IETF Logo Mail Archive

Re: [pkix] [Errata Held for Document Update] RFC7030 (4384)

Russ Housley <housley@vigilsec.com> Thu, 20 August 2020 17:44 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B61F53A0E5A for <pkix@ietfa.amsl.com>; Thu, 20 Aug 2020 10:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NuzIbKX7WV9l for <pkix@ietfa.amsl.com>; Thu, 20 Aug 2020 10:44:41 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF6DE3A0E57 for <pkix@ietf.org>; Thu, 20 Aug 2020 10:44:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 431F8300B8F for <pkix@ietf.org>; Thu, 20 Aug 2020 13:44:38 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id R9X85rlgsiND for <pkix@ietf.org>; Thu, 20 Aug 2020 13:44:35 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 824DE3005D5; Thu, 20 Aug 2020 13:44:34 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <003a01d6768c$3927ffb0$ab77ff10$@augustcellars.com>
Date: Thu, 20 Aug 2020 13:44:35 -0400
Cc: RFC Editor <rfc-editor@rfc-editor.org>, pierce.leonberger@baesystems.com, pritikin@cisco.com, Peter Yee <peter@akayla.com>, "Roman D. Danyliw" <rdd@cert.org>, IETF PKIX <pkix@ietf.org>, IESG <iesg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <952AD34E-B031-4B81-B7BA-638898F53738@vigilsec.com>
References: <20200819195855.074DCF4078A@rfc-editor.org> <895a0e46-c26c-8f01-39a2-23097cc548f9@lounge.org> <003a01d6768c$3927ffb0$ab77ff10$@augustcellars.com>
To: Dan Harkins <dharkins@lounge.org>
X-Mailer: Apple Mail (2.3445.104.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/2BaGIiUb9tneSHNEtEhRDlgJIj8>
Subject: Re: [pkix] [Errata Held for Document Update] RFC7030 (4384)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 17:44:44 -0000


> 
>> The following errata report has been held for document update for 
>> RFC7030, "Enrollment over Secure Transport".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid4384
>> 
>> --------------------------------------
>> Status: Held for Document Update
>> Type: Technical
>> 
>> Reported by: Pierce Leonberger <pierce.leonberger@baesystems.com>
>> Date Reported: 2015-06-02
>> Held by: Roman Danyliw (IESG)
>> 
>> Section: 4.5.2
>> 
>> Original Text
>> -------------
>> CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
>> 
>> AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute }
>> 
>> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>>      type   ATTRIBUTE.&id({IOSet}),
>>      values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) }
>> 
>> Corrected Text
>> --------------
>> AttrOrOID ::= CHOICE {
>>       oid OBJECT IDENTIFIER,
>>       attribute Attribute{YouNeedToDefineOrReferenceAnObjectSet}
>> }
>> 
>> Notes
>> -----
>> 1. The AttrOrOID CHOICE was started with a '(' versus a '{'.
>> 
>> 2. Attribute{} is a parameterized type and you are missing the parameter reference within the AttrOrOID CHOICE for "attribute".
> 
>   "YouNeedToDefined...." needs to be a list of OIDs I believe. Since this is a request to someone on how to generate a CSR, the OIDs should be the ones that would be useful when giving such instruction. For instance:
> 
> [JLS] YouNeedToDefined needs to be an ObjectSet of Attributes.  An attribute is going to have both an OID and a Type in it.
> 
>   - "Generate a CSR with a public key from p384, add your serialNumber
>      as an extReq, include challengePassword, and sign the whole thing
>      with ECDSA and SHA384"
> 
>   - "Generate a CSR with RSA and a key that is 4096 bits, include
>      challengePassword and sign the whole thing with RSA and SHA512"
> 
> So how about this:
> 
>   AttrOrOID ::= CHOICE {
>        oid OBJECT IDENTIFER,
>        attribute AttrSet
>   }
> 
>   AttrSet ATTRIBUTE ::= { challengePassword, id-ecPublicKey, rsaEncryption,
>                           extReq, ecdsa-with-SHA256, ecdsa-with-SHA384,
>                           ecdsa-with-SHA512, SHA256, SHA384, SHA512, ... }
> 
> [JLS]
> Items like challengePassword can be imported from RFC 2985.  However id-ecPublicKey is an OID so the ATTRIBUTE would need to be defined
> att-ecPublicKey ::= ATTRIBUTE ::= { WITH SYNTAX ECParameters ID id-ecPublicKey }
> 
> Making an ASN.1 module would shake out which are needed to be defined as attributes.  I would use SHA256 in the oid choice myself.  Having an value set there would be useful so that people know which values go in which choices.

Please see the ASN.1 module in draft-ietf-lamps-rfc7030est-clarify.

Russ

v2.23.0 | Report a Bug | By Email