Re: [pkix] iPAddress name constraints encoding

Russ Housley <housley@vigilsec.com> Wed, 25 August 2021 21:47 UTC

From: Russ Housley <housley@vigilsec.com>
Message-Id: <ED74AA88-5BA7-415A-85B4-6D58EC44F657@vigilsec.com>
Date: Wed, 25 Aug 2021 17:47:49 -0400
In-Reply-To: <BYAPR14MB21833293B444340758E0394692C69@BYAPR14MB2183.namprd14.prod.outlook.com>
Cc: IETF PKIX <pkix@ietf.org>
To: Corey Bonnell <Corey.Bonnell@digicert.com>
References: <BYAPR14MB21833293B444340758E0394692C69@BYAPR14MB2183.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/OpPrKipY-biT_NKnq7kcZ0kD6U8>
Subject: Re: [pkix] iPAddress name constraints encoding

Corey:

It was chosen because there were existing specifications that were easy to reference.  It seemed undesirable to make up a new encoding to save space in the certificate.

Russ


> On Aug 25, 2021, at 5:06 PM, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org> wrote:
> 
> Hello,
> RFC 5280, section 4.2.1.10 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10) specifies the following encoding for iPAddress constraints:
>  
>    The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
>    the following additions specifically for name constraints.  For IPv4
>    addresses, the iPAddress field of GeneralName MUST contain eight (8)
>    octets, encoded in the style of RFC 4632 (CIDR) to represent an
>    address range [RFC4632].  For IPv6 addresses, the iPAddress field
>    MUST contain 32 octets similarly encoded.  For example, a name
>    constraint for "class C" subnet 192.0.2.0 is represented as the
>    octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
>    192.0.2.0/24 (mask 255.255.255.0).
>  
> I believe this text makes it clear that iPAddress constraints must use CIDR notation, but the encoding scheme specified here seems to be very inefficient. For example, the number of bits corresponding to the network prefix of an IPv6 constraint could alternatively be encoded in one octet as opposed to using 16 octets to express the netmask as defined above. Does anyone have any insight on why this (seemingly very inefficient) encoding scheme was chosen?
>  
> Thanks,
> Corey
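The address-plus-netmask encoding Corey quotes from RFC 5280 section 4.2.1.10, worked through in Python as an added example (not code from either message): it encodes a CIDR range into the 8- or 32-octet iPAddress form, parses such octets back while rejecting non-contiguous masks and host bits set in the address, and tests whether a raw subjectAltName iPAddress falls inside one constraint. Function names are the example's own.

```python
import ipaddress

def encode_ip_constraint(cidr: str) -> bytes:
    """CIDR string -> RFC 5280 name-constraint octets: address then netmask
    (4 + 4 octets for IPv4, 16 + 16 for IPv6)."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: no host bits set
    return net.network_address.packed + net.netmask.packed

def decode_ip_constraint(octets: bytes) -> ipaddress._BaseNetwork:
    """Constraint octets -> ip_network; raises ValueError on malformed input."""
    if len(octets) == 8:
        half = 4
    elif len(octets) == 32:
        half = 16
    else:
        raise ValueError(f"constraint must be 8 or 32 octets, got {len(octets)}")
    addr = ipaddress.ip_address(octets[:half])          # accepts packed bytes
    mask = int.from_bytes(octets[half:], "big")
    bits = half * 8
    full = (1 << bits) - 1
    # A CIDR mask is a run of 1-bits followed by 0-bits; rebuild it from the
    # popcount and compare, so 255.255.0.255 and similar are rejected.
    prefix = bin(mask).count("1")
    if mask != full ^ ((1 << (bits - prefix)) - 1):
        raise ValueError("netmask is not contiguous; not a CIDR range")
    if int(addr) & ~mask & full:
        raise ValueError("host bits set in constraint address")
    return ipaddress.ip_network(f"{addr}/{prefix}")

def is_valid_ip_constraint(octets: bytes) -> bool:
    """True if the octets decode as a well-formed CIDR constraint."""
    try:
        decode_ip_constraint(octets)
        return True
    except ValueError:
        return False

def ip_in_constraint(constraint: bytes, san_ip: bytes) -> bool:
    """Does a SAN iPAddress (4 or 16 raw octets) fall within this constraint?
    A constraint of the other address family never matches."""
    net = decode_ip_constraint(constraint)
    addr = ipaddress.ip_address(san_ip)
    return addr.version == net.version and addr in net

if __name__ == "__main__":
    # Constructed sample values: the RFC's own 192.0.2.0/24 and a /32 IPv6 range
    print(encode_ip_constraint("192.0.2.0/24").hex())   # c0000200ffffff00
    print(decode_ip_constraint(encode_ip_constraint("2001:db8::/32")))
```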