Re: [Anima-bootstrap] Voucher signing method
Kent Watsen <kwatsen@juniper.net> Wed, 03 May 2017 01:25 UTC
From: Kent Watsen <kwatsen@juniper.net>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>, "anima@ietf.org" <anima@ietf.org>
CC: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Date: Wed, 03 May 2017 01:22:57 +0000
Message-ID: <88FB0F4F-2816-4BCE-A775-EBEE1CFCC0CD@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/sMRliflygXwRwUWaU4max7gej6M>
Subject: Re: [Anima-bootstrap] Voucher signing method
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
I've had some time now to investigate JWS, in particular, reproducing some examples in RFCs 7515 and 7520 using nothing but shell scripts and the `openssl` command line utility.

I want to like JWS, but I wish the header was in a more technology-neutral format; it being JSON seems weird to me. Had this been done, it would be a nice general-purpose signature format.

Size wise, JWS grows the size of the data 33% when b64 encoding it for the "compact serialization" form, which is actually a 65-character alphabet including '.'. It seems that a binary header could've also allowed for a binary payload and signature, which would've been perfect, in my opinion. [Of course, the entire binary blob could still be base64url-encoded for those that want it, without forcing it on those that don't.]

The example voucher you obtained from mcr wasn't as trimmed down as it could've been, using the -noattr and -nocert options, which is one reason the asn1parse dump looks as busy as it does. Another being that the owner/domain-cert-trusted-ca encode very different certs (is one EC while the other is RSA?)

In the end, JWS appears to be just another signature format with its own set of peculiarities. And given that we already have to support ASN.1 (the voucher encodes both an X.509 cert as well as an X.509 certificate chain), not to mention the need for the MASA to have a PKIX infrastructure, it's not clear to me if this is a good trade at all.

Lastly, as mentioned before, my netconf zerotouch draft uses CMS/PKCS7 elsewhere. While it would be trivial to update the draft to use a JWS-based format, it would be awkward for clients to have to consider it at all.

Kent

-----ORIGINAL MESSAGE-----

Folks, in Chicago we discussed the signing method for vouchers. Because the voucher is JSON, and there is expectation of a CBOR encoding for future work, there is an open discussion point about using the JWS/COSE signing methods; if not JWT/CWT.
There was brief discussion of this at IETF98 and one person indicated they liked PKCS7, others indicated JWT and others did not speak up. Full meeting minutes might provide more information but my recollection was that we'd move the discussion to the list. This thread is for that discussion.

The current text of draft-ietf-anima-voucher-02 is:

> The voucher is signed a PKCS#7 SignedData structure, as specified by Section 9.1
> of [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.

For concrete discussion, the proposed change is:

> The voucher is a JWT [RFC7519] signed token.

I've updated my tooling that was used during the IETF98 hackathon to support a JWT token format; I did this as homework to be informed for the discussion.

MY POSITION: is that I appreciate the simplicity of the JWS signing and feel it is a good match for us. It was easy enough to implement, was a refreshing change from the ASN1 complexity of PKCS7, and seems to provide a good path toward CBOR/COSE in a future document without maintaining PKCS7/CMS technical debt or revisiting/rewriting too much.

QUESTION FOR THE WORKING GROUP: What is your position? Why?

What follows is a dump of the raw JWS before signing (the equivalent PKCS7/CMS structure would be the SignedData asn1 structures, which is hard to capture). After that is an encoded and signed voucher. Further below is an example of a PKCS7 signed voucher. Please note these characteristics:

a) From JWT RFC7519 "JWTs are always represented using the JWS Compact Serialization". There are some JWT headers that overlap with voucher fields. I'm using JWT here; but the distinction between JWS/JWT is not fundamental to our discussion. The important point is JWS vs PKCS7.

b) I've added the x5c header to the JWS. This is used to carry the certificate chain of the signer. Our current voucher format indicates PKCS7, which supports an equivalent field called "CertificateSet structure".
It's in the BRSKI document that we specify "The entire certificate chain, up to and including the Domain CA, MUST be included in the CertificateSet structure". With the transition to JWT we'd be specifying that the x5c header be fully populated up to and including the Domain CA etc.

c) From these examples we can't directly compare size encodings. I don't think this is a significant aspect of the conversation but can create comparable examples if folks feel that is necessary.

The dumps:

A debug dump of the JWT form before encoding:

{
  "typ": "JWT",
  "alg": "ES256",
  "x5c": [
    "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",
    "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"
  ]
}
.
{
  "ietf-voucher:voucher": {
    "assertion": "logging",
    "domain-cert-trusted-ca": "-----BEGIN CERTIFICATE-----\nMIIBUjCB+qADAgECAgkAwP4qKsGyQlYwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAwwM\nZXN0RXhhbXBsZUNBMB4XDTE3MDMyNTIyMTc1MFoXDTE4MDMyNTIyMTc1MFowFzEV\nMBMGA1UEAwwMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRVrNlEN2ocYscAILBU7NggABo0JgA1rEGdYdCQj1nHKL6xKONJIUfBibe6iMVYd3\nRUmPwaPiHNZJ98kRwHIwnKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU+dVX\naXoucU1godNF0bycS1U5W54wCgYIKoZIzj0EAwIDRwAwRAIgNsCGjpEjuvz6OKJ/\n3rOvMc2ZfDhD02K+0PCVFJGCQGwCIAzf3BS6x9kKSROJJvxDSpg0QK9+b9LSFkbZ\nM1PW98AN\n-----END CERTIFICATE-----\n",
    "nonce": "ea7102e8e88f119e",
    "serial-number": "PID:1 SN:widget1",
    "serial-number-issuer": "36097E3DEA39316EA4CE5C695BE905E78AF2FB5A",
    "version": "1"
  }
}
.
[signature goes here]

As per JWT RFC7519 this is what it looks like after URL-safe encoding. You can see that now the signature is included (look to the second to last line to see the second "." followed by a valid signature):

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.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.QkTUpcxv6Ng6ylyWYnlqun-5SFhD1XwLIW1kD7Y9dNwioheNMcVnowkELl_EMClyOWuLvvWuoCHAcWz_UA0IGw

Here is an equivalent PKCS7 voucher via asn1 dump. You'd have to look at the binary if you really want to decode it.
This voucher was generated by MCR during the hackathon:

pritikin@ubuntu:~/src/brski-project/brski_msgs$ openssl asn1parse -in mcr.voucher.txt.pkcs7
    0:d=0  hl=4 l=2706 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=2691 cons: cont [ 0 ]
   19:d=2  hl=4 l=2687 cons: SEQUENCE
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  15 cons: SET
   28:d=4  hl=2 l=  13 cons: SEQUENCE
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim: NULL
   43:d=3  hl=4 l=1644 cons: SEQUENCE
   47:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   58:d=4  hl=4 l=1629 cons: cont [ 0 ]
   62:d=5  hl=4 l=1625 prim: OCTET STRING      :{"ietf-voucher:voucher":{"nonce":"62a2e7693d82fcda2624de58fb6722e5","created-on":"2017-01-01T00:00:00.000Z","device-identifier":"00-d0-e5-f2-00-01","assertion":"logged","owner":"MIIEEzCCAvugAwIBAgIJAK6rFouvk+7YMA0GCSqGSIb3DQEBCwUAMIGfMQsw\nCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdh\nMRowGAYDVQQKDBFPd25lciBFeGFtcGxlIE9uZTERMA8GA1UECwwITm90IFZl\ncnkxGzAZBgNVBAMMEm93bmVyMS5leGFtcGxlLmNvbTEhMB8GCSqGSIb3DQEJ\nARYSb3duZXIxQGV4YW1wbGUuY29tMB4XDTE3MDMyNTE2MjkzNFoXDTE3MDQy\nNDE2MjkzNFowgZ8xCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8w\nDQYDVQQHDAZPdHRhd2ExGjAYBgNVBAoMEU93bmVyIEV4YW1wbGUgT25lMREw\nDwYDVQQLDAhOb3QgVmVyeTEbMBkGA1UEAwwSb3duZXIxLmV4YW1wbGUuY29t\nMSEwHwYJKoZIhvcNAQkBFhJvd25lcjFAZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QYAEnTtXgiKqsfSVYkgkHddFcP34\nOU3YP7ibrsgx0i9cyj7xOzWHOF2PsoKBgTRH75MSMhTl5UidrCszlluK+qp4\nd3Zg31oQM/HDmyRJyRpY+PC1n5Vx/Mj5VagRQbqG7XTDQCfCrhqIKrKBTuPQ\n4vYKeL0tQk4UJlPIoZXEmBk5dkn/Fzl9AfIZSvUzQ1QAhQ9oaLz5Nf5MWHPK\nUY+6b2zA/yQaXduPrVuxp7xCj11C/Ljlhl1/Hx16MJrV33MCbd+RKW711D/3\n0XlWSqEprdbKbqw8WMPjuJ1aoX8aQEWoL+xbomRQQJJoFaMPlzgdDcfoAHDU\nTsxd0+FN8pFHAgMBAAGjUDBOMB0GA1UdDgQWBBSqp5TwQtHsQy9oYLZb0D5W\n+licHDAfBgNVHSMEGDAWgBSqp5TwQtHsQy9oYLZb0D5W+licHDAMBgNVHRME\nBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBgSQGacjwxmbRrrBhW63gY5KaW\nim76rG45p3uh9A8WUfMWryCUufrFOm/QEJnlUUK3QX4KEVj2eywb9gsfkiCE\nyaJzxe665Q2BrWwe3rGVkAhO/fn8upec4E1ASc31ASaF8m+pYqCCPSflL5kV\nMefHG4lEs3XJkHceClRzyXvjb5Kj/u02C5YCjcALYd8/kcSbf4joe1GufvKF\n5wvPBPkRVfbW2KagL+jw62j+8U6oB7FbxtFyqQP1YoZGia9MkPKnK+yg5o/0\ncZ57hgk4mQmM1i82RrUZQVoBP3CD5LdBJZfJoXstRlXe6dX7+TisdSAspp5e\nhNm0BcqdLK+z8ntt\n"}}
 1691:d=3  hl=4 l= 557 cons: cont [ 0 ]
 1695:d=4  hl=4 l= 553 cons: SEQUENCE
 1699:d=5  hl=4 l= 431 cons: SEQUENCE
 1703:d=6  hl=2 l=   3 cons: cont [ 0 ]
 1705:d=7  hl=2 l=   1 prim: INTEGER           :02
 1708:d=6  hl=2 l=   1 prim: INTEGER           :01
 1711:d=6  hl=2 l=  10 cons: SEQUENCE
 1713:d=7  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 1723:d=6  hl=2 l=  77 cons: SEQUENCE
 1725:d=7  hl=2 l=  18 cons: SET
 1727:d=8  hl=2 l=  16 cons: SEQUENCE
 1729:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1741:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 1745:d=7  hl=2 l=  25 cons: SET
 1747:d=8  hl=2 l=  23 cons: SEQUENCE
 1749:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1761:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 1772:d=7  hl=2 l=  28 cons: SET
 1774:d=8  hl=2 l=  26 cons: SEQUENCE
 1776:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1781:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 1802:d=6  hl=2 l=  30 cons: SEQUENCE
 1804:d=7  hl=2 l=  13 prim: UTCTIME           :160507023655Z
 1819:d=7  hl=2 l=  13 prim: UTCTIME           :180507023655Z
 1834:d=6  hl=2 l=  77 cons: SEQUENCE
 1836:d=7  hl=2 l=  18 cons: SET
 1838:d=8  hl=2 l=  16 cons: SEQUENCE
 1840:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1852:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 1856:d=7  hl=2 l=  25 cons: SET
 1858:d=8  hl=2 l=  23 cons: SEQUENCE
 1860:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1872:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 1883:d=7  hl=2 l=  28 cons: SET
 1885:d=8  hl=2 l=  26 cons: SEQUENCE
 1887:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1892:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 1913:d=6  hl=2 l= 118 cons: SEQUENCE
 1915:d=7  hl=2 l=  16 cons: SEQUENCE
 1917:d=8  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
 1926:d=8  hl=2 l=   5 prim: OBJECT            :secp384r1
 1933:d=7  hl=2 l=  98 prim: BIT STRING
 2033:d=6  hl=2 l=  99 cons: cont [ 3 ]
 2035:d=7  hl=2 l=  97 cons: SEQUENCE
 2037:d=8  hl=2 l=  15 cons: SEQUENCE
 2039:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 2044:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 2047:d=9  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 2054:d=8  hl=2 l=  14 cons: SEQUENCE
 2056:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 2061:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 2064:d=9  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
 2070:d=8  hl=2 l=  29 cons: SEQUENCE
 2072:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 2077:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
 2101:d=8  hl=2 l=  31 cons: SEQUENCE
 2103:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 2108:d=9  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
 2134:d=5  hl=2 l=  10 cons: SEQUENCE
 2136:d=6  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 2146:d=5  hl=2 l= 104 prim: BIT STRING
 2252:d=3  hl=4 l= 454 cons: SET
 2256:d=4  hl=4 l= 450 cons: SEQUENCE
 2260:d=5  hl=2 l=   1 prim: INTEGER           :01
 2263:d=5  hl=2 l=  82 cons: SEQUENCE
 2265:d=6  hl=2 l=  77 cons: SEQUENCE
 2267:d=7  hl=2 l=  18 cons: SET
 2269:d=8  hl=2 l=  16 cons: SEQUENCE
 2271:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 2283:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 2287:d=7  hl=2 l=  25 cons: SET
 2289:d=8  hl=2 l=  23 cons: SEQUENCE
 2291:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 2303:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 2314:d=7  hl=2 l=  28 cons: SET
 2316:d=8  hl=2 l=  26 cons: SEQUENCE
 2318:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 2323:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 2344:d=6  hl=2 l=   1 prim: INTEGER           :01
 2347:d=5  hl=2 l=  13 cons: SEQUENCE
 2349:d=6  hl=2 l=   9 prim: OBJECT            :sha256
 2360:d=6  hl=2 l=   0 prim: NULL
 2362:d=5  hl=3 l= 228 cons: cont [ 0 ]
 2365:d=6  hl=2 l=  24 cons: SEQUENCE
 2367:d=7  hl=2 l=   9 prim: OBJECT            :contentType
 2378:d=7  hl=2 l=  11 cons: SET
 2380:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 2391:d=6  hl=2 l=  28 cons: SEQUENCE
 2393:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 2404:d=7  hl=2 l=  15 cons: SET
 2406:d=8  hl=2 l=  13 prim: UTCTIME           :170325220308Z
 2421:d=6  hl=2 l=  47 cons: SEQUENCE
 2423:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 2434:d=7  hl=2 l=  34 cons: SET
 2436:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:552DD2EE5CBC4C7C4D207F98A2519F031EE10074D674265A7DD0CA73E68BE57D
 2470:d=6  hl=2 l= 121 cons: SEQUENCE
 2472:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
 2483:d=7  hl=2 l= 108 cons: SET
 2485:d=8  hl=2 l= 106 cons: SEQUENCE
 2487:d=9  hl=2 l=  11 cons: SEQUENCE
 2489:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
 2500:d=9  hl=2 l=  11 cons: SEQUENCE
 2502:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
 2513:d=9  hl=2 l=  11 cons: SEQUENCE
 2515:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
 2526:d=9  hl=2 l=  10 cons: SEQUENCE
 2528:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
 2538:d=9  hl=2 l=  14 cons: SEQUENCE
 2540:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2550:d=10 hl=2 l=   2 prim: INTEGER           :80
 2554:d=9  hl=2 l=  13 cons: SEQUENCE
 2556:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2566:d=10 hl=2 l=   1 prim: INTEGER           :40
 2569:d=9  hl=2 l=   7 cons: SEQUENCE
 2571:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
 2578:d=9  hl=2 l=  13 cons: SEQUENCE
 2580:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2590:d=10 hl=2 l=   1 prim: INTEGER           :28
 2593:d=5  hl=2 l=  10 cons: SEQUENCE
 2595:d=6  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 2605:d=5  hl=2 l= 103 prim: OCTET STRING      [HEX DUMP]:3065023100E60EAF73A69826077CF6B760AF9BD1C9BF723D0E84812B06B5A8B7C252362394D98E1B5B4C02D8ACD8DA5BD2248D51EA02306B5BDBDFFBB022A1E039A1847259D2E0AA332E12D24053B3E7ECA6D18EA821E29A53D93EE3BA4DE7D8C594C51736511C

And this is the "encoded" form:

-----BEGIN PKCS7-----
MIIKkgYJKoZIhvcNAQcCoIIKgzCCCn8CAQExDzANBglghkgBZQMEAgEFADCCBmwG
CSqGSIb3DQEHAaCCBl0EggZZeyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6eyJub25j
ZSI6IjYyYTJlNzY5M2Q4MmZjZGEyNjI0ZGU1OGZiNjcyMmU1IiwiY3JlYXRlZC1v
biI6IjIwMTctMDEtMDFUMDA6MDA6MDAuMDAwWiIsImRldmljZS1pZGVudGlmaWVy
IjoiMDAtZDAtZTUtZjItMDAtMDEiLCJhc3NlcnRpb24iOiJsb2dnZWQiLCJvd25l
ciI6Ik1JSUVFekNDQXZ1Z0F3SUJBZ0lKQUs2ckZvdXZrKzdZTUEwR0NTcUdTSWIz
RFFFQkN3VUFNSUdmTVFzd1xuQ1FZRFZRUUdFd0pEUVRFUU1BNEdBMVVFQ0F3SFQy
NTBZWEpwYnpFUE1BMEdBMVVFQnd3R1QzUjBZWGRoXG5NUm93R0FZRFZRUUtEQkZQ
ZDI1bGNpQkZlR0Z0Y0d4bElFOXVaVEVSTUE4R0ExVUVDd3dJVG05MElGWmxcbmNu
a3hHekFaQmdOVkJBTU1FbTkzYm1WeU1TNWxlR0Z0Y0d4bExtTnZiVEVoTUI4R0NT
cUdTSWIzRFFFSlxuQVJZU2IzZHVaWEl4UUdWNFlXMXdiR1V1WTI5dE1CNFhEVEUz
TURNeU5URTJNamt6TkZvWERURTNNRFF5XG5OREUyTWprek5Gb3dnWjh4Q3pBSkJn
TlZCQVlUQWtOQk1SQXdEZ1lEVlFRSURBZFBiblJoY21sdk1ROHdcbkRRWURWUVFI
REFaUGRIUmhkMkV4R2pBWUJnTlZCQW9NRVU5M2JtVnlJRVY0WVcxd2JHVWdUMjVs
TVJFd1xuRHdZRFZRUUxEQWhPYjNRZ1ZtVnllVEViTUJrR0ExVUVBd3dTYjNkdVpY
SXhMbVY0WVcxd2JHVXVZMjl0XG5NU0V3SHdZSktvWklodmNOQVFrQkZoSnZkMjVs
Y2pGQVpYaGhiWEJzWlM1amIyMHdnZ0VpTUEwR0NTcUdcblNJYjNEUUVCQVFVQUE0
SUJEd0F3Z2dFS0FvSUJBUUM0UVlBRW5UdFhnaUtxc2ZTVllrZ2tIZGRGY1AzNFxu
T1UzWVA3aWJyc2d4MGk5Y3lqN3hPeldIT0YyUHNvS0JnVFJINzVNU01oVGw1VWlk
ckNzemxsdUsrcXA0XG5kM1pnMzFvUU0vSERteVJKeVJwWStQQzFuNVZ4L01qNVZh
Z1JRYnFHN1hURFFDZkNyaHFJS3JLQlR1UFFcbjR2WUtlTDB0UWs0VUpsUElvWlhF
bUJrNWRrbi9Gemw5QWZJWlN2VXpRMVFBaFE5b2FMejVOZjVNV0hQS1xuVVkrNmIy
ekEveVFhWGR1UHJWdXhwN3hDajExQy9MamxobDEvSHgxNk1KclYzM01DYmQrUktX
NzExRC8zXG4wWGxXU3FFcHJkYkticXc4V01QanVKMWFvWDhhUUVXb0wreGJvbVJR
UUpKb0ZhTVBsemdkRGNmb0FIRFVcblRzeGQwK0ZOOHBGSEFnTUJBQUdqVURCT01C
MEdBMVVkRGdRV0JCU3FwNVR3UXRIc1F5OW9ZTFpiMEQ1V1xuK2xpY0hEQWZCZ05W
SFNNRUdEQVdnQlNxcDVUd1F0SHNReTlvWUxaYjBENVcrbGljSERBTUJnTlZIUk1F
XG5CVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmdTUUdhY2p3eG1i
UnJyQmhXNjNnWTVLYVdcbmltNzZyRzQ1cDN1aDlBOFdVZk1XcnlDVXVmckZPbS9R
RUpubFVVSzNRWDRLRVZqMmV5d2I5Z3Nma2lDRVxueWFKenhlNjY1UTJCcld3ZTNy
R1ZrQWhPL2ZuOHVwZWM0RTFBU2MzMUFTYUY4bStwWXFDQ1BTZmxMNWtWXG5NZWZI
RzRsRXMzWEprSGNlQ2xSenlYdmpiNUtqL3UwMkM1WUNqY0FMWWQ4L2tjU2JmNGpv
ZTFHdWZ2S0ZcbjV3dlBCUGtSVmZiVzJLYWdMK2p3NjJqKzhVNm9CN0ZieHRGeXFR
UDFZb1pHaWE5TWtQS25LK3lnNW8vMFxuY1o1N2hnazRtUW1NMWk4MlJyVVpRVm9C
UDNDRDVMZEJKWmZKb1hzdFJsWGU2ZFg3K1Rpc2RTQXNwcDVlXG5oTm0wQmNxZExL
K3o4bnR0XG4ifX2gggItMIICKTCCAa+gAwIBAgIBATAKBggqhkjOPQQDAjBNMRIw
EAYKCZImiZPyLGQBGRYCY2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHDAa
BgNVBAMME1Vuc3RydW5nIEhpZ2h3YXkgQ0EwHhcNMTYwNTA3MDIzNjU1WhcNMTgw
NTA3MDIzNjU1WjBNMRIwEAYKCZImiZPyLGQBGRYCY2ExGTAXBgoJkiaJk/IsZAEZ
FglzYW5kZWxtYW4xHDAaBgNVBAMME1Vuc3RydW5nIEhpZ2h3YXkgQ0EwdjAQBgcq
hkjOPQIBBgUrgQQAIgNiAASqSixrp/Zj0Omnzho8bLONYgrPsxrL3DTmJkqiyZ4T
we/LK3+/iwBgWnohKrOVvO1POtaDHdBuiUjX2CBM66Fg18NSyvwzEJEtFLutFL7S
cjDYA8JzPLClw0zt/YBad+CjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
BAQDAgEGMB0GA1UdDgQWBBQljt8tUXiPDOyHKiL71P6+BnbrBzAfBgNVHSMEGDAW
gBQljt8tUXiPDOyHKiL71P6+BnbrBzAKBggqhkjOPQQDAgNoADBlAjB6dhfujag2
xQEgOUr19iWwAyOhu9nHUfcqXhGb6i3nDuKfeIU7Am/WzvAAmqAWXyQCMQDTLKaN
vf2k//JcW+4+xapVhW83t8UdlMk0+Eoe/YnKPj/a1WIOuzzh6zJtCYjlimYxggHG
MIIBwgIBATBSME0xEjAQBgoJkiaJk/IsZAEZFgJjYTEZMBcGCgmSJomT8ixkARkW
CXNhbmRlbG1hbjEcMBoGA1UEAwwTVW5zdHJ1bmcgSGlnaHdheSBDQQIBATANBglg
hkgBZQMEAgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3
DQEJBTEPFw0xNzAzMjUyMjAzMDhaMC8GCSqGSIb3DQEJBDEiBCBVLdLuXLxMfE0g
f5iiUZ8DHuEAdNZ0Jlp90Mpz5ovlfTB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFl
AwQBKjALBglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqG
SIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIB
KDAKBggqhkjOPQQDAgRnMGUCMQDmDq9zppgmB3z2t2Cvm9HJv3I9DoSBKwa1qLfC
UjYjlNmOG1tMAtis2Npb0iSNUeoCMGtb29/7sCKh4DmhhHJZ0uCqMy4S0kBTs+fs
ptGOqCHimlPZPuO6TefYxZTFFzZRHA==
-----END PKCS7-----

_______________________________________________
Anima-bootstrap mailing list
Anima-bootstrap@ietf.org
https://www.ietf.org/mailman/listinfo/anima-bootstrap
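The concrete difference between the two containers under discussion, as an added example that is not part of either message above and not the hackathon tooling: a JWS compact serialization carries an ECDSA signature in its third segment as the raw concatenation r||s, each coordinate zero-padded to the curve size (RFC 7518 section 3.4), while the PKCS#7/CMS SignerInfo carries the DER ECDSA-Sig-Value SEQUENCE { r INTEGER, s INTEGER } that the asn1parse dump shows as a 103-byte OCTET STRING. The block below, using only the Python standard library, decodes both forms, converts each into the other, and checks that the two posted signatures (the third segment of the ES256 JWT and the hex dump at offset 2605 of the PKCS#7) round-trip. The 48-byte coordinate width for the PKCS#7 signature follows from the secp384r1 key in the dump; function names and the sample header/payload strings are illustrative.

```python
"""Added example: JWS raw r||s versus CMS/PKCS#7 DER ECDSA-Sig-Value.

The two inputs below are copied from the examples posted in this thread;
everything else (names, sample strings) is illustrative.  Stdlib only.
"""
import base64

# Third segment of the ES256 JWT example posted above (P-256: two 32-byte coordinates).
JWS_EXAMPLE_SIG = (
    "QkTUpcxv6Ng6ylyWYnlqun-5SFhD1XwLIW1kD7Y9dNwioheNMcVnowkELl_EMClyOWuLvvWuoCHAcWz_UA0IGw"
)
# The 103-byte OCTET STRING at offset 2605 of the PKCS#7 asn1parse dump above (P-384 signer key).
PKCS7_EXAMPLE_SIG_HEX = (
    "3065023100E60EAF73A69826077CF6B760AF9BD1C9BF723D0E84812B06B5A8B7C252362394D98E1B5B4C02D8ACD8DA5BD2248D51EA"
    "02306B5BDBDFFBB022A1E039A1847259D2E0AA332E12D24053B3E7ECA6D18EA821E29A53D93EE3BA4DE7D8C594C51736511C"
)


def b64url_decode(s):
    """JWS base64url omits '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def split_compact(jws):
    """Split 'header.payload.signature'; a compact JWS has exactly two dots."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return tuple(parts)


def signing_input(header_b64, payload_b64):
    """RFC 7515 s5.1: the signature covers ASCII(BASE64URL(header) '.' BASE64URL(payload)),
    so the protected header (alg, x5c, ...) is authenticated together with the voucher."""
    return (header_b64 + "." + payload_b64).encode("ascii")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(x):
    # Minimal positive INTEGER: the +8 forces a leading 0x00 byte when the high bit is set.
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_sig_to_raw(der, coord_len):
    """CMS/PKCS#7 ECDSA-Sig-Value DER -> JWS raw r||s, coord_len bytes per value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        t, v, pos = _read_tlv(seq, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(v, "big", signed=True))
    if len(ints) != 2:
        raise ValueError("expected exactly r and s")
    for x in ints:
        if not 0 < x < (1 << (8 * coord_len)):
            raise ValueError("r or s out of range for this coordinate size")
    return b"".join(x.to_bytes(coord_len, "big") for x in ints)


def raw_sig_to_der(raw):
    """JWS raw r||s -> CMS/PKCS#7 ECDSA-Sig-Value DER."""
    if len(raw) == 0 or len(raw) % 2:
        raise ValueError("raw r||s must be a non-empty even number of bytes")
    half = len(raw) // 2
    body = _der_int(int.from_bytes(raw[:half], "big")) + _der_int(int.from_bytes(raw[half:], "big"))
    return b"\x30" + _der_len(len(body)) + body


def compare_examples():
    """Decode both posted signatures and check each converts into the other's form."""
    jws_raw = b64url_decode(JWS_EXAMPLE_SIG)
    cms_der = bytes.fromhex(PKCS7_EXAMPLE_SIG_HEX)
    cms_raw = der_sig_to_raw(cms_der, 48)  # secp384r1 signer key in the dump: 48-byte coordinates
    return {
        "jws_raw_len": len(jws_raw),        # 64 = two 32-byte P-256 coordinates
        "jws_as_der_len": len(raw_sig_to_der(jws_raw)),
        "cms_der_len": len(cms_der),        # 103, matching "l= 103" in the asn1parse line
        "cms_raw_len": len(cms_raw),        # 96 = two 48-byte P-384 coordinates
        "cms_roundtrip_ok": raw_sig_to_der(cms_raw) == cms_der,
        "jws_roundtrip_ok": der_sig_to_raw(raw_sig_to_der(jws_raw), 32) == jws_raw,
    }


if __name__ == "__main__":
    for k, v in compare_examples().items():
        print(f"{k}: {v}")
```

Two things the output makes visible that the dumps alone do not: the JWS form is fixed-width (64 bytes for ES256, 96 for ES384) and carries no length or sign bytes, whereas the DER form varies by one byte per coordinate depending on whether the high bit of r or s is set, which is why the posted PKCS#7 signature is 103 bytes rather than 102; and the conversion is lossless in both directions, so a verifier that only speaks one encoding can be fed the other.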