Re: [pkix] [Errata Held for Document Update] RFC7030 (4384)

Dan Harkins <dharkins@lounge.org> Wed, 19 August 2020 20:59 UTC

Date: Wed, 19 Aug 2020 13:59:40 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <20200819195855.074DCF4078A@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>, pierce.leonberger@baesystems.com, pritikin@cisco.com, peter@akayla.com, dharkins@arubanetworks.com
Cc: rdd@cert.org, pkix@ietf.org, iesg@ietf.org
Message-id: <895a0e46-c26c-8f01-39a2-23097cc548f9@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/BA3f46FS6TZQG8C_AnUezPn6jLk>

   Hi there,

On 8/19/20 12:58 PM, RFC Errata System wrote:
> The following errata report has been held for document update
> for RFC7030, "Enrollment over Secure Transport".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid4384
>
> --------------------------------------
> Status: Held for Document Update
> Type: Technical
>
> Reported by: Pierce Leonberger <pierce.leonberger@baesystems.com>
> Date Reported: 2015-06-02
> Held by: Roman Danyliw (IESG)
>
> Section: 4.5.2
>
> Original Text
> -------------
> CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
>
> AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute }
>
> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>       type   ATTRIBUTE.&id({IOSet}),
>       values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) }
>
> Corrected Text
> --------------
> AttrOrOID ::= CHOICE {
>        oid OBJECT IDENTIFIER,
>        attribute Attribute{YouNeedToDefineOrReferenceAnObjectSet}
> }
>
> Notes
> -----
> 1. The AttrOrOID CHOICE was started with a '(' versus a '{'.
>
> 2. Attribute{} is a parameterized type and you are missing the parameter reference within the AttrOrOID CHOICE for "attribute".

   "YouNeedToDefine...." needs to be a list of OIDs I believe. Since this
is a request to someone on how to generate a CSR, the OIDs should be the
ones that would be useful when giving such instruction. For instance:

   - "Generate a CSR with a public key from p384, add your serialNumber
      as an extReq, include challengePassword, and sign the whole thing
      with ECDSA and SHA384"

   - "Generate a CSR with RSA and a key that is 4096 bits, include
      challengePassword and sign the whole thing with RSA and SHA512"

So how about this:

   AttrOrOID ::= CHOICE {
        oid OBJECT IDENTIFIER,
        attribute AttrSet
   }

   AttrSet ATTRIBUTE ::= { challengePassword, id-ecPublicKey, rsaEncryption,
                           extReq, ecdsa-with-SHA256, ecdsa-with-SHA384,
                           ecdsa-with-SHA512, SHA256, SHA384, SHA512, ... }

   Would this work? This is basically what I implemented in my EST reference
design (plus some extra stuff for extReq like macAddress, favoriteDrink,
etc. that might be considered part of "...").

   regards,

   Dan.

> 3. You need to define or reference the object set to be used in #2.
>
> Highly recommend you create an ASN.1 Module as part of this specification.  This will make it clear which specifications (and the versions thereof) you are importing types from (i.e. Attribute{}) and the tagging that should be used (module level).  If you need to define a new object set for #3 then this new module would be the perfect home for it.
>
> --------------------------------------
> RFC7030 (draft-ietf-pkix-est-09)
> --------------------------------------
> Title               : Enrollment over Secure Transport
> Publication Date    : October 2013
> Author(s)           : M. Pritikin, Ed., P. Yee, Ed., D. Harkins, Ed.
> Category            : PROPOSED STANDARD
> Source              : Public-Key Infrastructure (X.509)
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>
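The CsrAttrs structure the thread is arguing about, as a worked example added here (not code from the thread, from RFC 7030, or from Dan's EST reference design): a small Python decoder for a DER-encoded csrattrs response, fed a constructed sample that encodes the first of Dan's instructions (p384 key, extReq, challengePassword, ECDSA with SHA-384). It assumes attribute values are themselves OIDs, as when id-ecPublicKey carries its curve, and rejects anything else instead of guessing.

```python
# Added example, not from the thread or RFC 7030: a minimal DER decoder for the
# CsrAttrs ::= SEQUENCE OF AttrOrOID structure discussed above (bare OID, or
# Attribute{type, SET OF values}).  Assumption: attribute values are OIDs.

def _children(buf):                     # split a DER constructed body into (tag, body) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                   # long-form length: value is in the next (ln & 0x7F) bytes
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        if pos + ln > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + ln])); pos += ln
    return out

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0   # first byte packs the first two arcs
    for b in body[1:]:                  # base-128 arcs, continuation bit on all but the last byte
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def dec_csrattrs(der):                  # -> OID strings (oid choice) and (type, [values]) tuples
    top = _children(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("CsrAttrs must be exactly one SEQUENCE")
    items = []
    for tag, inner in _children(top[0][1]):
        if tag == 0x06:
            items.append(dec_oid(inner))
        elif tag == 0x30:               # Attribute: type OID followed by SET OF values
            (ttag, toid), (stag, vals) = _children(inner)
            if ttag != 0x06 or stag != 0x31:
                raise ValueError("malformed Attribute")
            items.append((dec_oid(toid), [dec_oid(v) for _, v in _children(vals)]))
        else:
            raise ValueError("unexpected tag 0x%02x in CsrAttrs" % tag)
    return items

def is_valid_csrattrs(der):             # a client should check this before acting on a response
    try:
        dec_csrattrs(der); return True
    except (ValueError, IndexError):
        return False

# Constructed sample, not RFC 7030's bytes: Dan's "p384, extReq, challengePassword, ECDSA/SHA-384" case
P384_CSRATTRS = bytes.fromhex(
    "303f06092a864886f70d010907301206072a8648ce3d0201310706052b81040022"
    "06092a864886f70d01090e06082a8648ce3d0403030609608648016503040202")
```

Decoding the sample yields challengePassword, id-ecPublicKey with secp384r1 as its value, extensionRequest, ecdsa-with-SHA384 and id-sha384, in that order; a truncated or trailing-garbage response is rejected rather than partially accepted.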