Re: [pkix] Why is the crlNumber an OCTET STRING?
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 20 April 2021 21:58 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Russ Housley <housley@vigilsec.com>
CC: IETF PKIX <pkix@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/CNfGv5W8_srxbwet0ByrFvdOOAc>

Russ Housley <housley@vigilsec.com> writes:

>I see nothing about an OCTET STRING ...

If it's 20 bytes it's an OCTET STRING dressed up as an INTEGER, not a real INTEGER. In particular, if it's something where you'd need to issue 18 quintillion, 446 quadrillion, 744 trillion, 73 billion, 709 million, 551 thousand and 615 CRLs to exceed the capacity of an actual integer value (assuming 64-bit) then there's something else going on, which is what I was trying to find out. It's not a "monotonically increasing sequence number" any more because it's not possible to issue that many CRLs, so what is it?

Peter.
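
Added example, not part of the original message: the 20-byte versus 64-bit distinction the message draws, shown in C. It decodes a crlNumber DER INTEGER, orders two values without narrowing them, and converts to uint64_t only when the value fits; the function names, the sample bytes and the reading of the 20-octet size as a limit on the DER content octets are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRLNUM_MAX_OCTETS 20   /* the 20-byte size discussed in the message */
/* Constructed sample: a 20-octet DER INTEGER, not from any real CRL. */
static const uint8_t WIDE[] = { 0x02, 0x14, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
                                11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };

/* Parse a DER INTEGER TLV; on success *mag and *n give the magnitude without
   the sign-padding 0x00. Returns -1 if malformed, negative or too long. */
int crlnum_parse(const uint8_t *der, size_t len, const uint8_t **mag, size_t *n)
{
    if (len < 3 || der[0] != 0x02 || der[1] != len - 2 ||
        der[1] > CRLNUM_MAX_OCTETS || (der[2] & 0x80))
        return -1;   /* not INTEGER, bad length, oversized or negative */
    if (der[1] > 1 && der[2] == 0x00 && !(der[3] & 0x80))
        return -1;   /* non-minimal encoding */
    size_t skip = (der[1] > 1 && der[2] == 0x00);
    *mag = der + 2 + skip;
    *n = der[1] - skip;
    return 0;
}

/* Compare two magnitudes as big-endian unsigned numbers: -1, 0 or 1. */
int crlnum_cmp(const uint8_t *a, size_t an, const uint8_t *b, size_t bn)
{
    if (an != bn) return an < bn ? -1 : 1;
    int c = memcmp(a, b, an);
    return (c > 0) - (c < 0);
}

/* Narrow to 64 bits only when the value fits; -1 means it does not. */
int crlnum_to_u64(const uint8_t *mag, size_t n, uint64_t *out)
{
    if (n > 8) return -1;
    for (*out = 0; n > 0; n--)
        *out = (*out << 8) | *mag++;
    return 0;
}

int main(void)
{
    const uint8_t *m; size_t n; uint64_t v;
    if (crlnum_parse(WIDE, sizeof WIDE, &m, &n) != 0)
        return 1;
    printf("20-octet crlNumber fits in uint64_t: %s\n",
           crlnum_to_u64(m, n, &v) == 0 ? "yes" : "no");
    return 0;
}
```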