Re: [pkix] a question of cert (and OCSP) extension syntax

Peter Yee <peter@akayla.com> Tue, 31 March 2015 20:21 UTC

Return-Path: <peter@akayla.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96AFA1A8701 for <pkix@ietfa.amsl.com>; Tue, 31 Mar 2015 13:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id enLsptSQ_E9z for <pkix@ietfa.amsl.com>; Tue, 31 Mar 2015 13:20:58 -0700 (PDT)
Received: from p3plsmtpa08-04.prod.phx3.secureserver.net (p3plsmtpa08-04.prod.phx3.secureserver.net [173.201.193.105]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 530271A86EA for <pkix@ietf.org>; Tue, 31 Mar 2015 13:20:58 -0700 (PDT)
Received: from [10.221.196.102] ([166.176.59.210]) by p3plsmtpa08-04.prod.phx3.secureserver.net with id ALLw1q00N4Y9HZS01LLxdl; Tue, 31 Mar 2015 13:20:57 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Peter Yee <peter@akayla.com>
X-Mailer: iPhone Mail (12D508)
In-Reply-To: <551A5F4B.1050703@cs.tcd.ie>
Date: Tue, 31 Mar 2015 13:20:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BE9A45B-89E0-4103-9C98-98FF7A78029B@akayla.com>
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com> <551A5F4B.1050703@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/P7SuqTu5gcDew21Ed36O_3zuoso>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 20:21:02 -0000

Steve,

I don't think it's an unreasonable argument to make. And I should have been clearer below. Having sat through a week of ASN.1-bashing/text-encoding-glorifying in Dallas, my point is simply that the alleged difficulty in handling ASN.1 is overblown and should not be used in making the argument against using an ASN.1 encoding of the extension value. Perhaps I'm overly sensitive to the implication that ASN.1 is too difficult. I buy Russ's argument regarding the encoding, but I will admit that there are many larger points to be decided in the IETF. :-).

                               -Peter


On Mar 31, 2015, at 1:48 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:


Hi Peter,

> On 31/03/15 05:09, Peter Yee wrote:
> We've been doing ASN.1 for more than 20 years.  Is it really that hard to
> encode things as ASN.1?  

But that's not the question. The question is whether or not it is
reasonable for the IETF to object if someone (or some wg) has chosen
to use another encoding style for an X.509 extnValue?

> I understand that text encoding is readable and
> even fashionable, but it's not like ASN.1 is the bugbear it's made out to
> be.

In the case in hand in trans, we're not dealing with text encoding
but with TLS style encoding, since trans has to use both forms, they
have chosen to use the TLS style for an X.509 extension value. In
other words, this is not an ASN.1 hate situation.

If one wanted to generalise from the trans case, I think you'd ask
the question this way: when defining an X.509 extension for protocol
foo, is it reasonable that the extnValue uses the encoding style
of protocol foo, (wrapped in an OCTET STRING)?

S.


> 
>       -Peter
> 
>> From: Russ Housley <housley@vigilsec.com>
>> Date: March 30, 2015 11:21:37 AM EDT
>> To: Rob Stradling <rob.stradling@comodo.com>
>> Cc: IETF PKIX <pkix@ietf.org>
>> Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
>> 
>> Rob:
>> 
>>> I think it's only "wrong" and "weird" if you take the view that "if it
> could conceivably be constructed in ASN.1, then it MUST be constructed in
> ASN.1".  I don't take that view.
>> 
>> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that
> extensions are OCTET STRING wrapped ASN.1 structures.  From section 4.2 of
> RFC 2459:
>> 
>>   Each extension includes an OID and an ASN.1 structure.
>> 
>> Russ
> 
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix