Re: [pkix] [Technical Errata Reported] RFC3029 (6444)

Carlisle Adams <cadams@uottawa.ca> Mon, 01 March 2021 16:23 UTC

From: Carlisle Adams <cadams@uottawa.ca>
To: Russ Housley <housley@vigilsec.com>, Erwann Abalea <eabalea@gmail.com>
CC: "Roman D. Danyliw" <rdd@cert.org>, Ben Kaduk <kaduk@mit.edu>, Stefan Santesson <stefan@aaa-sec.com>, IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] [Technical Errata Reported] RFC3029 (6444)
Thread-Index: AQHXDN1BqO6jxL0BDEy1SyTijkYM2qpt7FYAgAA7UQCAASwFcA==
Date: Mon, 1 Mar 2021 16:23:33 +0000
Message-ID: <YTXPR0101MB110157FF4F373702155B2361A29A9@YTXPR0101MB1101.CANPRD01.PROD.OUTLOOK.COM>
References: <20210226205457.C1E5FF40764@rfc-editor.org> <109BE558-3363-4030-A906-E329B7ED28B4@vigilsec.com> <CA+i=0E4K6nWAAfiuuQ-uOR+9+9G+9=T9J=EMmqqP7-oA00tP6w@mail.gmail.com> <27430A71-1D03-4704-8D31-3412FF922CD5@vigilsec.com>
In-Reply-To: <27430A71-1D03-4704-8D31-3412FF922CD5@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/I1gtdS_PcIIuAR16-HrP6eKMyZU>
Subject: Re: [pkix] [Technical Errata Reported] RFC3029 (6444)
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>

Hi Russ, all,

I agree that these errors need fixing because there doesn’t seem to be an easy way to get around them otherwise.  I also agree with Stefan that this is probably an indication that DVCS was never widely implemented…  ☹

Carlisle.


From: Russ Housley <housley@vigilsec.com>
Sent: February-28-21 5:26 PM
To: Erwann Abalea <eabalea@gmail.com>
Cc: Roman D. Danyliw <rdd@cert.org>; Ben Kaduk <kaduk@mit.edu>; Stefan Santesson <stefan@aaa-sec.com>; IETF PKIX <pkix@ietf.org>; Carlisle Adams <cadams@site.uottawa.ca>
Subject: Re: [pkix] [Technical Errata Reported] RFC3029 (6444)

Erwann:

On Sat, 27 Feb 2021 at 08:45, Russ Housley <housley@vigilsec.com> wrote:
I guess I should have held off on reporting this ASN.1 error.  Once I corrected it, I discovered two errors that I do not know how to fix.

There is an implementation somewhere because Appendix F contains examples.  I do not know how the implementer got around these two problems.


PROBLEM 1:

CertEtcToken ::= CHOICE {
     certificate                  [0] IMPLICIT Certificate ,
     esscertid                    [1] ESSCertId ,
     pkistatus                    [2] IMPLICIT PKIStatusInfo ,
     assertion                    [3] ContentInfo ,
     crl                          [4] IMPLICIT CertificateList,
     ocspcertstatus               [5] IMPLICIT CertStatus,
     oscpcertid                   [6] IMPLICIT CertId ,
     oscpresponse                 [7] IMPLICIT OCSPResponse,
     capabilities                 [8] SMIMECapabilities,
     extension                    Extension{{ExtensionSet}}
}

CertEtcToken is a CHOICE with tags 0 through 8, but CertStatus is a CHOICE with tags 0 through 2.  You cannot nest a CHOICE in another CHOICE if the IMPLICIT tags overlap.

The use of EXPLICIT tagging would have solved the problem, but the authors clearly preferred IMPLICIT tags.

Here, it's easy. The outermost IMPLICIT tag is transformed into an EXPLICIT one by the ASN.1 compiler (it will probably emit a warning, though).

Yes, I am aware of that possibility of fixing the specification, but it is unclear what an implementer would do with an ASN.1 module with compilation errors, or a warning that inserts an EXPLICIT.



PROBLEM 2

DigestInfo ::= SEQUENCE {
    digestAlgorithm   DigestAlgorithmIdentifier,
    digest            Digest
}

Data ::= CHOICE {
      message           OCTET STRING ,
      messageImprint    DigestInfo,
      certs             SEQUENCE SIZE (1..MAX) OF
                            TargetEtcChain
}

DigestInfo is a SEQUENCE, and certs is a SEQUENCE, so the two have the same tag.  A recipient cannot tell which one the sender intended.

For this one, there's clearly no solution. Tagging would have solved it (any kind of tagging mode), but it's missing.

Indeed, at least one of the SEQUENCEs needs a tag.

Russ
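The following small DER encoder is added here to make both problems in the thread concrete; it is not code from RFC 3029, from this discussion, or from any DVCS implementation. It assumes the OCSP CertStatus alternatives as defined in RFC 2560/6960 (good [0] IMPLICIT NULL, unknown [2] IMPLICIT UnknownInfo with UnknownInfo ::= NULL), a constructed minimal TargetEtcChain whose target is a pkistatus token carrying PKIStatus accepted(0), and, for the PROBLEM 2 fix, a hypothetical tagging of the Data CHOICE (messageImprint [0] IMPLICIT, certs [1] IMPLICIT) that does not appear in the RFC. The point it shows: with the module as written, a decoder that has read the identifier octet cannot tell OCSP "good" from "unknown" inside CertEtcToken, nor a DigestInfo from a certificate chain inside Data, which is exactly the kind of type confusion a relying party must never be left to guess at.

```python
"""Minimal DER tag/length/value helpers demonstrating the two RFC 3029
tagging ambiguities.  Added example, not from the RFC or the thread.
All sample values below are constructed for illustration."""

CONTEXT, CONSTRUCTED = 0x80, 0x20
SEQUENCE, NULL, OCTET_STRING, OID, INTEGER = 0x30, 0x05, 0x04, 0x06, 0x02


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Identifier octet + length + contents (low tag numbers only)."""
    return bytes([tag]) + der_len(len(value)) + value


def implicit(tagno: int, encoded: bytes) -> bytes:
    """[n] IMPLICIT: overwrite the identifier octet of an encoded value,
    keeping its constructed bit.  Whatever the inner tag said is lost."""
    constructed = encoded[0] & CONSTRUCTED
    return bytes([CONTEXT | constructed | tagno]) + encoded[1:]


def explicit(tagno: int, encoded: bytes) -> bytes:
    """[n] EXPLICIT: wrap the complete inner TLV, so the inner tag survives."""
    return tlv(CONTEXT | CONSTRUCTED | tagno, encoded)


# PROBLEM 1: ocspcertstatus [5] IMPLICIT CertStatus, where CertStatus is
# itself a CHOICE.  Assumed OCSP definitions: good [0] IMPLICIT NULL,
# unknown [2] IMPLICIT UnknownInfo, UnknownInfo ::= NULL.
CERT_STATUS_GOOD = implicit(0, tlv(NULL, b""))     # 80 00
CERT_STATUS_UNKNOWN = implicit(2, tlv(NULL, b""))  # 82 00


def certetctoken_ocspcertstatus(cert_status: bytes, explicit_tag: bool) -> bytes:
    """Encode the ocspcertstatus alternative either as the RFC writes it
    ([5] IMPLICIT) or with the EXPLICIT tag a compiler would substitute."""
    return explicit(5, cert_status) if explicit_tag else implicit(5, cert_status)


# PROBLEM 2: Data has two untagged SEQUENCE alternatives.
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1


def digest_info(digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    alg = tlv(SEQUENCE, tlv(OID, SHA256_OID))
    return tlv(SEQUENCE, alg + tlv(OCTET_STRING, digest))


def certs_one_pkistatus() -> bytes:
    """SEQUENCE OF TargetEtcChain with one chain whose target is
    pkistatus [2] IMPLICIT PKIStatusInfo { status accepted(0) }.
    Constructed minimal value; enough for the identifier-octet test."""
    pki_status_info = tlv(SEQUENCE, tlv(INTEGER, b"\x00"))
    target_etc_chain = tlv(SEQUENCE, implicit(2, pki_status_info))
    return tlv(SEQUENCE, target_etc_chain)


def data_alternatives(encoded: bytes) -> set:
    """Data alternatives a decoder can still consider after reading the
    identifier octet, with the module as published (no tags)."""
    tag = encoded[0]
    if tag == OCTET_STRING:
        return {"message"}
    if tag == SEQUENCE:
        return {"messageImprint", "certs"}  # indistinguishable
    return set()


def data_alternatives_tagged(encoded: bytes) -> set:
    """Same decision under a hypothetical fix (not in RFC 3029):
    messageImprint [0] IMPLICIT DigestInfo, certs [1] IMPLICIT SEQUENCE OF."""
    table = {OCTET_STRING: {"message"}, 0xA0: {"messageImprint"}, 0xA1: {"certs"}}
    return table.get(encoded[0], set())


if __name__ == "__main__":
    for name, status in (("good", CERT_STATUS_GOOD), ("unknown", CERT_STATUS_UNKNOWN)):
        print(f"{name:8} [5] IMPLICIT -> {certetctoken_ocspcertstatus(status, False).hex()}"
              f"   [5] EXPLICIT -> {certetctoken_ocspcertstatus(status, True).hex()}")
    imprint, certs = digest_info(b"\x00" * 32), certs_one_pkistatus()
    print("untagged:", data_alternatives(imprint), data_alternatives(certs))
    print("tagged:  ", data_alternatives_tagged(implicit(0, imprint)),
          data_alternatives_tagged(implicit(1, certs)))
```

Running the block prints identical bytes (85 00) for "good" and "unknown" under [5] IMPLICIT and distinct bytes under [5] EXPLICIT, and shows that the untagged Data alternatives both present 0x30 while the hypothetical tagged variants present 0xA0 and 0xA1.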