Re: [pkix] a question of cert (and OCSP) extension syntax

Russ Housley <housley@vigilsec.com> Mon, 30 March 2015 15:47 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <A194E40C-016B-4CEA-A9A8-9A179C876D43@vpnc.org>
Date: Mon, 30 Mar 2015 11:46:50 -0400
Message-Id: <3161EB72-BE23-44CB-B02A-12648BAE73BB@vigilsec.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com> <5512C9C7.70202@comodo.com> <55159714.1070902@openca.org> <55190678.6080007@comodo.com> <924332F5-FED1-4A0C-BBD8-146C1AC549B3@vigilsec.com> <A194E40C-016B-4CEA-A9A8-9A179C876D43@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Rob Stradling <rob.stradling@comodo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/6GsUAhIJ0NKi4ksvfv3i4soy34E>
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>

Paul:

>>> I think it's only "wrong" and "weird" if you take the view that "if it could conceivably be constructed in ASN.1, then it MUST be constructed in ASN.1".  I don't take that view.
>> 
>> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that extensions are OCTET STRING wrapped ASN.1 structures.  From section 4.2 of RFC 2459:
>> 
>> 	Each extension includes an OID and an ASN.1 structure.
> 
> I always interpreted the "an ASN.1 structure" there as meaning that any structure was acceptable, whether it was SEQUENCE or INTEGER or OCTET STRING or whatever.

The usage in this case is a non-ASN.1 structure shoved into an OCTET STRING and then wrapped in an OCTET STRING.  The non-ASN.1 structure is easily represented as an ASN.1 structure, which would allow one of the OCTET STRING wrappings to be removed.  This just seems much cleaner to me.

Russ
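As an added example that is not part of this thread or of any RFC text, the following minimal DER encoder/decoder builds both layouts Russ contrasts (a non-ASN.1 blob in an OCTET STRING that is then wrapped by extnValue's OCTET STRING, versus the same fields as a real ASN.1 SEQUENCE) and counts the OCTET STRING wrappings around the payload. The helper names, the placeholder extnID 1.2.3.4 and the payload bytes are all assumptions made for the illustration.

```python
# Added example, not from the thread: a minimal DER encoder/decoder that builds
# the two extension layouts Russ contrasts and counts the OCTET STRING wrappings
# around the payload. All values are constructed and kept under 128 bytes.
INTEGER, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30

def tlv(tag, content):
    assert len(content) < 0x80, "short-form DER length only in this example"
    return bytes([tag, len(content)]) + content

def parse_tlv(data, pos=0):
    """Return (tag, content, end) for the TLV at data[pos]; long-form lengths ok."""
    tag, first = data[pos], data[pos + 1]
    hdr, length = 2, first
    if first & 0x80:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")
    end = pos + hdr + length
    if end > len(data):
        raise ValueError("length runs past end of data")
    return tag, data[pos + hdr:end], end

def extension(extn_id, extn_value):
    """Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }"""
    return tlv(SEQUENCE, extn_id + tlv(OCTET_STRING, extn_value))

def extn_value_layers(ext_der):
    """Tags met while unwrapping extnValue: its own OCTET STRING tag, then each
    nested layer for as long as the content is exactly one well-formed TLV."""
    _, seq, _ = parse_tlv(ext_der)          # outer Extension SEQUENCE
    _, _, pos = parse_tlv(seq)              # extnID, skipped
    tag, content, _ = parse_tlv(seq, pos)   # extnValue
    layers = [tag]
    while tag == OCTET_STRING and len(content) >= 2:
        try:
            inner_tag, inner, end = parse_tlv(content)
        except (IndexError, ValueError):
            break                            # opaque bytes, not a TLV
        if end != len(content):
            break                            # trailing bytes, not one TLV
        layers.append(inner_tag)
        tag, content = inner_tag, inner
    return layers

def octet_string_depth(ext_der):
    return extn_value_layers(ext_der).count(OCTET_STRING)

PLACEHOLDER_OID = bytes.fromhex("06032a0304")  # 1.2.3.4, placeholder extnID
BLOB = b"\x05ABCDEF"                            # constructed non-ASN.1 payload
DOUBLE_WRAPPED = extension(PLACEHOLDER_OID, tlv(OCTET_STRING, BLOB))  # Russ's complaint
ASN1_FORM = extension(PLACEHOLDER_OID, tlv(SEQUENCE, tlv(INTEGER, b"\x05") + tlv(OCTET_STRING, b"ABCDEF")))
```

Running `octet_string_depth` on the two encodings gives 2 for the double-wrapped layout and 1 for the ASN.1 layout, which is the one wrapping Russ says can be removed.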