Re: [Anima] AUTH48 request for CSR example

Esko Dijk <esko.dijk@iotconsultancy.nl> Wed, 14 April 2021 08:27 UTC

To: Michael Richardson <mcr@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>, "lamps@ietf.org" <lamps@ietf.org>, Mudumbai Ranganathan <mranga@gmail.com>
CC: "pritikin@cisco.com" <pritikin@cisco.com>, "tte+ietf@cs.fau.de" <tte+ietf@cs.fau.de>, "Michael.H.Behringer@gmail.com" <Michael.H.Behringer@gmail.com>, "kent+ietf@watsen.net" <kent+ietf@watsen.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/SolrEveMoP9gf36fVRXj9oRUOn4>

Hi,

It would be a good idea to add a practical example of the CSR attributes response. Is there a particular reason to have an example with very little content in it, i.e. only 1 root-level attribute?
In RFC 7030:
   The structure of the CSR Attributes Response SHOULD, to the greatest
   extent possible, reflect the structure of the CSR it is requesting.

So I would expect to have a data structure that defines for example what Subject DN attributes the client should include. Or particular choice of crypto system, signature scheme etc.
Given the amount of confusion around this particular data structure, examples would be good. Or maybe explain why having a "minimal" CSR attributes response is a good thing?
I can imagine it is good if the Registrar puts as few requirements as possible on the Pledge as to how to structure its CSR, and only MUST-have fields (like ACP-related ones?) are indicated.

Here is another example:

30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03 02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07

SEQUENCE (5 elem)
  OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
  OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component)
  OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
  OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
    SET (1 elem)
      OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)

Not sure whether this is better or worse in terms of usage of CSR attributes in practice. But it is at least clearer, from an explanation point of view, what this data was intended for.

Esko

-----Original Message-----
From: Michael Richardson <mcr@sandelman.ca> 
Sent: Wednesday, April 14, 2021 01:56
To: anima@ietf.org; lamps@ietf.org; Esko Dijk <esko.dijk@iotconsultancy.nl>; Mudumbai Ranganathan <mranga@gmail.com>
Cc: pritikin@cisco.com; tte+ietf@cs.fau.de; Michael.H.Behringer@gmail.com; kent+ietf@watsen.net
Subject: AUTH48 request for CSR example

https://github.com/anima-wg/anima-bootstrap/issues/20 asks me to provide an
example of a CSR attributes reply.  I have one, it looks like:

obiwan-[files/product/00-D0-E5-F2-00-02](2.6.6) mcr 11413 %openssl asn1parse -in csrattr.der -inform der
    0:d=0  hl=2 l=  72 cons: SEQUENCE
    2:d=1  hl=2 l=  70 cons: SEQUENCE
    4:d=2  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
    9:d=2  hl=2 l=  63 cons: SET
   11:d=3  hl=2 l=  61 cons: SEQUENCE
   13:d=4  hl=2 l=  59 cons: cont [ 1 ]
   15:d=5  hl=2 l=  57 prim: UTF8STRING        :rfcSELF+fd739fc23c3440112233445500000000+@acp.example.com

I don't know if this is worth adding.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
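Added example, not code from this thread, from RFC 7030 or from the anima-bootstrap project: a small strict DER decoder that parses a CSR Attributes response against the RFC 7030 CsrAttrs grammar (SEQUENCE OF CHOICE { OID, Attribute }). It is run on the hex bytes from Esko's reply above, and on a constructed sample that mirrors the Attribute shape (OID plus SET of values) seen in Michael's asn1parse output but is not his bytes. A Pledge consumes this structure from the Registrar, so the decoder rejects indefinite and non-minimal lengths, over-long lengths and elements that fit neither branch of the CHOICE rather than parsing leniently. Function names and the "a" sample value are assumptions made for this example.

```python
"""Strict decoder for an EST CSR Attributes response (RFC 7030, section 4.5.2).

    CsrAttrs  ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
    AttrOrOID ::= CHOICE { oid OBJECT IDENTIFIER, attribute Attribute }
    Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET SIZE (1..MAX) OF ANY }

Added example; not the project's or the RFC's own code.
"""

TAG_OID, TAG_SEQUENCE, TAG_SET = 0x06, 0x30, 0x31


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos).

    Rejects multi-byte tags, indefinite lengths, non-minimal long-form
    lengths and lengths that run past the buffer, so a malformed response
    from the Registrar cannot cause an over-read.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal form."""
    if not value or (value[-1] & 0x80):
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:                       # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(acc)
            acc = 0
    first = arcs[0]                       # first octet packs the first two arcs
    head = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    return ".".join(str(a) for a in head + arcs[1:])


def children(value):
    """Split a constructed value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def parse_csr_attrs(der):
    """Return a list describing each AttrOrOID; raise on any grammar violation."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("CsrAttrs must be exactly one SEQUENCE")
    result = []
    for tag, v in children(body):
        if tag == TAG_OID:                # bare OID: "include this attribute/algorithm"
            result.append(("oid", decode_oid(v)))
        elif tag == TAG_SEQUENCE:         # Attribute: OID plus a non-empty SET of values
            parts = children(v)
            if len(parts) != 2 or parts[0][0] != TAG_OID or parts[1][0] != TAG_SET:
                raise ValueError("Attribute must be SEQUENCE { OID, SET }")
            values = children(parts[1][1])
            if not values:
                raise ValueError("Attribute values SET must not be empty")
            result.append(("attr", decode_oid(parts[0][1]),
                           [(t, decode_oid(val) if t == TAG_OID else val) for t, val in values]))
        else:
            raise ValueError("AttrOrOID must be OID or SEQUENCE, got tag 0x%02x" % tag)
    return result


# The CSR attributes bytes from Esko's reply in this thread.
ESKO_DER = bytes.fromhex(
    "30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03 02 "
    "30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07")

# Constructed sample (not Michael's bytes): one Attribute whose type is
# subjectAltName (2.5.29.17) carrying a single UTF8String value "a".
SAN_DER = bytes.fromhex("30 0C 30 0A 06 03 55 1D 11 31 03 0C 01 61")


def esko_example():
    return parse_csr_attrs(ESKO_DER)


def san_example():
    return parse_csr_attrs(SAN_DER)


def rejects_truncated():
    """A response cut short must be refused, not partially accepted."""
    try:
        parse_csr_attrs(ESKO_DER[:-3])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for entry in esko_example():
        print(entry)
    print(san_example(), rejects_truncated())
```

Running the module prints the three DN component OIDs, the ecdsaWithSHA256 OID and the ecPublicKey/prime256v1 Attribute, which matches the decoded listing in Esko's reply; the point of the checks is that a Pledge should treat the Registrar's response as untrusted input and fail closed on anything outside the CsrAttrs grammar.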