From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: David Howells <dhowells@redhat.com>
Cc: zohar@linux.vnet.ibm.com, linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org, jmorris@namei.org,
rusty@rustcorp.com.au, keyrings@linux-nfs.org,
linux-kernel@vger.kernel.org, dmitry.kasatkin@gmail.com
Subject: Re: [PATCH 3/4] module: search the key only by keyid
Date: Fri, 03 Oct 2014 17:00:04 +0300 [thread overview]
Message-ID: <542EABE4.9000101@samsung.com> (raw)
In-Reply-To: <13201.1412343605@warthog.procyon.org.uk>
On 03/10/14 16:40, David Howells wrote:
> Dmitry Kasatkin <d.kasatkin@samsung.com> wrote:
>
>> BTW. But actually why signer is needed to find the key?
>> Every key has unique fingerprint.
> The SKID is by no means guaranteed unique, is not mandatory and has no defined
> algorithm for generating it.
SKID is unique. SKID == SHA1(PK)
I understand that it may be missing for someone. But if it presents in
the certificate it should not be a problem...
>> Or you say that different certificates might have the same PK?
>> What I would consider strange. But anyway, if PK is the same, then
>> verification succeed.
> Do note: We *do* need to get away from using SKIDs. We have situations where
> we have to use a key that doesn't have one.
>
> David
I understand that... What I claim is that if there is a SKID, it is
unique and enough to identify certificate in the keyring...
Integrity subsystem uses partial SKID and it MUST NOT be broken for
compatibility.
Dmitry
next prev parent reply other threads:[~2014-10-03 14:00 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-03 9:09 [PATCH 0/4] KEYS fixes Dmitry Kasatkin
2014-10-03 9:09 ` [PATCH 1/4] KEYS: handle error code encoded in pointer Dmitry Kasatkin
2014-10-03 12:46 ` David Howells
2014-10-03 9:09 ` [PATCH 2/4] KEYS: provide pure subject key identifier (fingerprint) as key id Dmitry Kasatkin
2014-10-06 13:51 ` David Howells
2014-10-03 9:09 ` [PATCH 3/4] module: search the key only by keyid Dmitry Kasatkin
2014-10-03 12:46 ` David Howells
2014-10-03 12:49 ` Dmitry Kasatkin
2014-10-03 12:53 ` Dmitry Kasatkin
2014-10-03 13:08 ` Dmitry Kasatkin
2014-10-03 13:40 ` David Howells
2014-10-03 14:00 ` Dmitry Kasatkin [this message]
2014-10-06 12:44 ` James Morris
2014-10-06 17:14 ` Dmitry Kasatkin
2014-10-06 19:39 ` Mimi Zohar
2014-10-03 9:09 ` [PATCH 4/4] integrity: do zero padding of the key id Dmitry Kasatkin
2014-10-03 10:43 ` [PATCH 0/4] KEYS fixes Dmitry Kasatkin
2014-10-03 14:19 ` Mimi Zohar
2014-10-03 15:54 ` [PATCH] X.509: If available, use the raw subjKeyId to form the key description David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=542EABE4.9000101@samsung.com \
--to=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox