IETF Logo Mail Archive

Re: [Netconf] PKCS7 --> CMS

Kent Watsen <kwatsen@juniper.net> Tue, 06 February 2018 20:40 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B723212D871 for <netconf@ietfa.amsl.com>; Tue, 6 Feb 2018 12:40:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.194
X-Spam-Level:
X-Spam-Status: No, score=-1.194 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D48P-esGkr7h for <netconf@ietfa.amsl.com>; Tue, 6 Feb 2018 12:40:15 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6A1212D870 for <netconf@ietf.org>; Tue, 6 Feb 2018 12:40:14 -0800 (PST)
Received: from pps.filterd (m0108160.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w16KdMkB017153; Tue, 6 Feb 2018 12:40:14 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=+yzEZmxvLIq7KgBRREm9G66zwr/yC5OmNVs33zpHdjA=; b=EJt1iOBOTCaHdE0xW5OUrhTNUwXyVu2B6tmGVfDNNnJ6U5wyZYNLCSesxQ0HynpXAXX/ 8OefM7OXwQOFwJRd+3wL3g8RryyrsTJ5MA9FwRoQSQxu2NSIHePeDl+b/UZZ0jLkyfem Q85x6zUyn8IrdIrbDA/evdC8UQqUZepa70w0+uQHNRFO1tge4opL9x5/QX4lyZdzrKHG t6GMoQW33NN/BrtbzkteRsjslj1jyZ7gwGA+JF8t6yAMXxvcCC7YGofTmJHpVExkwS5X EohQFx/I5J1dzLvLsNH4MRprt5g4zD+RnERNQDoKihl8M0tYVXl5CwVpYqi152Yg0zvz kQ==
Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp0054.outbound.protection.outlook.com [216.32.180.54]) by mx0b-00273201.pphosted.com with ESMTP id 2fyk9v00ym-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 06 Feb 2018 12:40:13 -0800
Received: from DM5PR05MB3484.namprd05.prod.outlook.com (10.174.240.147) by DM5PR05MB3002.namprd05.prod.outlook.com (10.168.177.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.485.3; Tue, 6 Feb 2018 20:40:11 +0000
Received: from DM5PR05MB3484.namprd05.prod.outlook.com ([10.174.240.147]) by DM5PR05MB3484.namprd05.prod.outlook.com ([10.174.240.147]) with mapi id 15.20.0485.009; Tue, 6 Feb 2018 20:40:11 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Russ Housley <housley@vigilsec.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: PKCS7 --> CMS
Thread-Index: AQHTn2r+sWuRsc2AIUqmrIh1BY2swKOXpbyA///c+YA=
Date: Tue, 06 Feb 2018 20:40:11 +0000
Message-ID: <939B57F5-C38D-4E95-BDC1-FC01FA06DB97@juniper.net>
References: <8616F4BC-65CE-4187-8135-C5DF4C83D924@juniper.net> <DD343969-332F-46AF-8637-3D5B757B5EB1@vigilsec.com>
In-Reply-To: <DD343969-332F-46AF-8637-3D5B757B5EB1@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3002; 7:ZzRQ0wMw2qgAL9QGskovu6LFPUkcQIXxCZd6/DT/6bg5BT0cHGZlzppxqm4euBd6zYZ6J8ZLGvvTmj+YMpH3e1E2SQT6Cb0J2lNk2dcnyJGwBvCdAQk1eZ3OIa85rF6XEuhHqlYwcE5uHRRz4uR8YIJkRONri0PQJdjGSXhitrS1ITro3vsMrBm3JkX83jaF1uJzHn0lGWkpzpj5KdB5EWcHUm3eAQ/WFsAzK6hIYYMfvIkgBPGNfc4sVdvqf9io
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 5f2a6146-8ab9-4fca-5889-08d56da1d175
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:DM5PR05MB3002;
x-ms-traffictypediagnostic: DM5PR05MB3002:
x-microsoft-antispam-prvs: <DM5PR05MB300252CA1F7F2C1C089981DAA5FD0@DM5PR05MB3002.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(138986009662008);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(3002001)(3231101)(2400082)(944501161)(10201501046)(93006095)(93001095)(6055026)(6041288)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(6072148)(201708071742011); SRVR:DM5PR05MB3002; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3002;
x-forefront-prvs: 0575F81B58
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39850400004)(366004)(346002)(39380400002)(376002)(199004)(189003)(102836004)(316002)(33656002)(3660700001)(5660300001)(6436002)(82746002)(58126008)(186003)(97736004)(105586002)(3280700002)(8676002)(77096007)(76176011)(53936002)(14454004)(3846002)(66066001)(26005)(2900100001)(83716003)(99286004)(6506007)(53546011)(6512007)(59450400001)(6246003)(86362001)(6116002)(478600001)(2906002)(81166006)(81156014)(83506002)(229853002)(7736002)(6916009)(2950100002)(25786009)(68736007)(6486002)(8936002)(106356001)(305945005)(4326008)(36756003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3002; H:DM5PR05MB3484.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: q2KOpcRyRY76OyjVeaq+nliP38OtSB7YWmzHuVF/OWIxKhWHO2/qNYtu34qMmzqq7sBb/QXOXmPjq5NxIfLH+w==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <2D74C62D96C0F147940BDAE7347863A6@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 5f2a6146-8ab9-4fca-5889-08d56da1d175
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Feb 2018 20:40:11.3927 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3002
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-06_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802060258
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/hetiCC_faCPM1zvAC0IMVcCBB-0>
Subject: Re: [Netconf] PKCS7 --> CMS
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 20:40:17 -0000

Russ,

I like it.  I didn't know that it was possible to set the top-level content
type value like that.  Is the net-result still considered a CMS structure?

Thanks,
Kent


===== original message =====

I suggest that ContentInfo is always present, then for the signed case:

      ContentInfo {
        contentType          id-signedData, -- (1.2.840.113549.1.7.2)
        content              SignedData
      }

      SignedData {
        version              CMSVersion, -- always set to 3
        digestAlgorithms     DigestAlgorithmIdentifiers, -- Only one
        encapContentInfo     EncapsulatedContentInfo,
        certificates         CertificateSet, -- Signer cert. path
        crls                 CertificateRevocationLists, -- Optional
        signerInfos          SET OF SignerInfo -- Only one
      }

      SignerInfo {
        version              CMSVersion, -- always set to 3
        sid                  SignerIdentifier,
        digestAlgorithm      DigestAlgorithmIdentifier,
        signedAttrs          SignedAttributes, -- Required
        signatureAlgorithm   SignatureAlgorithmIdentifier,
        signature            SignatureValue,
        unsignedAttrs        UnsignedAttributes -- Optional
      }

      EncapsulatedContentInfo {
        eContentType         <your-netconf-content-type>
        eContent             OCTET STRING
      }                            -- Contains the content

The unsigned case:

      ContentInfo {
        contentType          <your-netconf-content-type>
        content              -- Contains the content
      }

Russ


> On Feb 6, 2018, at 11:53 AM, Kent Watsen <kwatsen@juniper.net> wrote:
> 
> Hi Russ,
> 
> I'm looking into switching from PKCS7 to CMS change in the NETCONF
> zerotouch draft.  This update would be similar to the change to the
> ANIMA voucher draft.  However, I noticed that RFC 5652 says in 
> Section 5.2:
> 
>   "In the degenerate case where there are no signers, the
>   EncapsulatedContentInfo value being "signed" is irrelevant.  In this
>   case, the content type within the EncapsulatedContentInfo value being
>   "signed" MUST be id-data (as defined in Section 4), and the content
>   field of the EncapsulatedContentInfo value MUST be omitted."
> 
>   Note, this text is similar to the last paragraph in RFC 2315 Section 
>   9.1, though there it is just a "recommendation" that the value be
>   omitted.
> 
> This is a problem for the NETCONF zerotouch draft, where we currently
> have a PKCS7 object that is sometimes signed.  We choose this approach
> because then, in all cases, a PKCS7 object is being communicated.  But
> it's no longer allowed in CMS?
> 
> Questions:
> 
> 1) Can the zerotouch draft explicitly allow the "eContent" field 
>   again for the degenerate case?
> 
> 2) If having a eContent value for the degenerate case is no longer
>   allowed, can we use it as grounds for not migrating to CMS?
> 
> 3) Are there any other generic "envelop" structure that can be 
>   "sometimes signed"?
> 
> 
> Thanks,
> Kent
> 
> 
>

v2.23.0 | Report a Bug | By Email