Re: [pkix] a question of cert (and OCSP) extension syntax

Santosh Chokhani <schokhani@cygnacom.com> Tue, 31 March 2015 16:10 UTC

From: Santosh Chokhani <schokhani@cygnacom.com>
To: Melinda Shore <melinda.shore@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] a question of cert (and OCSP) extension syntax
Thread-Index: AdBrZsHaGJOCFgmhlEednHuY3LPBowAfaXWAAAA9ZIAAAIfAAAABJ8qAAAg+JeA=
Date: Tue, 31 Mar 2015 16:10:23 +0000
Message-ID: <5bd22886e1284448a52594bd6bb74286@svaexch1.cygnacom.com>
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com> <B679DABC-5B8B-40C4-A7C3-527227D4A876@vpnc.org> <9CF25F90-396C-4341-B04D-E850BDBA7339@vigilsec.com> <5C63864B-CE7F-4118-BDC5-2E0419704CB5@vpnc.org> <551AC28D.3010202@gmail.com>
In-Reply-To: <551AC28D.3010202@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/PILaVlrjirlrOJ89Hd8qSTXh6Vs>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax

Melinda,

I am in the camp that believes 6962 does not need to change in this regard.

So, even if we got the information you are seeking below, I hope the first try will be to tell that software developer that they are doing this wrong.  They should not try to decode an extension they do not understand.

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Melinda Shore
Sent: Tuesday, March 31, 2015 11:52 AM
To: pkix@ietf.org
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax

On 3/31/15 7:18 AM, Paul Hoffman wrote:
> On Mar 31, 2015, at 8:03 AM, Russ Housley <housley@vigilsec.com>
> wrote:
>> ASN.1 processing is needed to get the value of the OCTET STRING from 
>> the extension, so I do not understand the point you are trying to 
>> make.
> 
> At the beginning of the thread, it seemed like the issue was
> *encoding* the values, not decoding them. 

Right, but there seems to be some suggestion that there is certificate processing software out there that tries to decode the contents of an extension it doesn't recognize or understand.  I'm hopeful that people raising this concern can be more specific and point out what software it is.  *That* would be a pretty good example of the new information we've been asking for.

Melinda

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix
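Added example, not part of this thread or of any poster's code: a small Python validator that applies the processing rule Santosh describes. It walks an X.509 Extensions SEQUENCE, decodes the extnValue only for extnIDs it knows (here just basicConstraints), leaves the OCTET STRING contents of every other extension untouched, and rejects an unrecognised critical extension as RFC 5280 requires. The sample extension list, the private-arc OID used for the rejection case and the placeholder bytes inside the SCT-list stand-in are all constructed for this example.

```python
# Added example (not from the pkix thread): a conforming validator never looks
# inside extnValue unless it recognises extnID; unknown non-critical extensions
# are skipped, unknown critical ones are rejected (RFC 5280 section 4.2).

def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it).
    Only definite lengths with up to four length bytes are supported."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[start:end], end

def _tlv(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    """Encode a dotted OID (first arc 0, 1 or 2; second arc < 40 for 0/1)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, sub = [], 0
    for b in value:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def make_extension(oid, inner_der, critical=False):
    """Build Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }."""
    parts = _encode_oid(oid)
    if critical:                          # DER omits a BOOLEAN equal to its default
        parts += _tlv(0x01, b"\xff")
    return _tlv(0x30, parts + _tlv(0x04, inner_der))

def parse_extension(buf, pos=0):
    """Parse one Extension; extnValue contents are returned as opaque bytes."""
    tag, body, end = _read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("Extension is not a SEQUENCE")
    tag, oid_bytes, p = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID is not an OBJECT IDENTIFIER")
    tag, val, p = _read_tlv(body, p)
    critical = False
    if tag == 0x01:
        critical = val == b"\xff"
        tag, val, p = _read_tlv(body, p)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    return _decode_oid(oid_bytes), critical, val, end

def _decode_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("basicConstraints is not a SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:
        _, v, pos = _read_tlv(body, pos)
        ca = v == b"\xff"
    if pos < len(body) and body[pos] == 0x02:
        _, v, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(v, "big")
    return {"cA": ca, "pathLenConstraint": path_len}

KNOWN_DECODERS = {"2.5.29.19": _decode_basic_constraints}   # the only extnID this toy understands

def process_extensions(exts_der):
    """Return (decoded known extensions, OIDs skipped untouched); raise on unknown critical."""
    tag, body, _ = _read_tlv(exts_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    decoded, skipped, pos = {}, [], 0
    while pos < len(body):
        oid, critical, value, pos = parse_extension(body, pos)
        decoder = KNOWN_DECODERS.get(oid)
        if decoder is not None:
            decoded[oid] = decoder(value)
        elif critical:
            raise ValueError(f"unrecognized critical extension {oid}")
        else:
            skipped.append(oid)          # contents never inspected
    return decoded, skipped

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"   # RFC 6962 SCT list extension identifier
SAMPLE_EXTENSIONS = _tlv(0x30,              # constructed sample: cA=TRUE, pathLen 0, plus an SCT-list stand-in
    make_extension("2.5.29.19", _tlv(0x30, _tlv(0x01, b"\xff") + _tlv(0x02, b"\x00")), critical=True)
    + make_extension(SCT_LIST_OID, b"\x00\x05\x00\x03\x01\x02\x03"))   # placeholder bytes, not a real SCT list

def rejects_unknown_critical():
    """True if an unknown critical extension (constructed private-arc OID) is refused."""
    exts = _tlv(0x30, make_extension("1.3.6.1.4.1.99999.1", b"\x05\x00", critical=True))
    try:
        process_extensions(exts)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(process_extensions(SAMPLE_EXTENSIONS))
    print("rejects unknown critical:", rejects_unknown_critical())
```

The SCT-list extension is deliberately absent from `KNOWN_DECODERS`: the validator reports it as skipped and the placeholder bytes inside its OCTET STRING are never parsed, which is the behaviour the thread argues RFC 6962 can rely on from correct X.509 software.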