[Netconf] PKCS7 --> CMS

Kent Watsen <kwatsen@juniper.net> Tue, 06 February 2018 16:53 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Russ Housley <housley@vigilsec.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 06 Feb 2018 16:53:21 +0000
Message-ID: <8616F4BC-65CE-4187-8135-C5DF4C83D924@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/bQ2Sor3eVtNCYHp61jUPmQwwNOE>

Hi Russ,

I'm looking into switching from PKCS7 to CMS in the NETCONF
zerotouch draft.  This update would be similar to the change to the
ANIMA voucher draft.  However, I noticed that RFC 5652 says in 
Section 5.2:

   "In the degenerate case where there are no signers, the
   EncapsulatedContentInfo value being "signed" is irrelevant.  In this
   case, the content type within the EncapsulatedContentInfo value being
   "signed" MUST be id-data (as defined in Section 4), and the content
   field of the EncapsulatedContentInfo value MUST be omitted."

   Note, this text is similar to the last paragraph in RFC 2315 Section 
   9.1, though there it is just a "recommendation" that the value be
   omitted.

This is a problem for the NETCONF zerotouch draft, where we currently
have a PKCS7 object that is sometimes signed.  We chose this approach
because then, in all cases, a PKCS7 object is being communicated.  But
it's no longer allowed in CMS?

Questions:

1) Can the zerotouch draft explicitly allow the "eContent" field 
   again for the degenerate case?

2) If having an eContent value for the degenerate case is no longer
   allowed, can we use it as grounds for not migrating to CMS?

3) Are there any other generic "envelope" structures that can be 
   "sometimes signed"?


Thanks,
Kent
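Added example (mine, not part of Kent's message, the zerotouch draft, or any CMS library): a stdlib-only check for the RFC 5652 Section 5.2 rule quoted above, applied to a SignedData whose DER is constructed inline. The third case below uses an empty SEQUENCE as a placeholder signer, not a real SignerInfo, only to show the rule stops applying once signerInfos is non-empty.

```python
# Constructed example: minimal DER reader + builder to exercise the RFC 5652 5.2 rule.
OID_DATA = bytes.fromhex("2a864886f70d010701")         # id-data 1.2.840.113549.1.7.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2

def _length(n: int) -> bytes:
    """DER definite length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value

def parse_tlvs(buf: bytes) -> list:
    """Split a DER buffer into (tag, value) pairs; definite lengths only."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def build_signed_data(e_content, signer_infos: bytes = b"") -> bytes:
    """ContentInfo{id-signedData, [0] SignedData}; e_content=None omits eContent."""
    encap = tlv(0x06, OID_DATA)                        # eContentType = id-data
    if e_content is not None:
        encap += tlv(0xA0, tlv(0x04, e_content))       # eContent [0] EXPLICIT OCTET STRING
    signed_data = (tlv(0x02, b"\x01") + tlv(0x31, b"")            # version 1, empty digestAlgorithms
                   + tlv(0x30, encap) + tlv(0x31, signer_infos))  # encapContentInfo, signerInfos SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed_data)))

def check_degenerate_case(der: bytes):
    """Return (ok, reason); the Section 5.2 MUSTs apply only when signerInfos is empty."""
    (_, content_info), = parse_tlvs(der)
    (_, ctype), (_, explicit0) = parse_tlvs(content_info)
    if ctype != OID_SIGNED_DATA:
        return False, "not a SignedData"
    (_, signed_data), = parse_tlvs(explicit0)
    fields = parse_tlvs(signed_data)       # version, digestAlgs, encap, [certs], [crls], signerInfos
    encap = parse_tlvs(fields[2][1])
    if parse_tlvs(fields[-1][1]):          # signerInfos is always the last field
        return True, "has signers; degenerate-case rule does not apply"
    if encap[0][1] != OID_DATA:
        return False, "degenerate case but eContentType is not id-data"
    if len(encap) > 1:
        return False, "degenerate case but eContent is present (MUST be omitted)"
    return True, "degenerate case: id-data with eContent omitted"
```

The second case is exactly the zerotouch shape the message describes (unsigned object carried as eContent), which the check rejects under CMS while the PKCS7 text only recommended against it.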