Re: [Anima] AUTH48 request for CSR example

Brian Carpenter <brian.e.carpenter@gmail.com> Wed, 14 April 2021 09:04 UTC

References: <20210410172514.1FB5CF407BD@rfc-editor.org> <6001.1618358164@localhost> <AM8P190MB0979E356A70D0CD7EB1B3C82FD4E9@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <AM8P190MB0979E356A70D0CD7EB1B3C82FD4E9@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
From: Brian Carpenter <brian.e.carpenter@gmail.com>
Date: Wed, 14 Apr 2021 21:04:35 +1200
Message-ID: <CANMZLAY0hOrvJfD6aZvvxPOZ_+CWUYK0SUgCmNPBOukhhReLrA@mail.gmail.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Michael Richardson <mcr@sandelman.ca>, Anima WG <anima@ietf.org>, lamps@ietf.org, Mudumbai Ranganathan <mranga@gmail.com>, Toerless Eckert <tte+ietf@cs.fau.de>, "Max Pritikin (pritikin)" <pritikin@cisco.com>, Kent Watsen <kent+ietf@watsen.net>, "Michael H. Behringer" <Michael.H.Behringer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/eeitHn3QwMV6t3Nm3wpacFrGxAc>
Subject: Re: [Anima] AUTH48 request for CSR example

Is this worth the extra delay? A change like this is hardly editorial & I
do not think we want to wait for a mini last call. I am against any
non-essential change.

Regards,
    Brian Carpenter
    (via tiny screen & keyboard)

On Wed, 14 Apr 2021, 20:27 Esko Dijk, <esko.dijk@iotconsultancy.nl> wrote:

> Hi,
>
> It would be a good idea to add a practical example of the CSR attributes
> response. Is there a particular reason to have an example with very little
> content in it, i.e. 1 root-level attribute only?
> In RFC 7030:
>    The structure of the CSR Attributes Response SHOULD, to the greatest
>    extent possible, reflect the structure of the CSR it is requesting.
>
> So I would expect to have a data structure that defines, for example, what
> Subject DN attributes the client should include, or a particular choice of
> crypto system, signature scheme, etc.
> Given the amount of confusion around this particular data structure,
> examples would be good. Or maybe explain why having a "minimal" CSR
> attributes response is a good thing?
> I can imagine it is good if the Registrar puts as few requirements as
> possible on the Pledge on how to structure its CSR and only MUST-have
> fields (like ACP-related ones?) are indicated.
>
> Here is another example:
>
> 30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04
> 03 02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07
>
> SEQUENCE (5 elem)
>   OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
>   OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component)
>   OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
>   OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
>   SEQUENCE (2 elem)
>     OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
>     SET (1 elem)
>       OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
>
> Not sure whether this is better or worse, in terms of usage of CSR
> attributes in practice. But it is at least clearer, from an explanation
> point of view, what this data was intended for.
>
> Esko
>
> -----Original Message-----
> From: Michael Richardson <mcr@sandelman.ca>
> Sent: Wednesday, April 14, 2021 01:56
> To: anima@ietf.org; lamps@ietf.org; Esko Dijk <esko.dijk@iotconsultancy.nl>;
> Mudumbai Ranganathan <mranga@gmail.com>
> Cc: pritikin@cisco.com; tte+ietf@cs.fau.de; Michael.H.Behringer@gmail.com;
> kent+ietf@watsen.net
> Subject: AUTH48 request for CSR example
>
> https://github.com/anima-wg/anima-bootstrap/issues/20 asks me to provide an
> example of a CSR attributes reply.  I have one, it looks like:
>
> obiwan-[files/product/00-D0-E5-F2-00-02](2.6.6) mcr 11413 %openssl asn1parse -in csrattr.der -inform der
>     0:d=0  hl=2 l=  72 cons: SEQUENCE
>     2:d=1  hl=2 l=  70 cons: SEQUENCE
>     4:d=2  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
>     9:d=2  hl=2 l=  63 cons: SET
>    11:d=3  hl=2 l=  61 cons: SEQUENCE
>    13:d=4  hl=2 l=  59 cons: cont [ 1 ]
>    15:d=5  hl=2 l=  57 prim: UTF8STRING        :rfcSELF+fd739fc23c3440112233445500000000+@acp.example.com
>
> I don't know if this worth adding.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>
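
Added example, not part of the thread and not code from any of the participants, the draft or RFC 7030: a small pure-Python DER encoder/decoder for the CsrAttrs structure both messages above are discussing (SEQUENCE OF CHOICE { OID, Attribute }, Attribute = SEQUENCE { type OID, values SET OF ANY }). It rebuilds Esko's hex dump byte for byte from a list of bare OIDs and one Attribute, round-trips Michael's subjectAltName example with the element lengths his openssl asn1parse run printed (72, 70, 3, 63, 61, 59, 57), and rejects truncated input and malformed Attributes instead of reading past the buffer. The tuple notation for values ("oid", "utf8", "seq", "set", "[n]", "raw") and all function names are my own, not from any library; the OIDs and bytes are the ones quoted in the thread.

```python
# Tiny DER encoder/decoder for the EST CsrAttrs structure (RFC 7030 s.4.5.2); added example, not thread code.
#   CsrAttrs  ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
#   AttrOrOID ::= CHOICE { oid OBJECT IDENTIFIER, attribute Attribute }
#   Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
TAG_OID, TAG_UTF8, TAG_SEQ, TAG_SET = 0x06, 0x0C, 0x30, 0x31

def tlv(tag, body):  # DER length: short form below 128, otherwise minimal long form
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def encode_oid(dotted):  # X.690 8.19: first two arcs share one octet, the rest are base 128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return tlv(TAG_OID, bytes(body))

def decode_oid(body):
    first, val = body[0], 0
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):  # -> (tag, body, position after the element); rejects truncation
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) octets hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def children(body):  # split a constructed body into its (tag, body) elements
    out, pos = [], 0
    while pos < len(body):
        t, b, pos = read_tlv(body, pos)
        out.append((t, b))
    return out

def der_set_of(encs):  # X.690 11.6: SET OF members in ascending order of their encoding
    encs = list(encs)
    return b"".join(sorted(encs, key=lambda e: e.ljust(max(map(len, encs)), b"\0")))

def encode_value(node):  # ("oid", dotted) | ("utf8", text) | ("seq"/"set"/"[n]", [nodes])
    kind = node[0]
    if kind == "oid":
        return encode_oid(node[1])
    if kind == "utf8":
        return tlv(TAG_UTF8, node[1].encode("utf-8"))
    tag = {"seq": TAG_SEQ, "set": TAG_SET}.get(kind) or 0xA0 | int(kind[1:-1])  # [n] EXPLICIT
    kids = [encode_value(n) for n in node[1]]
    return tlv(tag, der_set_of(kids) if kind == "set" else b"".join(kids))

def decode_value(tag, body):  # inverse of encode_value; unknown primitives -> ("raw", tag, hex)
    if tag == TAG_OID:
        return ("oid", decode_oid(body))
    if tag == TAG_UTF8:
        return ("utf8", body.decode("utf-8"))
    if not tag & 0x20:
        return ("raw", tag, body.hex())
    name = {TAG_SEQ: "seq", TAG_SET: "set"}.get(tag, f"[{tag & 0x1F}]")
    return (name, [decode_value(t, b) for t, b in children(body)])

def encode_attr(type_oid, values):  # Attribute ::= SEQUENCE { type, SET OF values }
    return tlv(TAG_SEQ, encode_oid(type_oid) + tlv(TAG_SET, der_set_of(map(encode_value, values))))
def encode_csrattrs(items):  # items: ("oid", dotted) or ("attr", type_oid, [value nodes])
    parts = [encode_oid(i[1]) if i[0] == "oid" else encode_attr(*i[1:]) for i in items]
    return tlv(TAG_SEQ, b"".join(parts))

def parse_csrattrs(der):
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("CsrAttrs must be exactly one SEQUENCE with nothing after it")
    items = []
    for tag, inner in children(body):
        if tag == TAG_OID:  # bare OID: "include this attribute" / "use this algorithm"
            items.append(("oid", decode_oid(inner)))
            continue
        parts = children(inner) if tag == TAG_SEQ else []  # Attribute { type, SET OF values }
        if len(parts) != 2 or parts[0][0] != TAG_OID or parts[1][0] != TAG_SET:
            raise ValueError(f"malformed AttrOrOID (tag 0x{tag:02x})")
        values = [decode_value(t, b) for t, b in children(parts[1][1])]
        items.append(("attr", decode_oid(parts[0][1]), values))
    return items

ESKO_DER = bytes.fromhex(  # Esko's bytes, copied from the thread
    "30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04"
    " 03 02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07")
ESKO_ITEMS = [("oid", "2.5.4.3"), ("oid", "2.5.4.5"), ("oid", "2.5.4.10"),  # CN, serialNumber, O
              ("oid", "1.2.840.10045.4.3.2"),  # ecdsaWithSHA256
              ("attr", "1.2.840.10045.2.1", [("oid", "1.2.840.10045.3.1.7")])]  # ecPublicKey: P-256
MCR_ITEMS = [("attr", "2.5.29.17", [("seq", [("[1]", [  # Michael's subjectAltName, from asn1parse
    ("utf8", "rfcSELF+fd739fc23c3440112233445500000000+@acp.example.com")])])])]
```

encode_csrattrs(ESKO_ITEMS) returns exactly ESKO_DER, and parse_csrattrs(ESKO_DER) gives ESKO_ITEMS back; the bytes produced for MCR_ITEMS can be fed to `openssl asn1parse -inform der` to compare with Michael's output. The item list passed to encode_csrattrs is the registrar's policy for the pledge's CSR, so the one-attribute reply and Esko's richer one (DN components, signature algorithm, curve) differ only in that list; a bare OID asks for the attribute or algorithm without constraining its value, an Attribute pins the value.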