Re: [Anima-bootstrap] Voucher signing method

Kent Watsen <kwatsen@juniper.net> Wed, 03 May 2017 01:25 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>, "anima@ietf.org" <anima@ietf.org>
CC: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Thread-Topic: [Anima-bootstrap] Voucher signing method
Thread-Index: AQHSw6vLF2XUnWVoW0q/VYcsqILMZg==
Date: Wed, 3 May 2017 01:22:57 +0000
Message-ID: <88FB0F4F-2816-4BCE-A775-EBEE1CFCC0CD@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/sMRliflygXwRwUWaU4max7gej6M>

I've had some time now to investigate JWS, in particular, reproducing some examples in RFCs 7515 and 7520 using nothing but shell scripts and the `openssl` command line utility.

I want to like JWS, but I wish the header was in a more technology-neutral format; it being JSON seems weird to me.  Had this been done, it would be a nice general-purpose signature format.  Size-wise, JWS grows the size of the data by 33% when b64 encoding it for the "compact serialization" form, which is actually a 65-character alphabet including '.'.  It seems that a binary header could've also allowed for a binary payload and signature, which would've been perfect, in my opinion.  [Of course, the entire binary blob could still be base64url-encoded for those that want it, without forcing it on those that don't]

The example voucher you obtained from mcr wasn't as trimmed down as it could've been, using the -noattr and -nocert options, which is one reason the asn1parse dump looks as busy as it does.  Another being that the owner/domain-cert-trusted-ca encode very different certs (is one ec while the other is rsa?)

In the end, JWS appears to be just another signature format with its own set of peculiarities.  And given that we already have to support ASN.1 (the voucher encodes both an X.509 cert as well as an X.509 certificate chain), not to mention the need for the MASA to have a PKIX infrastructure, it's not clear to me if this is a good trade at all.

Lastly, as mentioned before, my netconf zerotouch draft uses CMS/PKCS7 elsewhere.  While it would be trivial to update the draft to use a JWS-based format, it would be awkward for clients to have to consider it at all.

Kent


-----ORIGINAL MESSAGE-----

Folks, in Chicago we discussed the signing method for vouchers. 

Because the voucher is JSON, and there is expectation of a CBOR encoding for future work, there is an open discussion point about using the JWS/COSE signing methods, if not JWT/CWT. There was brief discussion of this at IETF98 and one person indicated they liked PKCS7, others indicated JWT and others did not speak up. Full meeting minutes might provide more information but my recollection was that we'd move the discussion to the list. This thread is for that discussion.

The current text of draft-ietf-anima-voucher-02 is:

> The voucher is signed a PKCS#7 SignedData structure, as specified by Section 9.1
> of [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.


For concrete discussion, the proposed change is:

> The voucher is a JWT [RFC7519] signed token.


I’ve updated my tooling that was used during the IETF98 hackathon to support a JWT token format; I did this as homework to be informed for the discussion. 

MY POSITION: is that I appreciate the simplicity of the JWS signing and feel it is a good match for us. It was easy enough to implement, was a refreshing change from the ASN1 complexity of PKCS7, and seems to provide a good path toward CBOR/COSE in a future document without maintaining PKCS7/CMS technical debt or revisiting/rewriting too much. 

QUESTION FOR THE WORKING GROUP: What is your position? Why? 

What follows is a dump of the raw JWS before signing (the equivalent PKCS7/CMS structure would be the SignedData asn1 structures, which are hard to capture). After that is an encoded and signed voucher. Further below is an example of a PKCS7 signed voucher.

Please note these characteristics:

a) From JWT RFC7519: "JWTs are always represented using the JWS Compact Serialization". There are some JWT headers that overlap with voucher fields. I'm using JWT here, but the distinction between JWS/JWT is not fundamental to our discussion. The important point is JWS vs PKCS7.

b) I've added the x5c header to the JWS. This is used to carry the certificate chain of the signer. Our current voucher format indicates PKCS7, which supports an equivalent field called "CertificateSet structure". It's in the BRSKI document that we specify "The entire certificate chain, up to and including the Domain CA, MUST be included in the CertificateSet structure". With the transition to JWT we'd be specifying that the x5c header be fully populated up to and including the Domain CA etc.

c) From these examples we can’t directly compare size encodings. I don’t think this is a significant aspect of the conversation but can create comparable examples if folks feel that is necessary. 

The dumps:

A debug dump of the JWT form before encoding:
{
   "typ": "JWT",
   "alg": "ES256",
   "x5c": ["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", "MIIBnTCCAUOgAwIBAgIJAK9Pd5G+/r0UMAoGCCqGSM49BAMCMCsxFjAUBgNVBAoMDUNpc2NvIFN5c3RlbXMxETAPBgNVBAMMCFZlbmRvckNBMB4XDTE3MDQwMzE0MTAwNVoXDTE4MDQwMzE0MTAwNVowKzEWMBQGA1UECgwNQ2lzY28gU3lzdGVtczERMA8GA1UEAwwIVmVuZG9yQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASunsQL2PVOSFWWp0oCjlqF8iVPPpEgJct931CZQ6assp07otmfgZqXsk1JYRTlKCGjROxrAiVRQsB54ioA0yu0o1AwTjAdBgNVHQ4EFgQUR4oEpb4YFuelkMrQjlnKtM01ovEwHwYDVR0jBBgwFoAUR4oEpb4YFuelkMrQjlnKtM01ovEwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEA+SSOhiNQ23RWA76kZ/2u70FCpU8OsU7X9IRiWGDgIAgCIFLu8FnJuqPx10sgHvIzqI5BgOcwCa5vFQZdCDBHIx18"]
}
.
{
   "ietf-voucher:voucher": {
       "assertion": "logging",
       "domain-cert-trusted-ca": "-----BEGIN CERTIFICATE-----\nMIIBUjCB+qADAgECAgkAwP4qKsGyQlYwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAwwM\nZXN0RXhhbXBsZUNBMB4XDTE3MDMyNTIyMTc1MFoXDTE4MDMyNTIyMTc1MFowFzEV\nMBMGA1UEAwwMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRVrNlEN2ocYscAILBU7NggABo0JgA1rEGdYdCQj1nHKL6xKONJIUfBibe6iMVYd3\nRUmPwaPiHNZJ98kRwHIwnKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU+dVX\naXoucU1godNF0bycS1U5W54wCgYIKoZIzj0EAwIDRwAwRAIgNsCGjpEjuvz6OKJ/\n3rOvMc2ZfDhD02K+0PCVFJGCQGwCIAzf3BS6x9kKSROJJvxDSpg0QK9+b9LSFkbZ\nM1PW98AN\n-----END CERTIFICATE-----\n",
       "nonce": "ea7102e8e88f119e",
       "serial-number": "PID:1 SN:widget1",
       "serial-number-issuer": "36097E3DEA39316EA4CE5C695BE905E78AF2FB5A",
       "version": "1"
   }
}
.
[signature goes here]

As per JWT RFC7519 this is what it looks like after URL-safe encoding. You can see that now the signature is included (look to the second to last line to see the second "." followed by a valid signature):

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.eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6eyJhc3NlcnRpb24iOiJsb2dnaW5nIiwiZG9tYWluLWNlcnQtdHJ1c3RlZC1jYSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJQlVqQ0IrcUFEQWdFQ0Fna0F3UDRxS3NHeVFsWXdDZ1lJS29aSXpqMEVBd0l3RnpFVk1CTUdBMVVFQXd3TVxuWlhOMFJYaGhiWEJzWlVOQk1CNFhEVEUzTURNeU5USXlNVGMxTUZvWERURTRNRE15TlRJeU1UYzFNRm93RnpFVlxuTUJNR0ExVUVBd3dNWlhOMFJYaGhiWEJzWlVOQk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVxuUlZyTmxFTjJvY1lzY0FJTEJVN05nZ0FCbzBKZ0ExckVHZFlkQ1FqMW5IS0w2eEtPTkpJVWZCaWJlNmlNVllkM1xuUlVtUHdhUGlITlpKOThrUndISXduS012TUMwd0RBWURWUjBUQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVK2RWWFxuYVhvdWNVMWdvZE5GMGJ5Y1MxVTVXNTR3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnTnNDR2pwRWp1dno2T0tKL1xuM3JPdk1jMlpmRGhEMDJLKzBQQ1ZGSkdDUUd3Q0lBemYzQlM2eDlrS1NST0pKdnhEU3BnMFFLOStiOUxTRmtiWlxuTTFQVzk4QU5cbi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS1cbiIsIm5vbmNlIjoiZWE3MTAyZThlODhmMTE5ZSIsInNlcmlhbC1udW1iZXIiOiJQSUQ6MSBTTjp3aWRnZXQxIiwic2VyaWFsLW51bWJlci1pc3N1ZXIiOiIzNjA5N0UzREVBMzkzMTZFQTRDRTVDNjk1QkU5MDVFNzhBRjJGQjVBIiwidmVyc2lvbiI6IjEifX0.QkTUpcxv6Ng6ylyWYnlqun-5SFhD1XwLIW1kD7Y9dNwioheNMcVnowkELl_EMClyOWuLvvWuoCHAcWz_UA0IGw


Here is an equivalent PKCS7 voucher via asn1 dump. You’d have to look at the binary if you really want to decode it. This voucher was generated by MCR during the hackathon: 

pritikin@ubuntu:~/src/brski-project/brski_msgs$ openssl asn1parse -in mcr.voucher.txt.pkcs7
    0:d=0  hl=4 l=2706 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=2691 cons: cont [ 0 ]        
   19:d=2  hl=4 l=2687 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  15 cons: SET               
   28:d=4  hl=2 l=  13 cons: SEQUENCE          
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim: NULL              
   43:d=3  hl=4 l=1644 cons: SEQUENCE          
   47:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   58:d=4  hl=4 l=1629 cons: cont [ 0 ]        
   62:d=5  hl=4 l=1625 prim: OCTET STRING      :{"ietf-voucher:voucher":{"nonce":"62a2e7693d82fcda2624de58fb6722e5","created-on":"2017-01-01T00:00:00.000Z","device-identifier":"00-d0-e5-f2-00-01","assertion":"logged","owner":"MIIEEzCCAvugAwIBAgIJAK6rFouvk+7YMA0GCSqGSIb3DQEBCwUAMIGfMQsw\nCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdh\nMRowGAYDVQQKDBFPd25lciBFeGFtcGxlIE9uZTERMA8GA1UECwwITm90IFZl\ncnkxGzAZBgNVBAMMEm93bmVyMS5leGFtcGxlLmNvbTEhMB8GCSqGSIb3DQEJ\nARYSb3duZXIxQGV4YW1wbGUuY29tMB4XDTE3MDMyNTE2MjkzNFoXDTE3MDQy\nNDE2MjkzNFowgZ8xCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8w\nDQYDVQQHDAZPdHRhd2ExGjAYBgNVBAoMEU93bmVyIEV4YW1wbGUgT25lMREw\nDwYDVQQLDAhOb3QgVmVyeTEbMBkGA1UEAwwSb3duZXIxLmV4YW1wbGUuY29t\nMSEwHwYJKoZIhvcNAQkBFhJvd25lcjFAZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QYAEnTtXgiKqsfSVYkgkHddFcP34\nOU3YP7ibrsgx0i9cyj7xOzWHOF2PsoKBgTRH75MSMhTl5UidrCszlluK+qp4\nd3Zg31oQM/HDmyRJyRpY+PC1n5Vx/Mj5VagRQbqG7XTDQCfCrhqIKrKBTuPQ\n4vYKeL0tQk4UJlPIoZXEmBk5dkn/Fzl9AfIZSvUzQ1QAhQ9oaLz5Nf5MWHPK\nUY+6b2zA/yQaXduPrVuxp7xCj11C/Ljlhl1/Hx16MJrV33MCbd+RKW711D/3\n0XlWSqEprdbKbqw8WMPjuJ1aoX8aQEWoL+xbomRQQJJoFaMPlzgdDcfoAHDU\nTsxd0+FN8pFHAgMBAAGjUDBOMB0GA1UdDgQWBBSqp5TwQtHsQy9oYLZb0D5W\n+licHDAfBgNVHSMEGDAWgBSqp5TwQtHsQy9oYLZb0D5W+licHDAMBgNVHRME\nBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBgSQGacjwxmbRrrBhW63gY5KaW\nim76rG45p3uh9A8WUfMWryCUufrFOm/QEJnlUUK3QX4KEVj2eywb9gsfkiCE\nyaJzxe665Q2BrWwe3rGVkAhO/fn8upec4E1ASc31ASaF8m+pYqCCPSflL5kV\nMefHG4lEs3XJkHceClRzyXvjb5Kj/u02C5YCjcALYd8/kcSbf4joe1GufvKF\n5wvPBPkRVfbW2KagL+jw62j+8U6oB7FbxtFyqQP1YoZGia9MkPKnK+yg5o/0\ncZ57hgk4mQmM1i82RrUZQVoBP3CD5LdBJZfJoXstRlXe6dX7+TisdSAspp5e\nhNm0BcqdLK+z8ntt\n"}}
 1691:d=3  hl=4 l= 557 cons: cont [ 0 ]        
 1695:d=4  hl=4 l= 553 cons: SEQUENCE          
 1699:d=5  hl=4 l= 431 cons: SEQUENCE          
 1703:d=6  hl=2 l=   3 cons: cont [ 0 ]        
 1705:d=7  hl=2 l=   1 prim: INTEGER           :02
 1708:d=6  hl=2 l=   1 prim: INTEGER           :01
 1711:d=6  hl=2 l=  10 cons: SEQUENCE          
 1713:d=7  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 1723:d=6  hl=2 l=  77 cons: SEQUENCE          
 1725:d=7  hl=2 l=  18 cons: SET               
 1727:d=8  hl=2 l=  16 cons: SEQUENCE          
 1729:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1741:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 1745:d=7  hl=2 l=  25 cons: SET               
 1747:d=8  hl=2 l=  23 cons: SEQUENCE          
 1749:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1761:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 1772:d=7  hl=2 l=  28 cons: SET               
 1774:d=8  hl=2 l=  26 cons: SEQUENCE          
 1776:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1781:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 1802:d=6  hl=2 l=  30 cons: SEQUENCE          
 1804:d=7  hl=2 l=  13 prim: UTCTIME           :160507023655Z
 1819:d=7  hl=2 l=  13 prim: UTCTIME           :180507023655Z
 1834:d=6  hl=2 l=  77 cons: SEQUENCE          
 1836:d=7  hl=2 l=  18 cons: SET               
 1838:d=8  hl=2 l=  16 cons: SEQUENCE          
 1840:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1852:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 1856:d=7  hl=2 l=  25 cons: SET               
 1858:d=8  hl=2 l=  23 cons: SEQUENCE          
 1860:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1872:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 1883:d=7  hl=2 l=  28 cons: SET               
 1885:d=8  hl=2 l=  26 cons: SEQUENCE          
 1887:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1892:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 1913:d=6  hl=2 l= 118 cons: SEQUENCE          
 1915:d=7  hl=2 l=  16 cons: SEQUENCE          
 1917:d=8  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
 1926:d=8  hl=2 l=   5 prim: OBJECT            :secp384r1
 1933:d=7  hl=2 l=  98 prim: BIT STRING        
 2033:d=6  hl=2 l=  99 cons: cont [ 3 ]        
 2035:d=7  hl=2 l=  97 cons: SEQUENCE          
 2037:d=8  hl=2 l=  15 cons: SEQUENCE          
 2039:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 2044:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 2047:d=9  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 2054:d=8  hl=2 l=  14 cons: SEQUENCE          
 2056:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 2061:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 2064:d=9  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
 2070:d=8  hl=2 l=  29 cons: SEQUENCE          
 2072:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 2077:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
 2101:d=8  hl=2 l=  31 cons: SEQUENCE          
 2103:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 2108:d=9  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
 2134:d=5  hl=2 l=  10 cons: SEQUENCE          
 2136:d=6  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 2146:d=5  hl=2 l= 104 prim: BIT STRING        
 2252:d=3  hl=4 l= 454 cons: SET               
 2256:d=4  hl=4 l= 450 cons: SEQUENCE          
 2260:d=5  hl=2 l=   1 prim: INTEGER           :01
 2263:d=5  hl=2 l=  82 cons: SEQUENCE          
 2265:d=6  hl=2 l=  77 cons: SEQUENCE          
 2267:d=7  hl=2 l=  18 cons: SET               
 2269:d=8  hl=2 l=  16 cons: SEQUENCE          
 2271:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 2283:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 2287:d=7  hl=2 l=  25 cons: SET               
 2289:d=8  hl=2 l=  23 cons: SEQUENCE          
 2291:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 2303:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 2314:d=7  hl=2 l=  28 cons: SET               
 2316:d=8  hl=2 l=  26 cons: SEQUENCE          
 2318:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 2323:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 2344:d=6  hl=2 l=   1 prim: INTEGER           :01
 2347:d=5  hl=2 l=  13 cons: SEQUENCE          
 2349:d=6  hl=2 l=   9 prim: OBJECT            :sha256
 2360:d=6  hl=2 l=   0 prim: NULL              
 2362:d=5  hl=3 l= 228 cons: cont [ 0 ]        
 2365:d=6  hl=2 l=  24 cons: SEQUENCE          
 2367:d=7  hl=2 l=   9 prim: OBJECT            :contentType
 2378:d=7  hl=2 l=  11 cons: SET               
 2380:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 2391:d=6  hl=2 l=  28 cons: SEQUENCE          
 2393:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 2404:d=7  hl=2 l=  15 cons: SET               
 2406:d=8  hl=2 l=  13 prim: UTCTIME           :170325220308Z
 2421:d=6  hl=2 l=  47 cons: SEQUENCE          
 2423:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 2434:d=7  hl=2 l=  34 cons: SET               
 2436:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:552DD2EE5CBC4C7C4D207F98A2519F031EE10074D674265A7DD0CA73E68BE57D
 2470:d=6  hl=2 l= 121 cons: SEQUENCE          
 2472:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
 2483:d=7  hl=2 l= 108 cons: SET               
 2485:d=8  hl=2 l= 106 cons: SEQUENCE          
 2487:d=9  hl=2 l=  11 cons: SEQUENCE          
 2489:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
 2500:d=9  hl=2 l=  11 cons: SEQUENCE          
 2502:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
 2513:d=9  hl=2 l=  11 cons: SEQUENCE          
 2515:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
 2526:d=9  hl=2 l=  10 cons: SEQUENCE          
 2528:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
 2538:d=9  hl=2 l=  14 cons: SEQUENCE          
 2540:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2550:d=10 hl=2 l=   2 prim: INTEGER           :80
 2554:d=9  hl=2 l=  13 cons: SEQUENCE          
 2556:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2566:d=10 hl=2 l=   1 prim: INTEGER           :40
 2569:d=9  hl=2 l=   7 cons: SEQUENCE          
 2571:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
 2578:d=9  hl=2 l=  13 cons: SEQUENCE          
 2580:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2590:d=10 hl=2 l=   1 prim: INTEGER           :28
 2593:d=5  hl=2 l=  10 cons: SEQUENCE          
 2595:d=6  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 2605:d=5  hl=2 l= 103 prim: OCTET STRING      [HEX DUMP]:3065023100E60EAF73A69826077CF6B760AF9BD1C9BF723D0E84812B06B5A8B7C252362394D98E1B5B4C02D8ACD8DA5BD2248D51EA02306B5BDBDFFBB022A1E039A1847259D2E0AA332E12D24053B3E7ECA6D18EA821E29A53D93EE3BA4DE7D8C594C51736511C

And this is the “encoded” form:
-----BEGIN PKCS7-----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-----END PKCS7-----
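The JWS Compact Serialization that Max dumps above (base64url(header) "." base64url(payload) "." base64url(signature)) and the 33% base64 growth Kent mentions can both be shown with a few lines of standard-library Python. The block below is an added example written for this thread; it is not code from Kent, Max, the hackathon tooling, or any IETF draft. It assumes HS256 (HMAC-SHA256, a JWS-registered `alg`) as the signing algorithm only because the Python standard library has no ECDSA; the thread's vouchers use ES256, whose JWS signature is the raw 64-byte r||s concatenation rather than the DER SEQUENCE that `openssl dgst -sign` emits. The key, the `x5c` entry and the payload values are constructed sample data (the nonce and serial-number strings are copied from the dump above). The verifier rejects tokens whose `alg` is not on an explicit allowlist, which is the check that stops an `"alg":"none"` token from being accepted as signed.

```python
"""Added example: JWS Compact Serialization round trip for an ietf-voucher payload.
Not code from the thread. Uses HS256 as a stand-in for ES256 (see lead-in)."""
import base64
import hashlib
import hmac
import json
import string

# RFC 7515 Appendix C: base64url alphabet, no '=' padding on the wire.
_B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")
_TO_STD = str.maketrans("-_", "+/")

# Only algorithms the relying party deliberately supports. "none" is never here.
ALLOWED_ALGS = {"HS256"}

# Constructed sample key; a real deployment would use an ES256 private key.
SAMPLE_KEY = b"constructed-sample-hmac-key-not-for-production"

# Constructed header. The x5c entry is a tiny fake DER blob (SEQUENCE { INTEGER 1 }),
# standard base64 as RFC 7515 requires for x5c (not base64url), not a real cert.
SAMPLE_HEADER = {
    "typ": "JWT",
    "alg": "HS256",
    "x5c": [base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")],
}

# Payload shaped like the voucher in the thread; cert field replaced by a placeholder.
SAMPLE_VOUCHER = {
    "ietf-voucher:voucher": {
        "assertion": "logging",
        "domain-cert-trusted-ca": "<PEM-CERT-PLACEHOLDER>",
        "nonce": "ea7102e8e88f119e",
        "serial-number": "PID:1 SN:widget1",
        "version": "1",
    }
}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in every JWS compact segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict inverse of b64url_encode: rejects characters outside the alphabet."""
    if not set(text) <= _B64URL_ALPHABET:
        raise ValueError("segment contains non-base64url characters")
    padded = text.translate(_TO_STD) + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def jws_sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce header.payload.signature; the MAC covers the two encoded segments."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{h}.{p}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload only if the structure, alg and MAC all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS Compact Serialization must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none" and unexpected algs
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(p))


def verification_fails(token: str, key: bytes) -> bool:
    """True if the token is rejected; used to show tamper and alg=none handling."""
    try:
        jws_verify_hs256(token, key)
    except ValueError:
        return True
    return False


def x5c_chain(header: dict) -> list:
    """Decode the x5c header into DER byte strings (leaf first, per RFC 7515 4.1.6)."""
    return [base64.b64decode(entry, validate=True) for entry in header.get("x5c", [])]


def b64url_overhead(n_bytes: int) -> float:
    """Encoded-length / raw-length ratio; approaches 4/3 for non-trivial payloads."""
    return len(b64url_encode(b"\x00" * n_bytes)) / n_bytes


if __name__ == "__main__":
    token = jws_sign_hs256(SAMPLE_HEADER, SAMPLE_VOUCHER, SAMPLE_KEY)
    print(token)
    print(jws_verify_hs256(token, SAMPLE_KEY)["ietf-voucher:voucher"]["nonce"])
    print(f"base64url overhead for 1500 bytes: {b64url_overhead(1500):.3f}")
```

The `alg` allowlist is the piece most often missing from hand-rolled JWS verifiers: the header is attacker-controlled input until the signature has been checked, so the verifier must decide which algorithm it will accept before it looks at what the token claims. The strict base64url decoder matters for the same reason; a lenient decoder that silently drops stray characters lets two different strings verify as the same segment.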


_______________________________________________
Anima-bootstrap mailing list
Anima-bootstrap@ietf.org
https://www.ietf.org/mailman/listinfo/anima-bootstrap