Re: [pkix] Why is the crlNumber an OCTET STRING?

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 21 April 2021 02:42 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Russ Housley <housley@vigilsec.com>
CC: IETF PKIX <pkix@ietf.org>
Date: Wed, 21 Apr 2021 02:42:14 +0000
Message-ID: <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz>, <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>, <1618957726686.74538@cs.auckland.ac.nz>
In-Reply-To: <1618957726686.74538@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/PjsXJnNifZki2b20Nt-CLLxtmoY>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>

Presumably CRLNumber has the “20 octet” language merely for consistency with CertificateSerialNumber. They sound so similar: numbering CRLs vs numbering certs.
Peter is right that it doesn’t actually make much sense as you can’t use hashes for CRL numbers given they need to be ordered.
Limiting CRL numbers to, say, [0, 2^63] could have been friendlier to devs. But it’s too late for that.

It is almost conceivable that a CA could hash the details of a CRL’s scope, then replace the least-significant, say, 64 bits with nano-seconds-since-1970 ; - )

--
James Manger


From: pkix <pkix-bounces@ietf.org> on behalf of Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wednesday, 21 April 2021 at 8:29 am
To: Russ Housley <housley@vigilsec.com>
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?

Russ Housley <housley@vigilsec.com> writes:

>the text explains there are various ways that a CRL issuer can assign numbers
>for different scopes that can lead to larger values.

It doesn't really explain it, all it says is:

   If a CRL issuer generates two CRLs (two complete CRLs, two delta
   CRLs, or a complete CRL and a delta CRL) for the same scope at
   different times, the two CRLs MUST NOT have the same CRL number.

So CRL #1 has crlNumber 17, CRL #2 has crlNumber 18.  That's monotonically
increasing, and fits into a standard integer.

Paul Hoffman <paul.hoffman@vpnc.org> writes:

>you chose to use RFC 3280 instead of RFC 5280. :-(

I used 3280 because that's where the requirement for 20-byte "integers" was
introduced, so I was wondering what caused it.  My guess, for lack of any
obvious reason, was that it was someone's hack/implementation bug that was
written into the spec, because I can't see any other reason for the
OCTET_STRING-as-INTEGER use.  You certainly can't monotonically increase a
counter to the point where it'd be necessary.

Peter.
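Added example (not code from either message, the IETF, or any CA): the two messages above turn on how a CRLNumber is actually carried and what "20 octets" means on the wire. In RFC 5280 the extension's extnValue is an OCTET STRING, as for every X.509 extension, but the bytes inside it are a DER INTEGER (CRLNumber ::= INTEGER (0..MAX)); the 20-octet rule in section 5.2.3 applies to that INTEGER's content octets. The block below encodes and decodes the cRLNumber extension (OID 2.5.29.20) with a minimal hand-rolled DER layer, enforces the 20-octet limit on both the issuer and verifier side, checks Peter's counter case (17 then 18 fits in one content octet each), applies the same-scope "later CRL has a larger number" rule, and, as an assumption for illustration only, sketches James's hash-of-scope-plus-nanoseconds idea to show that even that lands inside 20 octets. The scoped_crl_number layout (95 hash bits above 64 timestamp bits), the sample scope string and the timestamp are constructed here and are not anything the thread specifies.

```python
# Added example: DER handling of the RFC 5280 cRLNumber extension (2.5.29.20).
# Hand-rolled DER so it runs with the standard library only.
import hashlib

CRL_NUMBER_OID = bytes.fromhex("551d14")   # content octets of OID 2.5.29.20 (id-ce-cRLNumber)
MAX_CRL_NUMBER_OCTETS = 20                  # RFC 5280 section 5.2.3 limit on the INTEGER content


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _read_tlv(data: bytes, pos: int = 0):
    """Parse one DER TLV at data[pos:]; returns (tag, content, next_pos)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or data[pos + 2] == 0:          # indefinite or non-minimal length: not DER
            raise ValueError("non-DER length encoding")
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def encode_crl_number_integer(value: int) -> bytes:
    """CRLNumber ::= INTEGER (0..MAX) as minimal two's-complement DER (tag 0x02)."""
    if value < 0:
        raise ValueError("CRLNumber must be non-negative")
    content = value.to_bytes(value.bit_length() // 8 + 1, "big")  # extra 0x00 only when top bit set
    if len(content) > MAX_CRL_NUMBER_OCTETS:
        raise ValueError("conforming issuers MUST NOT emit a CRLNumber longer than 20 octets")
    return _der_tlv(0x02, content)


def decode_crl_number_integer(der: bytes) -> int:
    tag, content, end = _read_tlv(der)
    if tag != 0x02 or end != len(der) or not content:
        raise ValueError("expected exactly one DER INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative CRLNumber")
    if len(content) > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding (BER, not DER)")
    if len(content) > MAX_CRL_NUMBER_OCTETS:   # verifiers only have to handle up to 20 octets
        raise ValueError("CRLNumber longer than 20 octets: non-conforming issuer")
    return int.from_bytes(content, "big")


def encode_crl_number_extension(value: int) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    The OCTET STRING is the opaque wrapper every extension uses; inside it the CRLNumber is an INTEGER.
    cRLNumber MUST be non-critical, and DER omits a DEFAULT value, so no BOOLEAN is emitted."""
    inner = encode_crl_number_integer(value)
    return _der_tlv(0x30, _der_tlv(0x06, CRL_NUMBER_OID) + _der_tlv(0x04, inner))


def decode_crl_number_extension(der: bytes) -> int:
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected Extension SEQUENCE")
    oid_tag, oid, pos = _read_tlv(body)
    if oid_tag != 0x06 or oid != CRL_NUMBER_OID:
        raise ValueError("not the cRLNumber extension")
    next_tag, value, pos = _read_tlv(body, pos)
    if next_tag == 0x01:   # a BOOLEAN here is either critical TRUE (forbidden) or a non-DER explicit FALSE
        raise ValueError("cRLNumber MUST be non-critical")
    if next_tag != 0x04 or pos != len(body):
        raise ValueError("malformed Extension")
    return decode_crl_number_integer(value)


def crl_supersedes(previous: int, current: int) -> bool:
    """RFC 5280 5.2.3, same scope: a later CRL carries a strictly larger CRLNumber."""
    return current > previous


def scoped_crl_number(scope_description: bytes, ns_since_epoch: int) -> int:
    """ASSUMPTION, for illustration only: James's hash-the-scope idea. 95 bits of SHA-256 over the
    scope sit above a 64-bit nanosecond timestamp, so bit_length <= 159 and the DER content is
    at most 20 octets. Nothing in the thread or RFC 5280 defines this layout."""
    prefix = int.from_bytes(hashlib.sha256(scope_description).digest()[:12], "big") >> 1
    return (prefix << 64) | (ns_since_epoch & ((1 << 64) - 1))


if __name__ == "__main__":
    for n in (17, 18):   # Peter's counter case: one content octet each
        print(n, encode_crl_number_extension(n).hex())
    big = scoped_crl_number(b"constructed scope: CN=Example CA, complete CRL", 1_618_972_936_000_000_000)
    ext = encode_crl_number_extension(big)
    print(decode_crl_number_extension(ext) == big, len(encode_crl_number_integer(big)) - 2, "content octets")
```

Usage note: the 20-octet limit means the largest minimal-DER CRLNumber is 2^159 - 1 (the 0x00 sign pad costs an octet once the top bit is set), which the tests below exercise; a verifier that parses the INTEGER into a fixed 64-bit counter will reject a conforming value, which is the practical reason the "20 octets" text matters.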
