 of the "Edwards-Curve Digital Security		"Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC"
	Algorithm (EdDSA) for DNSSEC" ([RFC8080]) document.		(Section 3 of [RFC8080]).
	Value Description Format description Reference		+=======+=====================+======================+===========+
			| Value | Description | Format Description | Reference |
			+=======+=====================+======================+===========+
			| 4 | An EdDSA Public Key | [RFC8080], Section 3 | This RFC |
			+-------+---------------------+----------------------+-----------+
	TBD1 An EdDSA Public Key [RFC8080], Sec. 3 [ThisRFC]		Table 1
	3. IANA Considerations		3. IANA Considerations
	3.1. IANA IPSECKEY Registry Update		3.1. Update to the IANA IPSECKEY Registry
	3.1.1. Reformat Algorithm Type Field Subregistry
	This document requests IANA to add a new field "Format description"		3.1.1. Reformat the Algorithm Type Field Registry
	to the "Algorithm Type Field" subregistry of the "IPSECKEY Resource
	Record Parameters" [IANA-IPSECKEY]. Also, this document requests
	IANA to update the "Description" field in existing entries of that
	registry to explicitly state that is for "Public" keys:
	Value Description Format description Reference		Per this document, IANA has added the "Format Description" field to
	0 No Public key is present [RFC4025]		the "Algorithm Type Field" registry of the "IPSECKEY Resource Record
	1 A DSA Public Key [RFC2536], Sec. 2 [RFC4025]		Parameters" [IANA-IPSECKEY]. In addition, IANA has updated the
	2 A RSA Public Key [RFC3110], Sec. 2 [RFC4025]		"Description" field in existing entries of that registry to
	3 An ECDSA Public Key [RFC6605], Sec. 4 [RFC8005]		explicitly state that they are for "Public" keys:
	IANA is requested to update the reference of that registry by adding		+=======+==========================+====================+===========+
	the RFC number to be assigned to this document.		| Value | Description | Format Description | Reference |
			+=======+==========================+====================+===========+
			| 0 | No Public key | | [RFC4025] |
			| | is present | | |
			+-------+--------------------------+--------------------+-----------+
			| 1 | A DSA Public | [RFC2536], | [RFC4025] |
			| | Key | Section 2 | |
			+-------+--------------------------+--------------------+-----------+
			| 2 | An RSA Public | [RFC3110], | [RFC4025] |
			| | Key | Section 2 | |
			+-------+--------------------------+--------------------+-----------+
			| 3 | An ECDSA | [RFC6605], | [RFC8005] |
			| | Public Key | Section 4 | |
			+-------+--------------------------+--------------------+-----------+
	3.1.2. Add to Algorithm Type Field Subregistry		Table 2
	Further, this document requests IANA to make the following addition		IANA added a reference to this document to the "Algorithm Type Field"
	to the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY]		registry.
	registry:
	IPSECKEY:		3.1.2. Add to the Algorithm Type Field Registry
	This document defines the new IPSECKEY value TBD1 (suggested: 4)
	(Section 2) in the "Algorithm Type Field" subregistry of the
	"IPSECKEY Resource Record Parameters" registry.
	Value Description Format description Reference		Further, IANA has made the following addition to the "Algorithm Type
			Field" registry within the "IPSECKEY Resource Record Parameters"
			[IANA-IPSECKEY]:
	TBD1 An EdDSA Public Key [RFC8080], Sec. 3 [ThisRFC]		+=======+=====================+======================+===========+
			| Value | Description | Format Description | Reference |
			+=======+=====================+======================+===========+
			| 4 | An EdDSA Public Key | [RFC8080], Section 3 | This RFC |
			+-------+---------------------+----------------------+-----------+
			Table 3
	4. Security Considerations		4. Security Considerations
	No new issues than [RFC4025] describes.		The security considerations discussed in [RFC4025] apply. This
			document does not introduce any new security considerations.
	5. References		5. References
	5.1. Normative References		5.1. Normative References
	[IANA-IPSECKEY]		[IANA-IPSECKEY]
	IANA, "IPSECKEY Resource Record Parameters",		IANA, "IPSECKEY Resource Record Parameters",
	<https://www.iana.org/assignments/ipseckey-rr-parameters/		<https://www.iana.org/assignments/ipseckey-rr-parameters>.
	ipseckey-rr-parameters.xhtml>.
	[RFC8080] Sury, O., Edmonds, R., and RFC Publisher, "Edwards-Curve		[RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security
	Digital Security Algorithm (EdDSA) for DNSSEC", RFC 8080,		Algorithm (EdDSA) for DNSSEC", RFC 8080,
	DOI 10.17487/RFC8080, February 2017,		DOI 10.17487/RFC8080, February 2017,
	<https://www.rfc-editor.org/info/rfc8080>.		<https://www.rfc-editor.org/info/rfc8080>.
	5.2. Informative References		5.2. Informative References
	[RFC4025] Richardson, M. and RFC Publisher, "A Method for Storing		[RFC2536] Eastlake 3rd, D., "DSA KEYs and SIGs in the Domain Name
	IPsec Keying Material in DNS", RFC 4025,		System (DNS)", RFC 2536, DOI 10.17487/RFC2536, March 1999,
	DOI 10.17487/RFC4025, March 2005,		<https://www.rfc-editor.org/info/rfc2536>.
	<https://www.rfc-editor.org/info/rfc4025>.
	Appendix A. IPSECKEY EdDSA example		[RFC3110] Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the
			Domain Name System (DNS)", RFC 3110, DOI 10.17487/RFC3110,
			May 2001, <https://www.rfc-editor.org/info/rfc3110>.
	The following is an example of an IPSECKEY RR with an EdDSA public		[RFC4025] Richardson, M., "A Method for Storing IPsec Keying
	key base64 encode with no gateway:		Material in DNS", RFC 4025, DOI 10.17487/RFC4025, March
			2005, <https://www.rfc-editor.org/info/rfc4025>.
			[RFC6605] Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital
			Signature Algorithm (DSA) for DNSSEC", RFC 6605,
			DOI 10.17487/RFC6605, April 2012,
			<https://www.rfc-editor.org/info/rfc6605>.
			[RFC8005] Laganier, J., "Host Identity Protocol (HIP) Domain Name
			System (DNS) Extension", RFC 8005, DOI 10.17487/RFC8005,
			October 2016, <https://www.rfc-editor.org/info/rfc8005>.
			Appendix A. IPSECKEY EdDSA Example
			The following is an example of an IPSECKEY RR with no gateway, and an
			EdDSA public key. It uses the IPSECKEY presentation format which is
			base64.
	foo.example.com. IN IPSECKEY (		foo.example.com. IN IPSECKEY (
	10 0 4 . 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )		10 0 4 . 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )
	The associated EdDSA private key (in hex):		The associated EdDSA private key (in hex) is as follows:
	c7be71a45cbf87785f639dc4fd1c82637c21b5e02488939976ece32b9268d0b7		c7be71a45cbf87785f639dc4fd1c82637c21b5e02488939976ece32b9268d0b7
	Acknowledgments		Acknowledgments
	Thanks to Security Area director, Paul Wouters, for initial review.		Thanks to the Security Area Director, Paul Wouters, for his initial
	And Security Area director, Roman Danyliw, for final reviews and		review. Also, thanks to Security Area Director, Roman Danyliw, for
	draft shepherding.		his final reviews and document shepherding.
	Authors' Addresses		Authors' Addresses
	Robert Moskowitz		Robert Moskowitz
	HTT Consulting		HTT Consulting
	Oak Park, MI 48237		Oak Park, MI 48237
	United States of America		United States of America
	Email: rgm@labs.htt-consult.com		Email: rgm@labs.htt-consult.com
	Tero Kivinen		Tero Kivinen
End of changes. 32 change blocks.
	90 lines changed or deleted		121 lines changed or added
This html diff was produced by rfcdiff 1.48.