Re: [pkix] a question of cert (and OCSP) extension syntax
"Manger, James" <James.H.Manger@team.telstra.com> Tue, 17 March 2015 23:08 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13B6C1A1BA9; Tue, 17 Mar 2015 16:08:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.799
X-Spam-Level: *
X-Spam-Status: No, score=1.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994, WEIRD_PORT=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8Fpfs8A3cHu; Tue, 17 Mar 2015 16:08:12 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id ADCD71A1BCF; Tue, 17 Mar 2015 16:08:11 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.11,418,1422882000"; d="scan'208";a="76950754"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipocvi.tcif.telstra.com.au with ESMTP; 18 Mar 2015 09:38:26 +1100
X-IronPort-AV: E=McAfee;i="5600,1067,7743"; a="284037117"
Received: from wsmsg3703.srv.dir.telstra.com ([172.49.40.171]) by ipccvi.tcif.telstra.com.au with ESMTP; 18 Mar 2015 10:08:09 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Wed, 18 Mar 2015 10:08:09 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Stephen Kent <kent@bbn.com>, pkix <pkix@ietf.org>, "trans@ietf.org" <trans@ietf.org>
Date: Wed, 18 Mar 2015 10:08:08 +1100
Thread-Topic: [pkix] a question of cert (and OCSP) extension syntax
Thread-Index: AdBg6YKgnqK8ubTHQe+lGZN7OB2IYQAFTW6Q
Message-ID: <255B9BB34FB7D647A506DC292726F6E12855BD177A@WSMSG3153V.srv.dir.telstra.com>
References: <550881DE.8090304@bbn.com>
In-Reply-To: <550881DE.8090304@bbn.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/OkwZCe1nkX3pQEhGZUpzh_T_7Aw>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 23:08:15 -0000
I came across a real cert with a Certificate Transparency extension the other day and took a look inside. (I assume) the cert extension complies with RFC6962 "Certificate Transparency", and I believe this is also consistent with the current update draft-ietf-trans-rfc6962-bis-07. Below are extracts from the certificate in hex: preceded by line numbers; indenting to show structure; and some comments starting with #. Notable items: Line 145: start of cert extension holding 3 signed cert timestamps (SCTs). Line 147: extnValue OCTET STRING Line 148: Another OCTET STRING, embedded in extnValue. Hence, an "ASN.1 DER encoded structure" (this OCTET STRING) "is the value of the octet string extnValue". That is, the syntax is a valid extension. Lines 149-182: TLS-style encoding (eg most 2-byte/4-hexdigit items are lengths). Lines 158-160: A DER-encoding embedded in the TLS-style encoding. Each SCT has version (1 byte), log id (32 bytes), timestamp (8 bytes, milliseconds since 1970), alg ids (1 byte each), and a signature (DER-encoding of SEQ. {r, s}). The signature in the extension is calculated over (most of) the tbsCertificate, but the tbsCertificate does NOT appear in the extension. I suggest keeping this TLS-style-encoding-embedded-in-an-OCTET-STRING. It is a bit Frankenstein-esq, but I don’t think that is avoidable. Certificate Transparency mixes X.500 and TLS, they chose different encoding styles, the styles have to meet somewhere. The cert extension should definitely have the exact bytes for fields that will be signed, which means TLS-style 1-byte alg ids, 8-byte timestamp, and SCT extensions. Converting each individual field to ASN.1 would just make it more awkward to reconstruct the exact bytes to be signed. # Certificate Transparency extension # from the certificate for https://op.certification.openid.net:60054/ # 3 SignedCertificateTimestamps # from Google 'Pilot' (A4...10), DigiCert (56...DD), Google 'Aviator' (68...C4) 1 30 82072A # certificate 2 30 820612 # tbsCertificate (to be signed) 3 A0 03 4 02 01 02 # v3 5 02 10 0D1C890FBE7061A327B970DA2FC3B90A # cert serial number ... 74 31 24 75 30 22 76 06 03 550403 # cn 77 0C 1B 6F702E63657274696669636174696F6E2E6F70656E69642E6E6574 # op.certification.openid.net ... 86 A3 8202F5 87 30 8202F1 88 30 26 89 06 03 551D11 # id-ce-subjectAltName 90 04 1F 91 30 1D 92 82 1B 6F702E63657274696669636174696F6E2E6F70656E69642E6E6574 # op.certification.openid.net ... 145 30 82017C 146 06 0A 2B06010401D679020402 # 1.3.6.1.4.1.11129.2.4.2 147 04 82016C 148 04 820168 # PrecertificateSCTList 149 0166 150 0075 151 00 # version 152 A4B90990B418581487BB13A2CC67700A3C359804F91BDFB8E377CD0EC80DDC10 # id Google Pilot 153 0000014B99953C14 # timestamp 154 0000 # extensions 155 04 # hash sha256 156 03 # signature ecdsa 157 0046 158 30 44 159 02 20 11666B9E97E4E4AC6434E4B67C02617A31FB14DAEE4BB018D7B2B178133E1630 # r 160 02 20 6A13F32E7C704CDCB7B1D12241AA3E346F4DED5670CA01DA5B850BCFB04285B5 # s 161 0075 162 00 163 5614069A2FD7C2ECD3F5E1BD44B23EC74676B9BC99115CC0EF949855D689D0DD # id DigiCert 164 0000014B99953E24 165 0000 166 04 167 03 168 0046 169 30 44 170 02 20 3EC2C5C2408ED171F2D3B8B0FD3DFA8CA09C4BE3A7DD1ADA871444D39B0828A7 171 02 20 596955FE3F434579E9CD9144455AE7848094CDA89EED2A5F3DC254B38F2E4335 172 0076 173 00 174 68F698F81F6482BE3A8CEEB9281D4CFC71515D6793D444D10A67ACBB4F4FFBC4 # id Google Aviator 175 0000014B99953C08 176 0000 177 04 178 03 179 0047 180 30 45 181 02 21 008E8E239C48C46E0AD1F0B102071B2CA73E199C791654E93B406F9F3BB4EEC967 182 02 20 49427C3C633C5D0FC21088921AE2F01BF49D8B21012A0A8EEBD8B2967B72F2B4 183 184 30 0D 185 06 09 2A864886F70D01010B # sha256WithRSAEncryption 186 05 00 187 03 820101 009710D1B54C9F9241694CF1927223F0AE6901B7AD419685F1DBE39F2959ADCCAD7EB0C1FD10583E1502DE6A52D58078ECEA9F17DA018D203E7EA5A5805FEA2811031776F3EDC02C18A426AC80A76735C69DCC87E885D76E40E75D3FA70F060F967D551CDBC1AECEC8993169BDCA45764B0D2857CCFDF87E0DF0A1594E3EF35EC031D4967F844EFE07C402FEC501DDEA5787D1DD4D6F0EF0E9E1B241E200922A35C279C41F248E62015494FD2820823317C9B08B5EFC5C46943453AB81AB7BC78DAA35B757CAD323F97F8C1DC5A0B69C39FE77A4354685ECB68AE04C5F32B152D39C4DA22A3A16CE395FE0CFC03BF7247265BCD032AF1E5A80D86D38B2F9D749C6 # signature A few more comments inline below. -- James Manger ---------- From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Stephen Kent Sent: Wednesday, 18 March 2015 6:35 AM To: pkix Subject: [pkix] a question of cert (and OCSP) extension syntax Folks, Stephen Farrell suggested that I pose a question to this list based on an ongoing debate in another WG. A certificate and OCSP extension has been proposed in TRANS. The extension consists of a few data items, principally: version number (an integer) a log ID (an octet string) a time stamp a certificate or TBS certificate [JM] No, the cert/tbsCert is NOT in this cert ext a hash value (a bit or octet string) [JM] I think you mean a signature an optional set of TBD protocol-specific extensions The authors of the proposed extension elected to encode all of these data items as one big OCTET STRING, rather than using the existing, base ASN.1 data types. They elected to not use an ASN.1 structure here because one of the three ways to communicate this data to a client is via a TLS handshake. They believe that the TLS handshake will eventually become the predominant means of transporting this data. (I didn’t find the argument for this prediction compelling, but ...). Thus they chose to employ the syntax defined in RFC 5246. Russ Housley and I have argued that using OCTET STRING here is inconsistent with the intent of 5280 (and 2594 and 3280), which defines an extension as: Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue. Since the bulk of the data items have an obvious ASN.1 representation, [JM] Is the "obvious ASN.1" for the timestamp (ms since 1970) GeneralizedTime or INTEGER or OCTET STRING (SIZE(8))? [JM] I guess the "obvious ASN.1" for the alg ids is INTEGER {sha256(4), ...}, even though ASN.1 uses OID (or actually AlgorithmIdentifier). [JM] The ASN.1 for SCT extensions would presumably be SEQUENCE OF OCTET STRING, which still embeds a TLS-style encoding in an OCTET STRING. and the certificate or TBS certificate are native ASN.1 structures, we feel that the decision to stuff all of the data items into an OCTET STRING is inappropriate, and that it sets a bad precedent for others developing certificate (and OCSP) extensions in the future I’m soliciting feedback from this list on this topic, to pass on to Stephen, Kathleen, and the TRANS WG. Thanks, Steve
- [pkix] a question of cert (and OCSP) extension sy… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Manger, James
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Denis
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- [pkix] update on ITU-T Public-key infrastructure:… Tony Rutkowski
- Re: [pkix] update on ITU-T Public-key infrastruct… Erik Andersen
- Re: [pkix] update on ITU-T Public-key infrastruct… George Michaelson
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- [pkix] Cryptographic Message Syntax Tony Rutkowski
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] Cryptographic Message Syntax Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Yoav Nir
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Farrell
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Santosh Chokhani
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Eric Rescorla