Re: [pkix] AuthorityKeyIdentifier and SubjectKeyIdentifier in DRIP X.509 certs

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 14 May 2023 23:31 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] AuthorityKeyIdentifier and SubjectKeyIdentifier in DRIP X.509 certs
Thread-Index: AQHZhrRhPqV53YY5cEutJ02hMAHYka9aaq+O
Date: Sun, 14 May 2023 23:30:56 +0000
Message-ID: <SY4PR01MB625132D16A3FDB3C64E7F2EDEE7B9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <5728d335-f283-a8ce-b0b4-82a88e5f1525@htt-consult.com>
In-Reply-To: <5728d335-f283-a8ce-b0b4-82a88e5f1525@htt-consult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/61rWLZ_m2vOkNzzI_NH-zLFnqAM>
Subject: Re: [pkix] AuthorityKeyIdentifier and SubjectKeyIdentifier in DRIP X.509 certs

Robert Moskowitz <rgm-sec@htt-consult.com> writes:

>I SHOULD be able to use the DETS in keyIdentifier as I do with
>SubjectKeyIdentifier, but openSSL is resisting my efforts.  So far.

The aKID is copied from the issuing cert so I would imagine you can't just set
it arbitrarily.  OTOH since the aKID is copied from the issuing cert the
obvious way to get it into the subject cert would be to set it as the sKID in
the issuing cert.

>I was wondering if there is something I could do with authorityCertIssuer?

Probably not for the same reason you can't set the aKID in the subject cert
yourself.

You then also run into the problem that the sKID/aKID is the universal
identifier there and it's not clear what, if any, support there is for
handling authorityCertIssuers.

Peter.
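The mechanism described above (OpenSSL derives the subject cert's authorityKeyIdentifier by copying the issuing cert's subjectKeyIdentifier, so the way to control the aKID is to control the issuer's sKID) can be checked with the following added example, which is not part of this thread or of OpenSSL's own documentation. It builds a constructed two-cert chain with the `openssl` CLI, using hash-derived sKIDs rather than a DET, and reports whether the end-entity aKID keyIdentifier equals the issuer's sKID and whether the chain verifies. Subjects, file names and the temp directory are constructed; it assumes an `openssl` binary (1.1.1 or later) plus POSIX `sh` and `awk`.

```shell
#!/bin/sh
# Added example (not from the thread): show that OpenSSL copies the issuing
# cert's sKID into the subject cert's aKID, and check that the values match.
# All names, subjects and paths below are constructed for the demonstration.

# Print the hex value of one X509v3 extension as shown by `openssl x509 -text`.
# $1 = PEM certificate, $2 = extension name, e.g. "Subject Key Identifier".
# Older OpenSSL prints the aKID as "keyid:AB:CD:..."; the prefix is stripped.
ext_hex() {
  openssl x509 -in "$1" -noout -text |
    awk -v n="$2" 'index($0, n ":") { getline; sub(/^[ \t]+/, ""); sub(/^keyid:/, ""); print; exit }'
}

# Build a constructed CA + end-entity pair in a temp dir, print both key
# identifiers, and return 0 only if aKID == issuer sKID and the chain verifies.
check_akid_matches_skid() {
  dir=$(mktemp -d) || return 1

  # Issuing (CA) cert: sKID computed from the CA public key (hash method).
  cat >"$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Example CA
[ca_ext]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca.key" 2>/dev/null &&
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" -days 1 \
    -out "$dir/ca.pem" 2>/dev/null || { rm -rf "$dir"; return 1; }

  # Subject (end-entity) cert: "keyid:always" makes OpenSSL copy the issuer's
  # sKID into the aKID and fail the signing if the issuer has no sKID.
  cat >"$dir/ee.ext" <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ee.key" 2>/dev/null &&
  openssl req -new -key "$dir/ee.key" -subj "/CN=constructed-end-entity" \
    -out "$dir/ee.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/ee.ext" -out "$dir/ee.pem" 2>/dev/null ||
    { rm -rf "$dir"; return 1; }

  skid=$(ext_hex "$dir/ca.pem" "Subject Key Identifier")
  akid=$(ext_hex "$dir/ee.pem" "Authority Key Identifier")
  echo "issuer sKID:  $skid"
  echo "subject aKID: $akid"

  # Path validation must also succeed, i.e. the aKID really selects this issuer.
  if openssl verify -CAfile "$dir/ca.pem" "$dir/ee.pem" >/dev/null 2>&1; then
    verified=0
  else
    verified=1
  fi
  rm -rf "$dir"

  [ -n "$skid" ] && [ "$skid" = "$akid" ] && [ "$verified" -eq 0 ]
}

check_akid_matches_skid && echo "aKID matches issuer sKID and chain verifies"
```

Swapping `subjectKeyIdentifier = hash` in the CA config for a different sKID source changes what ends up in every subject cert's aKID, which is the point of the reply above; the end-entity extension file never names the aKID value itself.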