Re: [pkix] a question of cert (and OCSP) extension syntax
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 31 March 2015 08:48 UTC
Message-ID: <551A5F4B.1050703@cs.tcd.ie>
Date: Tue, 31 Mar 2015 09:48:11 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Peter Yee <peter@akayla.com>, pkix@ietf.org
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
In-Reply-To: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/55COZwQT_jnHRqxw6sl-pfyci_o>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
Hi Peter,

On 31/03/15 05:09, Peter Yee wrote:
> We've been doing ASN.1 for more than 20 years. Is it really that hard to
> encode things as ASN.1?

But that's not the question. The question is whether or not it is
reasonable for the IETF to object if someone (or some wg) has chosen
to use another encoding style for an X.509 extnValue?

> I understand that text encoding is readable and
> even fashionable, but it's not like ASN.1 is the bugbear it's made out to
> be.

In the case in hand in trans, we're not dealing with text encoding but
with TLS style encoding, since trans has to use both forms, they have
chosen to use the TLS style for an X.509 extension value. In other
words, this is not an ASN.1 hate situation.

If one wanted to generalise from the trans case, I think you'd ask the
question this way: when defining an X.509 extension for protocol foo,
is it reasonable that the extnValue uses the encoding style of
protocol foo, (wrapped in an OCTET STRING)?

S.

>
> -Peter
>
>> From: Russ Housley <housley@vigilsec.com>
>> Date: March 30, 2015 11:21:37 AM EDT
>> To: Rob Stradling <rob.stradling@comodo.com>
>> Cc: IETF PKIX <pkix@ietf.org>
>> Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
>>
>> Rob:
>>
>>> I think it's only "wrong" and "weird" if you take the view that "if it
>>> could conceivably be constructed in ASN.1, then it MUST be constructed in
>>> ASN.1". I don't take that view.
>>
>> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that
>> extensions are OCTET STRING wrapped ASN.1 structures. From section 4.2 of
>> RFC 2459:
>>
>> Each extension includes an OID and an ASN.1 structure.
>>
>> Russ
>
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>
>
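The distinction the message turns on, that the OCTET STRING wrapper of extnValue is DER whatever happens, while the bytes inside it are defined per extension, is easiest to see in a decoder. The following is an added example, not code from this thread, from any of its participants or from the trans WG. It parses an RFC 5280 Extension and then interprets the OCTET STRING contents either as DER again (BasicConstraints, OID 2.5.29.19) or as a TLS-style length-prefixed vector, which is what RFC 6962 does for its SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2), the trans case Stephen refers to. The two sample extensions are constructed inline, with placeholder bytes standing in for real SCTs, and every function name is this example's own.

```python
# Added example, not code from the thread or from the trans WG: decode an RFC 5280
# Extension, then interpret the OCTET STRING contents per extnID. All names are
# this example's own; the SCT-list sample uses placeholder bytes, not real SCTs.

BASIC_CONSTRAINTS_OID = "2.5.29.19"          # RFC 5280 4.2.1.9: contents are DER
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"    # RFC 6962 3.3: contents are TLS-style

def der_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F                         # long form: n length octets follow
        if n == 0 or n > 4:
            raise ValueError("bad DER length")
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[start:end], end

def der_short(tag: int, contents: bytes) -> bytes:
    """DER TLV with short-form length; sample builder only (contents < 128 bytes)."""
    return bytes([tag, len(contents)]) + contents

def der_oid(contents: bytes) -> str:
    """OBJECT IDENTIFIER contents to dotted form (first arc 0..2)."""
    arcs, val = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                         # last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extension(ext: bytes) -> tuple:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, body, end = der_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("Extension is not a single SEQUENCE")
    tag, oid_bytes, pos = der_tlv(body)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    tag, val, pos = der_tlv(body, pos)
    critical = tag == 0x01 and val == b"\xff"    # optional BOOLEAN critical
    if tag == 0x01:
        tag, val, pos = der_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return der_oid(oid_bytes), critical, val     # val = OCTET STRING contents

def tls_opaque_list(items: list) -> bytes:
    """Encode opaque item<1..2^16-1> list<1..2^16-1> (TLS presentation syntax)."""
    body = b"".join(len(i).to_bytes(2, "big") + i for i in items)
    return len(body).to_bytes(2, "big") + body

def parse_tls_opaque_list(inner: bytes) -> list:
    """Decode the vector above; the declared lengths must exactly fill `inner`."""
    end = 2 + int.from_bytes(inner[:2], "big")
    if len(inner) < 3 or end != len(inner):
        raise ValueError("list length does not match OCTET STRING contents")
    items, pos = [], 2
    while pos < end:
        n = int.from_bytes(inner[pos:pos + 2], "big")
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("item length overruns list")
        items.append(inner[pos:pos + n])
        pos += n
    return items

def decode_extension(ext: bytes) -> dict:
    """Unwrap the OCTET STRING, then interpret its contents per extnID."""
    oid, critical, inner = parse_extension(ext)
    out = {"oid": oid, "critical": critical}
    if oid == BASIC_CONSTRAINTS_OID:             # contents are DER again
        tag, seq, end = der_tlv(inner)
        if tag != 0x30 or end != len(inner):
            raise ValueError("BasicConstraints must be a single SEQUENCE")
        out["cA"] = bool(seq) and der_tlv(seq)[:2] == (0x01, b"\xff")
    elif oid == SCT_LIST_OID:                    # contents are a TLS vector
        out["sct_list"] = parse_tls_opaque_list(inner)
    else:
        out["raw"] = inner                       # unknown extension: hand back bytes
    return out

def is_well_formed(ext: bytes) -> bool:
    """True when both the DER wrapper and the per-extension contents parse."""
    try:
        decode_extension(ext)
        return True
    except (ValueError, IndexError):
        return False

# Constructed sample 1: critical BasicConstraints, cA=TRUE; OCTET STRING holds DER.
BASIC_CONSTRAINTS_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")

# Constructed sample 2: SCT-list shape with placeholder items; OCTET STRING holds a TLS vector.
SCT_EXT = der_short(0x30, der_short(0x06, bytes.fromhex("2b06010401d679020402"))
                    + der_short(0x04, tls_opaque_list([b"placeholder-sct-1",
                                                       b"placeholder-sct-2"])))
```

The practical consequence for a verifier is that the DER layer only guarantees the OCTET STRING boundary; the protocol-style parser inside it has to be just as strict, which is why `parse_tls_opaque_list` rejects any vector whose declared lengths do not exactly fill the OCTET STRING contents rather than silently ignoring trailing bytes or reading past the end.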