Re: [pkix] a question of cert (and OCSP) extension syntax
Peter Yee <peter@akayla.com> Tue, 31 March 2015 20:21 UTC
Return-Path: <peter@akayla.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96AFA1A8701 for <pkix@ietfa.amsl.com>; Tue, 31 Mar 2015 13:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id enLsptSQ_E9z for <pkix@ietfa.amsl.com>; Tue, 31 Mar 2015 13:20:58 -0700 (PDT)
Received: from p3plsmtpa08-04.prod.phx3.secureserver.net (p3plsmtpa08-04.prod.phx3.secureserver.net [173.201.193.105]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 530271A86EA for <pkix@ietf.org>; Tue, 31 Mar 2015 13:20:58 -0700 (PDT)
Received: from [10.221.196.102] ([166.176.59.210]) by p3plsmtpa08-04.prod.phx3.secureserver.net with id ALLw1q00N4Y9HZS01LLxdl; Tue, 31 Mar 2015 13:20:57 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Peter Yee <peter@akayla.com>
X-Mailer: iPhone Mail (12D508)
In-Reply-To: <551A5F4B.1050703@cs.tcd.ie>
Date: Tue, 31 Mar 2015 13:20:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BE9A45B-89E0-4103-9C98-98FF7A78029B@akayla.com>
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com> <551A5F4B.1050703@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/P7SuqTu5gcDew21Ed36O_3zuoso>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 20:21:02 -0000
Steve, I don't think it's an unreasonable argument to make. And I should have been clearer below. Having sat through a week of ASN.1-bashing/text-encoding-glorifying in Dallas, my point is simply that the alleged difficulty in handling ASN.1 is overblown and should not be used in making the argument against using an ASN.1 encoding of the extension value. Perhaps I'm overly sensitive to the implication that ASN.1 is too difficult. I buy Russ's argument regarding the encoding, but I will admit that there are many larger points to be decided in the IETF. :-). -Peter On Mar 31, 2015, at 1:48 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: Hi Peter, > On 31/03/15 05:09, Peter Yee wrote: > We've been doing ASN.1 for more than 20 years. Is it really that hard to > encode things as ASN.1? But that's not the question. The question is whether or not it is reasonable for the IETF to object if someone (or some wg) has chosen to use another encoding style for an X.509 extnValue? > I understand that text encoding is readable and > even fashionable, but it's not like ASN.1 is the bugbear it's made out to > be. In the case in hand in trans, we're not dealing with text encoding but with TLS style encoding, since trans has to use both forms, they have chosen to use the TLS style for an X.509 extension value. In other words, this is not an ASN.1 hate situation. If one wanted to generalise from the trans case, I think you'd ask the question this way: when defining an X.509 extension for protocol foo, is it reasonable that the extnValue uses the encoding style of protocol foo, (wrapped in an OCTET STRING)? S. > > -Peter > >> From: Russ Housley <housley@vigilsec.com> >> Date: March 30, 2015 11:21:37 AM EDT >> To: Rob Stradling <rob.stradling@comodo.com> >> Cc: IETF PKIX <pkix@ietf.org> >> Subject: Re: [pkix] a question of cert (and OCSP) extension syntax >> >> Rob: >> >>> I think it's only "wrong" and "weird" if you take the view that "if it > could conceivably be constructed in ASN.1, then it MUST be constructed in > ASN.1". I don't take that view. >> >> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that > extensions are OCTET STRING wrapped ASN.1 structures. From section 4.2 of > RFC 2459: >> >> Each extension includes an OID and an ASN.1 structure. >> >> Russ > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix
- [pkix] a question of cert (and OCSP) extension sy… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Manger, James
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Denis
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- [pkix] update on ITU-T Public-key infrastructure:… Tony Rutkowski
- Re: [pkix] update on ITU-T Public-key infrastruct… Erik Andersen
- Re: [pkix] update on ITU-T Public-key infrastruct… George Michaelson
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- [pkix] Cryptographic Message Syntax Tony Rutkowski
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] Cryptographic Message Syntax Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Yoav Nir
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Farrell
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Santosh Chokhani
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Eric Rescorla