Re: [Anima] BRSKI#43, serial-number

Toerless Eckert <tte@cs.fau.de> Thu, 03 September 2020 17:01 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 775DF3A10D0 for <anima@ietfa.amsl.com>; Thu, 3 Sep 2020 10:01:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WcFTh9kSgTW5 for <anima@ietfa.amsl.com>; Thu, 3 Sep 2020 10:01:05 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98C333A10C7 for <anima@ietf.org>; Thu, 3 Sep 2020 10:01:05 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id E77A654860F; Thu, 3 Sep 2020 19:00:59 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id DF6B6440059; Thu, 3 Sep 2020 19:00:59 +0200 (CEST)
Date: Thu, 3 Sep 2020 19:00:59 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "anima@ietf.org" <anima@ietf.org>
Message-ID: <20200903170059.GA21861@faui48f.informatik.uni-erlangen.de>
References: <20200901112112.GA15609@faui48f.informatik.uni-erlangen.de> <21905.1599011029@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <21905.1599011029@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/oOH8wxKb-Q--ac6N1d9Euyhb4ug>
Subject: Re: [Anima] BRSKI#43, serial-number
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2020 17:01:09 -0000

inline..

a) Wrt. X.520: From ITU's page:

| This text was produced through a joint activity with ISO and IEC. 
| According to the agreement with our partners, this document is only available through payment.

Of course, ITU shouldn't enter into such partnership, but given how common
public-private partnerships are in western governments, its hardly unusual.

Given how all certificate work in IETF is based off X.500 certificates, it would be
a great job for the IETF/ITU-T liaison to see how IETF work could get free access
to the according ITU-T documents.

b) I am confused about your text up to the diff -24 to -43. Is there an executive
   summary how this relates to the issue i brought up ?

c) Of course, you are welcome trying to avoid X.520 and instead step into X520SerialNumber,
   so your diff is fine to me.

   [ The fixes i am proposing to Ben re serialNumber in ACP
     will attempt to avoid X520SerialNumber because i don't even understand how this
     explicit tagging works and no CLI/document has ever used these terms
     (except for the ASN.1 rfcs about them].

d) I am mostly wondering if/how changes like this would go into the final BRSKI RFC
   given its state in RFC editor queue. I don't understand what type of text
   fixes will be accepted as just editorial, not requiring the whole shebang of
   IETF process steps we're just doing for the other BRSKI fix....

Cheers
    Toerless

> I seem to remember requests for clarification many months, and I wonder if it
> was part of a different piece.
>     https://mailarchive.ietf.org/arch/msg/anima/mBNQoRCTECyQ0G-D9AnEWgLaHUc/
>     https://mailarchive.ietf.org/arch/msg/anima/vpItLADnu-2Ea-uB0A9fHjia4hw
> 
> confusingly, we discussed rfc5280 4.2.1.2 a bunch, but not 4.1.2.2.
> It looks like as a result of the thread starting at:
> ** https://mailarchive.ietf.org/arch/msg/anima/oR0POVwZ24EZEVD3S4XCXdNmtSE/
> and specifically https://mailarchive.ietf.org/arch/msg/anima/8Ys6ctjFeyINat_BGg860b04I3E/
> That made me rewrite that section, and it appears that I did too quick a
> search of RFC5280.
> 
> It's a tribute to this Internet thing we built that the tinyurl.com in the **
> noted email leads to:
>   https://www.ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-24&url2=https://raw.githubusercontent.com/anima-wg/anima-bootstrap/master/dtbootstrap-anima-keyinfra.txt
> 
> Which works great, and show you the text that got replaced.
> However, the above link will likely give you a different result as I'm about
> to push the fix to the fix.
> 
> Try, instead:
>   https://www.ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-24&url2=draft-ietf-anima-bootstrapping-keyinfra-43


> Toerless Eckert <tte@cs.fau.de> wrote:
>     > BRSKI section 2.3.1:
> 
>     > | The serialNumber field is defined in [RFC5280].  That specification
>     > | allows for the field to be omitted if there is a good technical
>     > | reason.  IDevID certificates for use with this protocol are REQUIRED
>     > | to include the "serialNumber" attribute with the device's unique
>     > | serial number (from [IDevID] section 7.2.8, and [RFC5280] section
>     > | 4.1.2.2's list of standard attributes).
> 
>     > The serialNumber field defined in [RFC5280] 4.1.2.2 is not the subject
>     > DN serialNumber (a string) that we want to talk about, but the certificate serial
>     > number (a number). That serialNumber string is actually defined in [X.520],
>     > for which BRSKI does unfortunately not have a reference. See for example
>     > [RFC4519] used in BRSKI as an example for a serialNumber, it point correctly
>     > to [X.520].
> 
> X.520 is behind an impossible to use paywall. From what I can tell, it's
> actually run on a for-profit basis within each national boundary, and the one
> within my national boundary is incompetent.
> I am of the opinion that the ITU is violating the UN convention on human
> rights when they do this.
> So, to me, any X520 reference will result in less understanding rather than more.

On Tue, Sep 01, 2020 at 09:43:49PM -0400, Michael Richardson wrote:
> 
> I find the text in 2.3.1 paragraph two of BRSKI, which you quote to be startlingly wrong.
> As you say, that's not the id-at-serialNumber we were looking for, and the
> one we want is defined in RFC5280 as X520SerialNumber.
> 
> The example of RFC4519, section 2.31 is a correct reference.
> 
>     > Aka: I am not sure exactly what the minimum editorial fix is:
> 
>     > "The serialNumber field is defined in [RFC5280]"
> 
>     > This is AFAIK not correct unless A.1 definition of X520SerialNumber can
>     > be represented as definition of serialNumber. More easily, serialNumber is
>     > defined in [X.520]
> 
>     > "and [RFC5280] section 4.1.2.2's list of standard attributes"
> 
>     > this is wrong.
> 
>     > "and [RFC5280] section A.1's list of standard attributes"
> 
> https://github.com/anima-wg/anima-bootstrap/commit/c7a7eb46e78d761c5cb0f50a9dfa95f820d74b99
> 
> commit c7a7eb46e78d761c5cb0f50a9dfa95f820d74b99
> Author: Michael Richardson <mcr@sandelman.ca>
> Date:   Tue Sep 1 21:25:05 2020 -0400
> 
>     fix section 2.3.1 to point at X520SerialNumber
> 
> diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml
> index d655d69..9739945 100644
> --- a/dtbootstrap-anima-keyinfra.xml
> +++ b/dtbootstrap-anima-keyinfra.xml
> @@ -799,18 +799,24 @@ INSERT_TEXT_FROM_FILE component-diagram.txt END
>            </t>
> 
>            <t>
> -            The serialNumber field is defined in <xref target="RFC5280" />.
> -            That specification allows for the field to be omitted if there is
> -            a good technical reason. IDevID certificates for use
> -            with this protocol are REQUIRED to include the "serialNumber" attribute with the device's
> -            unique serial number
> -            (from <xref target="IDevID" /> section 7.2.8, and
> -            <xref target="RFC5280" /> section 4.1.2.2's list of standard
> -            attributes).
> -          </t>
> -          <t>
> -            The serialNumber field is used as follows by the pledge to build the
> -            "serial-number" that is placed in the voucher-request.
> +            There is a (certificate) serialNumber field is defined in <xref
> +            target="RFC5280" /> section 4.1.2.2.  In the ASN.1, this is
> +            referred to as the CertificateSerialNumber.  This field is NOT
> +            relevant to this specification.  Do not confuse this field with
> +            the "serial-number" defined by this document, or by
> +            <xref target="IDevID" /> and <xref target="RFC4519" /> section
> +            2.31.
> +          </t>
> +
> +          <t>
> +            The device serial number is defined in <xref target="RFC5280" />
> +            section A.1 and A.2 as the X520SerialNumber, with the OID tag
> +            id-at-serialNumber.
> +          </t>
> +          <t>
> +            The device serial number field (X520SerialNumber) is used as
> +            follows by the pledge to build the "serial-number" that is placed
> +            in the voucher-request.
>              In order to build it, the fields need to be converted into a
>              serial-number of "type string".
>            </t>
> @@ -821,8 +827,7 @@ INSERT_TEXT_FROM_FILE component-diagram.txt END
>            </t>
>            <t>
>              Due to the reality of existing device identity provisioning
> -            processes, some
> -            manufacturers have stored serial-numbers in other
> +            processes, some manufacturers have stored serial-numbers in other
>              fields. Registrar's SHOULD be configurable, on a per-manufacturer
>              basis, to look for serial-number equivalents in other fields.
>            </t>
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 



> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima


-- 
---
tte@cs.fau.de