[pkix] Why is the crlNumber an OCTET STRING?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 20 April 2021 21:20 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: IETF PKIX <pkix@ietf.org>
Thread-Topic: Why is the crlNumber an OCTET STRING?
Date: Tue, 20 Apr 2021 21:20:36 +0000
Message-ID: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/KVXLqmQ7GrQEEoHx2x-1In91z0Y>
Subject: [pkix] Why is the crlNumber an OCTET STRING?

This came up recently in an implementation: the crlNumber, defined as "a
monotonically increasing sequence number for a given CRL scope and CRL
issuer", is defined in RFC 3280 (but not the original 2459) as "CRL numbers
can be expected to contain long integers.  CRL verifiers MUST be able to
handle CRLNumber values up to 20 octets", i.e. a SHA-1 hash disguised as an
INTEGER.

So if it's a monotonically increasing sequence number, why is it also a SHA-1
hash?  How can a CA issue several billion CRLs/delta CRLs to overflow an
actual integer?

Peter.
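How the 20-octet figure quoted above plays out on the verifier side, as an added example that is not code from the post or from any RFC: it assumes the caller has already pulled the DER INTEGER out of the extension's extnValue, and it treats 20 octets as a hard ceiling only as a local policy choice, since the RFC wording is a floor on what a verifier must accept.

```python
# Added example, not from the post: strict handling of the CRLNumber extension,
# CRLNumber ::= INTEGER (0..MAX) (RFC 5280 5.2.3).  Assumptions: the caller passes
# the DER inside extnValue; 20 octets is what a verifier MUST handle, so using it
# as a hard ceiling (max_octets) is a policy choice made here, not RFC text.
from typing import Optional

MAX_CRL_NUMBER_OCTETS = 20

def encode_crl_number(n: int) -> bytes:
    """DER-encode a non-negative integer.  A value whose top bit is set gets a
    leading 0x00 so it is not read as negative: a 160-bit, hash-like number
    therefore occupies 21 content octets, not 20."""
    if n < 0:
        raise ValueError("crlNumber must be non-negative")
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # +8 bits leaves room for a sign octet
    if len(body) > 127:
        raise ValueError("long-form length not supported in this example")
    return b"\x02" + bytes([len(body)]) + body

def decode_crl_number(der: bytes, max_octets: int = MAX_CRL_NUMBER_OCTETS) -> int:
    """Parse a DER INTEGER strictly: reject non-minimal, negative and
    oversized encodings rather than silently accepting them."""
    if len(der) < 3 or der[0] != 0x02 or der[1] & 0x80:
        raise ValueError("expected a short-form DER INTEGER")  # <=127 content octets is always short form in DER
    length, body = der[1], der[2:]
    if len(body) != length:
        raise ValueError("length octet does not match content length")
    if body[0] & 0x80:
        raise ValueError("negative crlNumber")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal encoding: redundant leading 0x00")
    magnitude = body[1:] if body[0] == 0x00 and length > 1 else body  # drop the sign-padding octet
    if len(magnitude) > max_octets:
        raise ValueError(f"crlNumber magnitude wider than {max_octets} octets")
    return int.from_bytes(body, "big")

def is_well_formed(der: bytes) -> bool:
    """Convenience wrapper for callers that only need accept/reject."""
    try:
        decode_crl_number(der)
        return True
    except ValueError:
        return False

def accept_newer_crl(cached: Optional[int], candidate_der: bytes) -> bool:
    """A cache should replace its CRL only when the candidate's number is
    strictly greater; an equal or older number is refused so a stale copy
    cannot displace a fresher one."""
    return cached is None or decode_crl_number(candidate_der) > cached
```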