Re: [pkix] a question of cert (and OCSP) extension syntax

"Peter Yee" <peter@akayla.com> Tue, 31 March 2015 04:09 UTC

From: Peter Yee <peter@akayla.com>
To: pkix@ietf.org
Date: Mon, 30 Mar 2015 21:09:21 -0700
Message-ID: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/IuKxUr0bdzkc1ZyKDfiUt8dt4GA>

We've been doing ASN.1 for more than 20 years.  Is it really that hard to
encode things as ASN.1?  I understand that text encoding is readable and
even fashionable, but it's not like ASN.1 is the bugbear it's made out to
be.

		-Peter

> From: Russ Housley <housley@vigilsec.com>
> Date: March 30, 2015 11:21:37 AM EDT
> To: Rob Stradling <rob.stradling@comodo.com>
> Cc: IETF PKIX <pkix@ietf.org>
> Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
> 
> Rob:
> 
>> I think it's only "wrong" and "weird" if you take the view that "if it
>> could conceivably be constructed in ASN.1, then it MUST be constructed in
>> ASN.1".  I don't take that view.
>
> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that
> extensions are OCTET STRING wrapped ASN.1 structures.  From section 4.2 of
> RFC 2459:
> 
> 	Each extension includes an OID and an ASN.1 structure.
> 
> Russ
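The syntax Russ is quoting, worked through in code as an added example (this is not code from the thread or from any RFC, and it is not a library anyone in the thread recommends): a minimal DER encoder and decoder for the RFC 5280 Extension structure, used to build two extensions under the same OID, one whose extnValue wraps an inner DER SEQUENCE and one whose extnValue wraps bare text. Both decode as well-formed Extensions, because extnValue is an OCTET STRING either way; only an attempt to parse the OCTET STRING contents as ASN.1 tells them apart. The OID 1.3.6.1.4.1.99999.1, the helper names and the payload contents are all made up for the example.

```python
# Added example (not code from the PKIX thread or from any RFC): a minimal DER
# encoder/decoder for the RFC 5280 Extension structure,
#   Extension ::= SEQUENCE { extnID    OBJECT IDENTIFIER,
#                            critical  BOOLEAN DEFAULT FALSE,
#                            extnValue OCTET STRING }
# extnValue is always an OCTET STRING; whether its *contents* are DER is a
# separate question, and extn_value_is_der() shows how a relying party can tell.

EXAMPLE_OID = "1.3.6.1.4.1.99999.1"  # placeholder private-enterprise OID, not a registered extension

def der_len(n: int) -> bytes:
    if n < 0x80:  # short form; otherwise minimal long form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one subidentifier
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # remaining arcs are base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def encode_extension(oid: str, critical: bool, extn_value: bytes) -> bytes:
    body = encode_oid(oid)
    if critical:  # DER omits a component equal to its DEFAULT, so FALSE is never encoded
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, extn_value)
    return tlv(0x30, body)

def read_tlv(data: bytes, pos: int = 0):
    """Read one DER TLV at data[pos:]; return (tag, content, next_pos) or raise ValueError."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported here")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("indefinite or oversized length (not DER)")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        if data[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length (not DER)")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("length runs past end of data")
    return tag, data[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_extension(der: bytes) -> dict:
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("Extension must be exactly one SEQUENCE")
    tag, oid_content, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, content, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional critical flag, present only when TRUE
        critical = content == b"\xff"
        tag, content, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return {"oid": decode_oid(oid_content), "critical": critical, "extn_value": content}

def extn_value_is_der(value: bytes) -> bool:
    """True only if the OCTET STRING contents are exactly one well-formed DER TLV."""
    try:
        _, _, end = read_tlv(value)
        return end == len(value)
    except ValueError:
        return False

def build_examples():
    # Constructed payloads: inner SEQUENCE { UTF8String "example.test", INTEGER 42 } vs. bare text
    inner = tlv(0x30, tlv(0x0C, b"example.test") + tlv(0x02, b"\x2a"))
    return (encode_extension(EXAMPLE_OID, False, inner),
            encode_extension(EXAMPLE_OID, False, b"name=example.test;count=42"))

if __name__ == "__main__":
    for label, ext in zip(("ASN.1 payload", "text payload"), build_examples()):
        parsed = decode_extension(ext)
        print(f"{label}: OID {parsed['oid']}, extnValue is DER: {extn_value_is_der(parsed['extn_value'])}")
```

Running it shows both extensions decoding as valid Extension SEQUENCEs with the same extnID; the outer syntax does not constrain what the OCTET STRING carries, which is why the check in extn_value_is_der has to be applied to the unwrapped contents separately.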