Re: [pkix] Why is the crlNumber an OCTET STRING?

Russ Housley <housley@vigilsec.com> Tue, 20 April 2021 22:04 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <1618955894307.55564@cs.auckland.ac.nz>
Date: Tue, 20 Apr 2021 18:04:32 -0400
Cc: IETF PKIX <pkix@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/0easJLxKffxbWDLTvYbK650w5cA>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?


> On Apr 20, 2021, at 5:58 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Russ Housley <housley@vigilsec.com> writes:
> 
>> I see nothing about an OCTET STRING ...
> 
> If it's 20 bytes it's an OCTET STRING dressed up as an INTEGER, not a real
> INTEGER.  In particular, if it's something where you'd need to issue 18
> quintillion, 446 quadrillion, 744 trillion, 73 billion, 709 million, 551
> thousand and 615 CRLs to exceed the capacity of an actual integer value
> (assuming 64-bit) then there's something else going on, which is what I was
> trying to find out.  It's not a "monotonically increasing sequence number" any
> more because it's not possible to issue that many CRLs, so what is it?

I do not read it that way at all.  It is saying that relying parties need to be able to handle INTEGER values that are up to 20 octets in size.  Of course RSA keys use INTEGER values that are much bigger than that.  And, the text explains there are various ways that a CRL issuer can assign numbers for different scopes that can lead to larger values.

Russ
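As an added illustration of the point Russ makes (this code is not part of the thread and is not from either participant), the following Python handles a crlNumber as a DER INTEGER of arbitrary size, the way RFC 5280 section 5.2.3 expects of a verifier (values up to 20 octets must be accepted; issuers must not go longer), and contrasts it with a verifier that stores the value in a fixed 64-bit word. The 64-bit maximum from Peter's message and the largest value that still fits in 20 content octets are constructed sample inputs; the function names are this example's own.

```python
"""Added example (not from the original thread): DER INTEGER handling for a
CRL number, treating it as an arbitrary-precision integer as RFC 5280
section 5.2.3 requires (verifiers handle values up to 20 octets) rather
than as a fixed-width machine word. All sample values are constructed."""

DER_INTEGER_TAG = 0x02
MAX_CRL_NUMBER_OCTETS = 20  # RFC 5280 5.2.3 limit on the INTEGER content octets


def _encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def integer_content_octets(value: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER.
    A leading octet with its high bit set would read as negative, so a 0x00
    octet is prepended in that case (this is why 2**64-1 takes 9 octets)."""
    if value < 0:
        raise ValueError("crlNumber must be non-negative")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return content


def encode_der_integer(value: int) -> bytes:
    """Full DER TLV encoding (tag, length, content) of a non-negative INTEGER."""
    content = integer_content_octets(value)
    return bytes([DER_INTEGER_TAG]) + _encode_length(len(content)) + content


def decode_der_integer(data: bytes) -> int:
    """Parse one DER INTEGER into a Python int of any size. Rejects a wrong tag,
    non-minimal length or value encodings, negative values and trailing bytes."""
    if len(data) < 2 or data[0] != DER_INTEGER_TAG:
        raise ValueError("not a DER INTEGER")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F  # number of length octets that follow
        if n == 0 or len(data) < 2 + n:
            raise ValueError("bad length encoding")
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if length < 0x80:
            raise ValueError("non-minimal length (DER forbids long form here)")
    content = data[offset:offset + length]
    if len(content) != length or offset + length != len(data):
        raise ValueError("truncated or trailing data")
    if len(content) == 0:
        raise ValueError("empty INTEGER")
    if len(content) > 1 and content[0] == 0x00 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER (superfluous leading 0x00)")
    if content[0] & 0x80:
        raise ValueError("negative crlNumber is not allowed")
    return int.from_bytes(content, "big")


def der_integer_is_valid(data: bytes) -> bool:
    """Convenience wrapper: True if decode_der_integer accepts the bytes."""
    try:
        decode_der_integer(data)
        return True
    except ValueError:
        return False


def crl_number_conforms(value: int) -> bool:
    """Issuer-side check: the INTEGER content, including any leading 0x00 the
    encoding adds, must not exceed 20 octets (RFC 5280 5.2.3)."""
    return value >= 0 and len(integer_content_octets(value)) <= MAX_CRL_NUMBER_OCTETS


def fits_in_bits(value: int, bits: int) -> bool:
    """True if a non-negative value fits in an unsigned word of the given width."""
    return 0 <= value < (1 << bits)


def decode_into_fixed_width(data: bytes, bits: int = 64) -> int:
    """What a verifier built on a fixed-width word does: a conforming 20-octet
    crlNumber cannot be represented, so the parse fails instead of comparing."""
    value = decode_der_integer(data)
    if not fits_in_bits(value, bits):
        raise OverflowError(f"crlNumber does not fit in {bits} bits")
    return value


def is_newer_crl(candidate: int, cached: int) -> bool:
    """Monotonic comparison a relying party uses to decide whether to replace
    a cached CRL; correct at any size because Python ints are unbounded."""
    return candidate > cached


if __name__ == "__main__":
    # Constructed sample values: the 64-bit maximum quoted in the thread and
    # the largest value that still fits in 20 content octets.
    sixty_four_bit_max = 2**64 - 1
    twenty_octet_max = 2**159 - 1
    for v in (1, 127, 128, sixty_four_bit_max, twenty_octet_max):
        der = encode_der_integer(v)
        assert decode_der_integer(der) == v
        print(f"{v.bit_length():3d}-bit value -> {len(der) - 2:2d} content octets, "
              f"conforms={crl_number_conforms(v)}")
    try:
        decode_into_fixed_width(encode_der_integer(twenty_octet_max))
    except OverflowError as exc:
        print("fixed-width verifier:", exc)
    print("newer than cached:", is_newer_crl(twenty_octet_max, sixty_four_bit_max))
```

Two details are worth noting. First, the 20-octet limit is on the encoded content, so a value whose top bit falls in the 160th position already needs a 21st (leading 0x00) octet and is non-conforming even though it "looks like" 20 bytes of data. Second, the verifier rejects non-minimal and negative encodings; a parser that silently accepts them makes two different byte strings decode to the same number, which defeats the "monotonically increasing" comparison.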