Re: [pkix] a question of cert (and OCSP) extension syntax

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 31 March 2015 08:48 UTC

Message-ID: <551A5F4B.1050703@cs.tcd.ie>
Date: Tue, 31 Mar 2015 09:48:11 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Peter Yee <peter@akayla.com>, pkix@ietf.org
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
In-Reply-To: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/55COZwQT_jnHRqxw6sl-pfyci_o>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax

Hi Peter,

On 31/03/15 05:09, Peter Yee wrote:
> We've been doing ASN.1 for more than 20 years.  Is it really that hard to
> encode things as ASN.1?  

But that's not the question. The question is whether or not it is
reasonable for the IETF to object if someone (or some wg) has chosen
to use another encoding style for an X.509 extnValue?

> I understand that text encoding is readable and
> even fashionable, but it's not like ASN.1 is the bugbear it's made out to
> be.

In the case in hand in trans, we're not dealing with text encoding
but with TLS style encoding; since trans has to use both forms, they
have chosen to use the TLS style for an X.509 extension value. In
other words, this is not an ASN.1 hate situation.

If one wanted to generalise from the trans case, I think you'd ask
the question this way: when defining an X.509 extension for protocol
foo, is it reasonable that the extnValue uses the encoding style
of protocol foo (wrapped in an OCTET STRING)?

S.


> 
> 		-Peter
> 
>> From: Russ Housley <housley@vigilsec.com>
>> Date: March 30, 2015 11:21:37 AM EDT
>> To: Rob Stradling <rob.stradling@comodo.com>
>> Cc: IETF PKIX <pkix@ietf.org>
>> Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
>>
>> Rob:
>>
>>> I think it's only "wrong" and "weird" if you take the view that "if it
>>> could conceivably be constructed in ASN.1, then it MUST be constructed in
>>> ASN.1".  I don't take that view.
>>
>> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that
>> extensions are OCTET STRING wrapped ASN.1 structures.  From section 4.2 of
>> RFC 2459:
>>
>>     Each extension includes an OID and an ASN.1 structure.
>>
>> Russ
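The two positions in this thread, shown in code as an added example that is not part of the archived message or of any participant's work: an RFC 5280 Extension is built whose extnValue OCTET STRING wraps either a DER-encoded ASN.1 SEQUENCE (Russ's reading) or a TLS-style length-prefixed vector (the trans choice Stephen describes). A generic certificate parser treats both identically, because it stops at the OCTET STRING; only the OID-specific consumer has to know which inner encoding applies, and a decoder applied to the wrong style must fail cleanly rather than misparse. The two OIDs are constructed placeholders under a made-up private arc, not registered values, and the sample list content is constructed.

```python
# Added example, not from the thread. RFC 5280 Extension ::= SEQUENCE {
#   extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
# The bytes inside extnValue may be DER ASN.1 or, as trans chose, a TLS-style vector.
# Minimal DER helpers (standard library only) so this runs offline.

def der_len(n):
    """DER definite-form length."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs combined, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der_read_tlv(data, pos=0):
    """Return (tag, contents, position after the TLV); rejects truncated/indefinite input."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("length exceeds buffer")
    return tag, data[pos:pos + length], pos + length

# Two inner encodings for the same logical content: a list of opaque byte strings.
def inner_asn1(items):
    """ASN.1 style: extnValue wraps DER, here SEQUENCE OF OCTET STRING."""
    return der_tlv(0x30, b"".join(der_tlv(0x04, i) for i in items))

def decode_inner_asn1(data):
    tag, body, end = der_read_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, item, pos = der_read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING element")
        items.append(item)
    return items

def inner_tls(items):
    """TLS presentation-language style: 2-byte length on each item and on the whole vector."""
    body = b"".join(len(i).to_bytes(2, "big") + i for i in items)
    return len(body).to_bytes(2, "big") + body

def decode_inner_tls(data):
    if len(data) < 2 or int.from_bytes(data[:2], "big") != len(data) - 2:
        raise ValueError("bad outer vector length")
    items, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated item length")
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(data):
            raise ValueError("item length exceeds vector")
        items.append(data[pos:pos + n])
        pos += n
    return items

# Constructed placeholder OIDs under a made-up private arc; not registered values.
OID_ASN1_STYLE = "1.3.6.1.4.1.99999.1"
OID_TLS_STYLE = "1.3.6.1.4.1.99999.2"
INNER_DECODERS = {OID_ASN1_STYLE: decode_inner_asn1, OID_TLS_STYLE: decode_inner_tls}

def make_extension(oid, extn_value, critical=False):
    fields = [der_oid(oid)]
    if critical:  # DEFAULT FALSE, so DER omits the BOOLEAN when false
        fields.append(der_tlv(0x01, b"\xff"))
    fields.append(der_tlv(0x04, extn_value))
    return der_tlv(0x30, b"".join(fields))

def parse_extension(ext):
    """Generic RFC 5280 parsing: stops at the OCTET STRING, whatever is inside it."""
    tag, body, end = der_read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("Extension must be one SEQUENCE")
    tag, oid_body, pos = der_read_tlv(body)
    if tag != 0x06:
        raise ValueError("extnID must be an OID")
    critical = False
    tag, val, pos = der_read_tlv(body, pos)
    if tag == 0x01:
        critical = val == b"\xff"
        tag, val, pos = der_read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return {"oid": decode_oid(oid_body), "critical": critical, "extnValue": val}

def decode_extension(ext):
    """Only the OID-specific consumer knows which inner encoding applies."""
    parsed = parse_extension(ext)
    decoder = INNER_DECODERS.get(parsed["oid"])
    if decoder is None:
        raise ValueError("unknown extension " + parsed["oid"])
    return decoder(parsed["extnValue"])

if __name__ == "__main__":
    sample = [b"entry-one", b"entry-two"]  # constructed sample content
    for oid, enc in ((OID_ASN1_STYLE, inner_asn1), (OID_TLS_STYLE, inner_tls)):
        ext = make_extension(oid, enc(sample))
        print(parse_extension(ext)["oid"], decode_extension(ext))
```

The point the code makes for Stephen's generalised question is that the OCTET STRING wrapper is what keeps the certificate-level parser indifferent to the inner style; the cost is borne by the consumer of protocol foo's extension, which must dispatch on extnID and treat a decoding mismatch as a hard error.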