Re: [pkix] a question of cert (and OCSP) extension syntax
Santosh Chokhani <schokhani@cygnacom.com> Tue, 31 March 2015 16:10 UTC
Melinda,

I am in the camp that believes 6962 does not need to change in this regard. So, even if we got the information you are seeking below, I hope the first try will be to tell that software developer that they are doing this wrong. They should not try to decode an extension they do not understand.

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Melinda Shore
Sent: Tuesday, March 31, 2015 11:52 AM
To: pkix@ietf.org
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax

On 3/31/15 7:18 AM, Paul Hoffman wrote:
> On Mar 31, 2015, at 8:03 AM, Russ Housley <housley@vigilsec.com> wrote:
>> ASN.1 processing is needed to get the value of the OCTET STRING from
>> the extension, so I do not understand the point you are trying to
>> make.
>
> At the beginning of the thread, it seemed like the issue was
> *encoding* the values, not decoding them.

Right, but there seems to be some suggestion that there is certificate processing software out there that tries to decode the contents of an extension it doesn't recognize or understand. I'm hopeful that people raising this concern can be more specific and point out what software it is. *That* would be a pretty good example of the new information we've been asking for.

Melinda
_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix
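
An added illustration of the point under discussion (not code from any participant in the thread or from RFC 6962): a minimal DER reader that performs only the ASN.1 processing needed to recover extnID, critical and the extnValue OCTET STRING, and leaves the contents of an unrecognized extension undecoded. The OID 1.3.6.1.4.1.99999.1, the sample bytes and the function names are constructed for this example.

```python
KNOWN = {"2.5.29.19": "basicConstraints"}   # OIDs this toy verifier understands

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, n = [], 0
    for b in content:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extension(der):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }"""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    tag, val, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:                         # optional BOOLEAN present
        critical = val != b"\x00"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return oid_to_str(oid), critical, val   # val stays opaque bytes

def handle_extension(der):
    oid, critical, _value = parse_extension(der)
    if oid in KNOWN:
        return ("decode", KNOWN[oid])       # only now would extnValue be parsed
    return ("reject" if critical else "ignore", oid)  # RFC 5280 sec. 4.2 rule

# Constructed samples; the unknown extension's value is deliberately not valid DER.
UNKNOWN_NONCRIT = bytes.fromhex("301006092b06010401868d1f010403ffff00")
UNKNOWN_CRIT = bytes.fromhex("301306092b06010401868d1f010101ff0403ffff00")
BASIC = bytes.fromhex("300f0603551d130101ff040530030101ff")
```

The unknown non-critical extension is accepted even though its value is not parseable, because the value is never inspected; the same OID marked critical causes rejection without any attempt to interpret it.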