IETF Logo Mail Archive

Re: [apps-discuss] [pkix] PKIX text encodings

"Miller, Timothy J." <tmiller@mitre.org> Mon, 30 January 2012 13:06 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3047921F86D1; Mon, 30 Jan 2012 05:06:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level:
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffY4rm1sEeSZ; Mon, 30 Jan 2012 05:06:28 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 783BB21F86C4; Mon, 30 Jan 2012 05:06:28 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id C964421B0926; Mon, 30 Jan 2012 08:06:27 -0500 (EST)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id BABB721B094C; Mon, 30 Jan 2012 08:06:27 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.10]) by IMCCAS02.MITRE.ORG ([129.83.29.79]) with mapi id 14.01.0339.001; Mon, 30 Jan 2012 08:06:27 -0500
From: "Miller, Timothy J." <tmiller@mitre.org>
To: "mrex@sap.com" <mrex@sap.com>, Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: [pkix] PKIX text encodings
Thread-Index: AQHM3VUNcMLmsjko+UWci5xLcgDxQpYk1JcA
Date: Mon, 30 Jan 2012 13:06:26 +0000
Message-ID: <CB4BF105.3DF9%tmiller@mitre.org>
In-Reply-To: <201201280037.q0S0bjqe004577@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.14.0.111121
x-originating-ip: [172.31.0.115]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0E6AEC8B15E8824ABDABAAF9370EC85B@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 30 Jan 2012 08:03:36 -0800
Cc: "simon@josefsson.org" <simon@josefsson.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [apps-discuss] [pkix] PKIX text encodings
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2012 13:06:29 -0000

> Any reasonable ASN.1 decoder can reliably tell apart [...]


While any ASN.1 decoder + a little logic can discern one ASN.1 encoded
object from another, it would *really* help *non-decoding* applications to
have simple magic numbers when serializing ASN.1 to a file.

This has been a long-standing pet peeve of mine since I was asked to write
a scanner to find PKCS#12 files.  There's enough variation in encoding
that it's a real PITA to do a lightweight decode and still have a
reasonable false positive rate.

-- T

On 1/27/12 6:37 PM, "Martin Rex" <mrex@sap.com> wrote:

>Paul Hoffman wrote:
>> 
>> Martin Rex wrote:
>> >
>> > the Label that is used within '-----BEGIN <some-label>----'
>> > should be ignored on the receiver side, and all implemented formats
>> > should be tried, that are applicable for the requested operation.
>> 
>> This would cause things like private keys and public keys to be mixed
>>up.
>
>Not necessarily.  If your ASN.1 decoder can not distinguish your private
>from your public key, then you have a whole different kind of problem.
>
>
>>
>> I propose this is not a good idea from a security perspective.
>
>Huh?  That textual label is not integrity protected in any way,
>so how should this be a security problem?
>
>This is really only about convenience for admins.
>
>
>>
>> Instead, Simon might add some text saying that some applications
>> sometimes ignore the label in order to be more liberal, but in doing
>> so can cause problems with systems that assume those labels are
>>important.
>
>HUH?  How could being liberal on *INPUT* possibly cause problems?
>
>Any reasonable ASN.1 decoder can reliably tell apart
>  - X.509 certificates
>  - private keys
>  - encrypted private keys
>  - pkcs10 requests
>  - crls
>  - pkcs7/cms 
>  - pkcs7/cms as certificate bag
>  - pkcs7/cms as crl bag
>  - pkcs12
>
>So any implementation that is ignoring the explicit label, will have to
>use the implicit label from successfuly ASN.1 decode of the types
>of objects that are applicable for the requested operation.
>
>
>Microsoft seems to ignore the label.  If you double-click on
>a pkcs7 file (extension .p7s or .p7b) it will be PEM-decoded independent
>of what label is used.  Same for certificate (.cer).
>
>
>I find it much more confusing when only a few, but non-unique labels
>are accepted:
>OpenSSL seems to accept certs with "X509 CERTIFICATE" and "CERTIFICATE"
>and PKCS7 as "PKCS7" or "CERTIFICATE" but _not_ "X509 CERTIFICATE"
>
>
>> 
>> Just a thought: we define *new* labels that do what we think everyone
>> should do, such as multiple items in the block. There would not be much
>> uptake on those new labels in the short run, but could become the
>> standard 20 years from now.
>
>For OUTPUT we should try to find an reuse the most commonly used label,
>because the installed base is going to be with us another 10+ years.
>
>
>-Martin
>_______________________________________________
>pkix mailing list
>pkix@ietf.org
>https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email