Re: [pkix] [Errata Held for Document Update] RFC7030 (4384)
Jim Schaad <ietf@augustcellars.com> Thu, 20 August 2020 00:52 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D17763A0FD0; Wed, 19 Aug 2020 17:52:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mrt_QwAcvyH9; Wed, 19 Aug 2020 17:52:53 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BE473A0E16; Wed, 19 Aug 2020 17:52:53 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 19 Aug 2020 17:52:46 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Dan Harkins' <dharkins@lounge.org>, 'RFC Errata System' <rfc-editor@rfc-editor.org>, pierce.leonberger@baesystems.com, pritikin@cisco.com, peter@akayla.com, dharkins@arubanetworks.com
CC: rdd@cert.org, pkix@ietf.org, iesg@ietf.org
References: <20200819195855.074DCF4078A@rfc-editor.org> <895a0e46-c26c-8f01-39a2-23097cc548f9@lounge.org>
In-Reply-To: <895a0e46-c26c-8f01-39a2-23097cc548f9@lounge.org>
Date: Wed, 19 Aug 2020 17:52:43 -0700
Message-ID: <003a01d6768c$3927ffb0$ab77ff10$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHE2+iAgDpBlQ8jsWu1mceME/5uBgJ83RFYqU93EBA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/IJIaNP_Gn6fQnpmfOK1f-DWMkZk>
Subject: Re: [pkix] [Errata Held for Document Update] RFC7030 (4384)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 00:52:56 -0000
-----Original Message----- From: pkix <pkix-bounces@ietf.org> On Behalf Of Dan Harkins Sent: Wednesday, August 19, 2020 2:00 PM To: RFC Errata System <rfc-editor@rfc-editor.org>; pierce.leonberger@baesystems.com; pritikin@cisco.com; peter@akayla.com; dharkins@arubanetworks.com Cc: rdd@cert.org; pkix@ietf.org; iesg@ietf.org Subject: Re: [pkix] [Errata Held for Document Update] RFC7030 (4384) Hi there, On 8/19/20 12:58 PM, RFC Errata System wrote: > The following errata report has been held for document update for > RFC7030, "Enrollment over Secure Transport". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid4384 > > -------------------------------------- > Status: Held for Document Update > Type: Technical > > Reported by: Pierce Leonberger <pierce.leonberger@baesystems.com> > Date Reported: 2015-06-02 > Held by: Roman Danyliw (IESG) > > Section: 4.5.2 > > Original Text > ------------- > CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID > > AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute } > > Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { > type ATTRIBUTE.&id({IOSet}), > values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } > > Corrected Text > -------------- > AttrOrOID ::= CHOICE { > oid OBJECT IDENTIFIER, > attribute Attribute{YouNeedToDefineOrReferenceAnObjectSet} > } > > Notes > ----- > 1. The AttrOrOID CHOICE was started with a '(' versus a '{'. > > 2. Attribute{} is a parameterized type and you are missing the parameter reference within the AttrOrOID CHOICE for "attribute". "YouNeedToDefined...." needs to be a list of OIDs I believe. Since this is a request to someone on how to generate a CSR, the OIDs should be the ones that would be useful when giving such instruction. For instance: [JLS] YouNeedToDefined needs to be an ObjectSet of Attributes. An attribute is going to have both an OID and a Type in it. - "Generate a CSR with a public key from p384, add your serialNumber as an extReq, include challengePassword, and sign the whole thing with ECDSA and SHA384" - "Generate a CSR with RSA and a key that is 4096 bits, include challengePassword and sign the whole thing with RSA and SHA512" So how about this: AttrOrOID ::= CHOICE { oid OBJECT IDENTIFER, attribute AttrSet } AttrSet ATTRIBUTE ::= { challengePassword, id-ecPublicKey, rsaEncryption, extReq, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512, SHA256, SHA384, SHA512, ... } [JLS] Items like challengePassword can be imported from RFC 2985. However id-ecPublicKey is an OID so the ATTRIBUTE would need to be defined att-ecPublicKey ::= ATTRIBUTE ::= { WITH SYNTAX ECParameters ID id-ecPublicKey } Making an ASN.1 module would shake out which are needed to be defined as attributes. I would use SHA256 in the oid choice myself. Having an value set there would be useful so that people know which values go in which choices. Jim Would this work? This is basically what I implemented in my EST reference design (plus some extra stuff like for extReq like macAddress, favoriteDrink, etc that might be considered part of "..."). regards, Dan. > 3. You need to define or reference the object set to be used in #2. > > Highly recommend you create an ASN.1 Module as part of this specification. This will make it clear which specifications (and the versions there of) you are importing types from (i.e. Attribute{}) and the tagging that should be used (module level). If you need to define a new object set for #3 then this new module would be the perfect home for it. > > -------------------------------------- > RFC7030 (draft-ietf-pkix-est-09) > -------------------------------------- > Title : Enrollment over Secure Transport > Publication Date : October 2013 > Author(s) : M. Pritikin, Ed., P. Yee, Ed., D. Harkins, Ed. > Category : PROPOSED STANDARD > Source : Public-Key Infrastructure (X.509) > Area : Security > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
- [pkix] [Errata Held for Document Update] RFC7030 … RFC Errata System
- Re: [pkix] [Errata Held for Document Update] RFC7… Dan Harkins
- Re: [pkix] [Errata Held for Document Update] RFC7… Jim Schaad
- Re: [pkix] [Errata Held for Document Update] RFC7… Russ Housley