IETF Logo Mail Archive

Re: [Netconf] PKCS7 --> CMS

Kent Watsen <kwatsen@juniper.net> Wed, 07 February 2018 01:45 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B961B12D859 for <netconf@ietfa.amsl.com>; Tue, 6 Feb 2018 17:45:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.195
X-Spam-Level:
X-Spam-Status: No, score=-1.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LTGGJvBIJIsg for <netconf@ietfa.amsl.com>; Tue, 6 Feb 2018 17:44:59 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0F3E12DA0A for <netconf@ietf.org>; Tue, 6 Feb 2018 17:44:58 -0800 (PST)
Received: from pps.filterd (m0108158.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w171hwLi009385; Tue, 6 Feb 2018 17:44:58 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=OLw896Thj9ksGZovhJ7AQnSRLSIQGJPt4ZP/Br3BPIA=; b=OOcaiIHcQiuKLPbXaR845kO+IlfA9RHq5xfauEtRhd+58T5ooBVR6hBCy6k0VgeIWylc +8RkMj2G9gDJf68/CrbXz+Cxo2ONzkkDYqmDBySrOogtxII+82qOXl8gN04YyXsP8rTQ vPTO/kNdhmxHiuT/Gv/AbppVls5yihtT5cKZvxWbTI4O9cFjJzLxIFpV48/OKNSBfefV CqWo4AdHkPu/pQMXhiMLaBn8rSLNNAut2NUgFYmLrWiCCkmgnLFf6pkEEZ3WpHfyitbh OJio8iCgOShTs/Cp0DpwT6zFnm0AdLqqWuvSzIQBDKuzQjmjEnr68b4UfCBmVsInNanQ ng==
Received: from nam01-bn3-obe.outbound.protection.outlook.com (mail-bn3nam01lp0177.outbound.protection.outlook.com [216.32.180.177]) by mx0a-00273201.pphosted.com with ESMTP id 2fyp5u8674-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 06 Feb 2018 17:44:58 -0800
Received: from DM5PR05MB3484.namprd05.prod.outlook.com (10.174.240.147) by DM5PR05MB3305.namprd05.prod.outlook.com (10.174.191.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.485.3; Wed, 7 Feb 2018 01:44:55 +0000
Received: from DM5PR05MB3484.namprd05.prod.outlook.com ([10.174.240.147]) by DM5PR05MB3484.namprd05.prod.outlook.com ([10.174.240.147]) with mapi id 15.20.0485.009; Wed, 7 Feb 2018 01:44:55 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Russ Housley <housley@vigilsec.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: PKCS7 --> CMS
Thread-Index: AQHTn2r+sWuRsc2AIUqmrIh1BY2swKOXpbyA///c+YCAAFWlgP///4CA
Date: Wed, 07 Feb 2018 01:44:55 +0000
Message-ID: <DD42F58C-DC7D-4414-9CE0-6DEA26DC06EA@juniper.net>
References: <8616F4BC-65CE-4187-8135-C5DF4C83D924@juniper.net> <DD343969-332F-46AF-8637-3D5B757B5EB1@vigilsec.com> <939B57F5-C38D-4E95-BDC1-FC01FA06DB97@juniper.net> <46D20605-3B0A-4BA9-8186-625D0FDB9D30@vigilsec.com>
In-Reply-To: <46D20605-3B0A-4BA9-8186-625D0FDB9D30@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3305; 7:wz592jX9uzlNSywbr89bAHNCzvtNXzksE1NyeDq18uFW3vti1pPeI7dZlteMkVlkTw3a4dB8Gv41BknhOIq1CNpq+wKOH7qe8fXXwgRvKN1lFMw+7YeD7IaMDgki8BMmb/BBEQWu3B4STqhvP7a2lorNz8kEIDpOUzePzMRITuwyKyH+QNUQuENeVJ1e3h5RokSMvFAniTummAAFqF8uks2CtMaWPVQ6Pb8jFrKZ/8MMcQihPOiQ9Oi3I9HvWntE
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 1252abbd-84bf-4d7d-4c3c-08d56dcc63e2
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:DM5PR05MB3305;
x-ms-traffictypediagnostic: DM5PR05MB3305:
x-microsoft-antispam-prvs: <DM5PR05MB3305616C1F577044DB1F73D7A5FC0@DM5PR05MB3305.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(138986009662008);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(3002001)(10201501046)(3231101)(2400082)(944501161)(93006095)(93001095)(6055026)(6041288)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:DM5PR05MB3305; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3305;
x-forefront-prvs: 0576145E86
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(39380400002)(366004)(376002)(39860400002)(189003)(199004)(377424004)(478600001)(33656002)(3660700001)(6486002)(3280700002)(5660300001)(305945005)(25786009)(7736002)(6916009)(2906002)(8676002)(86362001)(6246003)(4326008)(229853002)(66066001)(53936002)(81166006)(186003)(81156014)(3846002)(105586002)(6116002)(6512007)(6506007)(68736007)(83506002)(99286004)(77096007)(82746002)(8936002)(97736004)(102836004)(6436002)(83716003)(36756003)(26005)(59450400001)(76176011)(53546011)(6346003)(2900100001)(2950100002)(106356001)(93886005)(58126008)(14454004)(316002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3305; H:DM5PR05MB3484.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: FNTLrgL+ka7pMVXE3Va4z7pXFeutaNXM0wswxNokkFTRIndozZ4LzW+8qep0aVIF7IPHJ7eIjEwM3caKUeV56g==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <0872B139EF1C5741BC4675FF3ACFF4CE@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 1252abbd-84bf-4d7d-4c3c-08d56dcc63e2
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2018 01:44:55.8542 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3305
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-07_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802070018
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/_34BSARpsD4L9vb8BR5mDzSBkLs>
Subject: Re: [Netconf] PKCS7 --> CMS
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 01:45:01 -0000

Hi Russ,

Drilling down a little, I can imagine us defining a couple content types:

	id-ct-zerotouchInformationXML
	id-ct-zerotouchInformationJSON

But, in both cases, the "content" would be just an octet string (i.e.,
an XML or JSON encoded document).  In particular, we would not define
an ASN.1 structure to represent the "zerotouch information" structure.

Is defining two types such as above the expectation or, since it's
just an octet string, perhaps we should use "id-data"?  RFC 5652
section 4 says this about the 'data' type (I added the quotes):

   "The 'data' content type is intended to refer to arbitrary octet
   strings, such as ASCII text files; the interpretation is left to the
   application.  Such strings need not have any internal structure
   (although they could have their own ASN.1 definition or other
   structure)."

Or, do you think we should look to do something even more generic,
such as:

	id-ct-YangEncodedData

      YangEncodedData {
        moduleName           string        // e.g., "ietf-zerotouch-information"
        moduleRevision       string        // e.g., "2017-12-09"
        encoding             enum          // XML, JSON, etc.
        data                 octet string  // the YANG-encoded data
      }

Which would allow for the brokering of any YANG data.  Such a type 
could've, for instance, also been used by the ANIMA voucher draft.

Thoughts?  - anyone?

Kent



===== original message =====

Kent:

Yes.  This is the approach takes for signed firmware packages in RFC 4108.

Russ


> On Feb 6, 2018, at 3:40 PM, Kent Watsen <kwatsen@juniper.net> wrote:
> 
> Russ,
> 
> I like it.  I didn't know that it was possible to set the top-level content
> type value like that.  Is the net-result still considered a CMS structure?
> 
> Thanks,
> Kent
> 
> 
> ===== original message =====
> 
> I suggest that ContentInfo is always present, then for the signed case:
> 
>      ContentInfo {
>        contentType          id-signedData, -- (1.2.840.113549.1.7.2)
>        content              SignedData
>      }
> 
>      SignedData {
>        version              CMSVersion, -- always set to 3
>        digestAlgorithms     DigestAlgorithmIdentifiers, -- Only one
>        encapContentInfo     EncapsulatedContentInfo,
>        certificates         CertificateSet, -- Signer cert. path
>        crls                 CertificateRevocationLists, -- Optional
>        signerInfos          SET OF SignerInfo -- Only one
>      }
> 
>      SignerInfo {
>        version              CMSVersion, -- always set to 3
>        sid                  SignerIdentifier,
>        digestAlgorithm      DigestAlgorithmIdentifier,
>        signedAttrs          SignedAttributes, -- Required
>        signatureAlgorithm   SignatureAlgorithmIdentifier,
>        signature            SignatureValue,
>        unsignedAttrs        UnsignedAttributes -- Optional
>      }
> 
>      EncapsulatedContentInfo {
>        eContentType         <your-netconf-content-type>
>        eContent             OCTET STRING
>      }                            -- Contains the content
> 
> The unsigned case:
> 
>      ContentInfo {
>        contentType          <your-netconf-content-type>
>        content              -- Contains the content
>      }
> 
> Russ
> 
> 
>> On Feb 6, 2018, at 11:53 AM, Kent Watsen <kwatsen@juniper.net> wrote:
>> 
>> Hi Russ,
>> 
>> I'm looking into switching from PKCS7 to CMS change in the NETCONF
>> zerotouch draft.  This update would be similar to the change to the
>> ANIMA voucher draft.  However, I noticed that RFC 5652 says in 
>> Section 5.2:
>> 
>>  "In the degenerate case where there are no signers, the
>>  EncapsulatedContentInfo value being "signed" is irrelevant.  In this
>>  case, the content type within the EncapsulatedContentInfo value being
>>  "signed" MUST be id-data (as defined in Section 4), and the content
>>  field of the EncapsulatedContentInfo value MUST be omitted."
>> 
>>  Note, this text is similar to the last paragraph in RFC 2315 Section 
>>  9.1, though there it is just a "recommendation" that the value be
>>  omitted.
>> 
>> This is a problem for the NETCONF zerotouch draft, where we currently
>> have a PKCS7 object that is sometimes signed.  We choose this approach
>> because then, in all cases, a PKCS7 object is being communicated.  But
>> it's no longer allowed in CMS?
>> 
>> Questions:
>> 
>> 1) Can the zerotouch draft explicitly allow the "eContent" field 
>>  again for the degenerate case?
>> 
>> 2) If having a eContent value for the degenerate case is no longer
>>  allowed, can we use it as grounds for not migrating to CMS?
>> 
>> 3) Are there any other generic "envelop" structure that can be 
>>  "sometimes signed"?
>> 
>> 
>> Thanks,
>> Kent
>> 
>> 
>> 
> 
> 
>

v2.23.0 | Report a Bug | By Email