Re: [Anima] AUTH48 request for CSR example

Eliot Lear <lear@cisco.com> Wed, 14 April 2021 09:15 UTC

From: Eliot Lear <lear@cisco.com>
To: Brian Carpenter <brian.e.carpenter@gmail.com>
Cc: Esko Dijk <esko.dijk@iotconsultancy.nl>, Michael Richardson <mcr@sandelman.ca>, "Max Pritikin (pritikin)" <pritikin@cisco.com>, lamps@ietf.org, "Michael H. Behringer" <Michael.H.Behringer@gmail.com>, Toerless Eckert <tte+ietf@cs.fau.de>, Kent Watsen <kent+ietf@watsen.net>, Anima WG <anima@ietf.org>, Mudumbai Ranganathan <mranga@gmail.com>
Date: Wed, 14 Apr 2021 11:15:08 +0200
Subject: Re: [Anima] AUTH48 request for CSR example
Message-Id: <954E5ED0-1C2A-40B6-B945-0523AC81C4BF@cisco.com>
In-Reply-To: <CANMZLAY0hOrvJfD6aZvvxPOZ_+CWUYK0SUgCmNPBOukhhReLrA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/736GcqwJTeZYrYo9_MAS_0ktZaU>

No.

> On 14 Apr 2021, at 11:04, Brian Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> Is this worth the extra delay? A change like this is hardly editorial & I do not think we want to wait for a mini last call. I am against any non-essential change.
> 
> Regards,
>     Brian Carpenter
>     (via tiny screen & keyboard)
> 
> On Wed, 14 Apr 2021, 20:27 Esko Dijk, <esko.dijk@iotconsultancy.nl> wrote:
> Hi,
> 
> It would be a good idea to add a practical example of the CSR attributes response. Is there a particular reason to have an example with very little content in it, i.e. 1 root-level attribute only?
> In RFC 7030:
>    The structure of the CSR Attributes Response SHOULD, to the greatest
>    extent possible, reflect the structure of the CSR it is requesting.
> 
> So I would expect to have a data structure that defines for example what Subject DN attributes the client should include. Or particular choice of crypto system, signature scheme etc.
> Given the amount of confusion around this particular data structure, examples would be good. Or maybe explain why having a "minimal" CSR attributes response is a good thing?
> I can imagine it is good if the Registrar puts as little as possible requirements on the Pledge how to structure its CSR and only MUST-have fields (like ACP related ones?) are indicated.
> 
> Here another example:
> 
> 30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03 02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07
> 
> SEQUENCE (5 elem)
>   OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
>   OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component)
>   OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
>   OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
>   SEQUENCE (2 elem)
>     OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
>     SET (1 elem)
>       OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
> 
> Not sure whether this is better or worse, in terms of usage of CSR attributes in practice. But it is at least clearer, from an explanation point of view, what this data was intended for.
> 
> Esko
> 
> -----Original Message-----
> From: Michael Richardson <mcr@sandelman.ca>
> Sent: Wednesday, April 14, 2021 01:56
> To: anima@ietf.org; lamps@ietf.org; Esko Dijk <esko.dijk@iotconsultancy.nl>; Mudumbai Ranganathan <mranga@gmail.com>
> Cc: pritikin@cisco.com; tte+ietf@cs.fau.de; Michael.H.Behringer@gmail.com; kent+ietf@watsen.net
> Subject: AUTH48 request for CSR example
> 
> https://github.com/anima-wg/anima-bootstrap/issues/20 asks me to provide an
> example of a CSR attributes reply.  I have one, it looks like:
> 
> obiwan-[files/product/00-D0-E5-F2-00-02](2.6.6) mcr 11413 %openssl asn1parse -in csrattr.der -inform der
>     0:d=0  hl=2 l=  72 cons: SEQUENCE
>     2:d=1  hl=2 l=  70 cons: SEQUENCE
>     4:d=2  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
>     9:d=2  hl=2 l=  63 cons: SET
>    11:d=3  hl=2 l=  61 cons: SEQUENCE
>    13:d=4  hl=2 l=  59 cons: cont [ 1 ]
>    15:d=5  hl=2 l=  57 prim: UTF8STRING        :rfcSELF+fd739fc23c3440112233445500000000+@acp.example.com
> 
> I don't know if this is worth adding.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
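
The two CSR attributes examples in the thread (Esko's hex dump and Michael's openssl asn1parse output) are both instances of the RFC 7030 section 4.5.2 structure `CsrAttrs ::= SEQUENCE OF AttrOrOID`, where each `AttrOrOID` is either a bare `OBJECT IDENTIFIER` or an `Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }`. The decoder below is an added illustration, not code from the thread, the anima-bootstrap repository or any EST implementation. It decodes Esko's bytes exactly as posted; Michael's bytes are reconstructed here from the lengths in his asn1parse output (an assumption: his actual csrattr.der was not posted), and the `Attribute` class, function names and the text rendering of values are this example's own. It is deliberately strict, rejecting trailing bytes, truncated elements and unexpected tags, which is the behaviour a pledge wants when it consumes a registrar-supplied structure.

```python
"""Strict DER decoder for an EST CsrAttrs response (RFC 7030, section 4.5.2)."""
from dataclasses import dataclass
from typing import List, Tuple, Union

# Hex bytes exactly as Esko posted them in the thread above.
ESKO_CSRATTRS = bytes.fromhex(
    "30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03 02"
    " 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07")

# Assumed reconstruction from the openssl asn1parse output Michael quoted: SEQUENCE l=72 {
# SEQUENCE l=70 { OID 2.5.29.17, SET l=63 { SEQUENCE l=61 { [1] l=59 { UTF8String l=57 } } } } }.
MCR_ACP_NAME = "rfcSELF+fd739fc23c3440112233445500000000+@acp.example.com"
MCR_CSRATTRS = bytes.fromhex("30 48 30 46 06 03 55 1D 11 31 3F 30 3D A1 3B 0C 39") + MCR_ACP_NAME.encode("ascii")


@dataclass
class Attribute:  # AttrOrOID.attribute: the type OID plus its SET OF values, rendered as text
    oid: str
    values: List[str]


def read_tlv(data: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Return (tag, constructed, content, next_pos) for the element at pos; reject truncation."""
    if pos + 2 > len(data):
        raise ValueError("truncated element header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in CsrAttrs")
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(data):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    if pos + length > len(data):
        raise ValueError("element runs past end of data")
    return tag, bool(tag & 0x20), data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form, e.g. 55 04 03 -> 2.5.4.3."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs = [content[0] // 40, content[0] % 40] if content[0] < 80 else [2, content[0] - 80]
    value = 0
    for octet in content[1:]:  # base-128 arcs; the high bit is set on every octet but an arc's last
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tag_name(tag: int) -> str:
    names = {0x30: "SEQUENCE", 0x31: "SET", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String"}
    return f"[{tag & 0x1F}]" if tag & 0xC0 == 0x80 else names.get(tag, f"tag 0x{tag:02x}")


def render_value(tag: int, constructed: bool, content: bytes) -> str:
    """Render one SET member as text; constructed values (e.g. GeneralNames) recurse."""
    if tag == 0x06:
        return decode_oid(content)
    if tag == 0x0C:
        return content.decode("utf-8")
    if not constructed:
        return f"{tag_name(tag)}:{content.hex()}"
    inner, pos = [], 0
    while pos < len(content):
        t, c, v, pos = read_tlv(content, pos)
        inner.append(render_value(t, c, v))
    return f"{tag_name(tag)}({', '.join(inner)})"


def parse_attribute(body: bytes) -> Attribute:
    tag, _, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("Attribute.type must be an OID")
    tag, _, set_content, pos = read_tlv(body, pos)
    if tag != 0x31 or pos != len(body) or not set_content:
        raise ValueError("Attribute.values must be a non-empty SET that ends the attribute")
    values, p = [], 0
    while p < len(set_content):
        t, c, v, p = read_tlv(set_content, p)
        values.append(render_value(t, c, v))
    return Attribute(decode_oid(oid_bytes), values)


def parse_csrattrs(der: bytes) -> List[Union[str, Attribute]]:
    """Parse a CsrAttrs blob into OID strings (bare AttrOrOID.oid) and Attribute records."""
    tag, _, content, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CsrAttrs must be exactly one SEQUENCE with no trailing bytes")
    items, pos = [], 0
    while pos < len(content):
        tag, _, body, pos = read_tlv(content, pos)
        if tag == 0x06:
            items.append(decode_oid(body))
        elif tag == 0x30:
            items.append(parse_attribute(body))
        else:
            raise ValueError(f"unexpected {tag_name(tag)} at top level of CsrAttrs")
    return items


if __name__ == "__main__":
    print(parse_csrattrs(ESKO_CSRATTRS))  # four bare OIDs, then ecPublicKey with prime256v1
    print(parse_csrattrs(MCR_CSRATTRS))   # one subjectAltName attribute carrying the ACP name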