Re: [pkix] Why is the crlNumber an OCTET STRING?

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 21 April 2021 02:56 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED2D43A1065 for <pkix@ietfa.amsl.com>; Tue, 20 Apr 2021 19:56:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.telstra.com header.b=ObeisNkG; dkim=pass (1024-bit key) header.d=team.telstra.com header.b=a5fuZd+w
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIlgwv4LzLOO for <pkix@ietfa.amsl.com>; Tue, 20 Apr 2021 19:55:58 -0700 (PDT)
Received: from ipxdvo.tcif.telstra.com.au (ipxdvo.tcif.telstra.com.au [203.35.135.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 604193A105A for <pkix@ietf.org>; Tue, 20 Apr 2021 19:55:56 -0700 (PDT)
IronPort-HdrOrdr: A9a23:b35S+q1K2tUBtxGR5xnfuQqjBcVyeYIsi2QD101hICF9WMqeisyogbAnzhfykjkcQzUNntqHNamGTxrnhP1IyKMWOqqvWxSjhXuwIOhZjbfK7jX8F0TFnNJ1+rxnd8FFZeHYKXhfoYLE7BKjE9AmqePnzImNif3Fx3lgCSFGApsO0y5DBgyWElJ7SWB9bPJTKLOm6sBKpyWtdDAsV+vTPAhgY8H5q8DWj5WjWBYaBnccmWyzpAm14733GQXw5Hkjeg5IqI1PzUH11ybX5qC/v+r+7xnbzgbonu1rseqk4MBEHta0kcQQKi/hkCelbIlsQKesvDUprPqi5X07qtXKrj0nOMN+4W7WZQiO0HzQ8jil9i0h43jj2leEgX3lgMDwST4gEfNbiZhUaQTU5iMbzbdB+ZMO5nmYsYFWEAOoplWe2+T1
X-IronPort-AV: E=Sophos;i="5.82,238,1613394000"; d="scan'208,217";a="289337846"
X-Amp-Result: SKIPPED(no attachment in message)
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipodvi.tcif.telstra.com.au with ESMTP; 21 Apr 2021 12:55:54 +1000
Received: from wsapp6785.srv.dir.telstra.com ([10.75.3.134]) by ipcavi.tcif.telstra.com.au with ESMTP; 21 Apr 2021 12:55:54 +1000
Content-Language: en-AU
Content-Type: multipart/alternative; boundary="_000_SYBPR01MB56162CDF91BD659947C9444BE5479SYBPR01MB5616ausp_"
DKIM-Signature: v=1; a=rsa-sha256; d=team.telstra.com; s=s1; c=relaxed/relaxed; t=1618973754; h=from:subject:to:date:message-id; bh=RzV9fp3aK48hUn1fj97X9rPBp8ZhUCjuJeduivjS1B0=; b=ObeisNkGmGd2/8/j95jmHt7fUMyGJAOE0VMOEImd4HEMpboJSKbik7b02BMcY2T87EZ7UZSdH7V SaQ5JKdcY1Tf6dRxfj1fIizPunSbsDxqnC73mL8eEDz2RW44Fiq/Fh+ibGZEfTYjQQ0RlZJixjABY zg4Gim5+55/JMvfAYJCpA+No99fLdj/ZIEKZr6KUMi+AjXVZavtW5WUjD5crGIec0CyAQtt3gcnVe QDf5Uoi/SDjlOG9TfSa0dLZbuC6uMjSyLvi8gIBCrJZixrxtVs9W6OcGoh52lZXYsml4/TvY2Mdgs KBK1djBVO+8rtdfOROuVmWsU99/rlJl+kmZA==
Received: from wsapp5870.srv.dir.telstra.com (10.75.139.12) by wsapp6785.srv.dir.telstra.com (10.75.3.134) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 21 Apr 2021 12:55:53 +1000
Received: from wsapp5585.srv.dir.telstra.com (10.75.3.67) by wsapp5870.srv.dir.telstra.com (10.75.139.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 21 Apr 2021 12:55:53 +1000
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (10.172.101.126) by autodiscover.team.telstra.com (10.75.3.67) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 21 Apr 2021 12:55:53 +1000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BL1aAE9L+3JZs5UdRwnrjo2Bt2Gyx8Pxjf2b0qt2iPnJ5zkFLhHc43DLd5k6cNXeL8vLFfUmrMHxAVzw5ZJ9fLpzXk781qnHa5SDsRFLHoZ/evricE1xM10vRe/fVbAUrxso8+mf0RQjrtdcbZrji39pF8Q/rkkz+ARECkAsRHAVdaFKamNBoBdRKzzWjnLymTkEcc0t6oSQhTK651GpoYDw9pUBK6Sn6dOruXIyPsC3bntPkviBJ1bgmEGbujlsfHJThIxL4M2vDSIBIRAeaoVvzDlnyieeYYxqq9kYYXb5Mc/4tgCttKmlrd6ILE40sBb0J7+UxorrzJBD25nLPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RzV9fp3aK48hUn1fj97X9rPBp8ZhUCjuJeduivjS1B0=; b=dy3ZJQ72WiJkBB/ZgPyLk5og+9zJDkv6TOQflsONEylcCB64HF3zmzoXFCD5p0TltWPryGcrBMwaWcV3Vd5MfFlEIrTC4JXfM9VoFIFp2muq7lz8lEN/MfiEAHHzC052FeySz+/w7m74ZW4fK3QFBaT0SuEKqPZzsej9fF3kDaqfzOnWJ/a2STtE/umhwgraLgT85fMWUHmQfu2roIshX0m26T7U0JSD9Hob1TjU39HrRzyjixLiltmfbVLJK/cF8OWTAb5obUtQAB2a0n+0XK7clSs95/RoXzZihYlQwpecLQL4Ml5q3j1xMdTFQDZHPGdcP/Dd039E/F2vt7sb7g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.telstra.com; dmarc=pass action=none header.from=team.telstra.com; dkim=pass header.d=team.telstra.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.telstra.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RzV9fp3aK48hUn1fj97X9rPBp8ZhUCjuJeduivjS1B0=; b=a5fuZd+wJiZFoOh1CAQfLisVGwEKt8bymvXyVI997jEX2EmhW7alemRtCysNtAr/GNcNwHCEV4RzYp03rJ8p/j5DJCGRnMCgn6/Se78VIUBI2RZwwzcG/EWPPoGNCs0Ys3DBqrY7QQX2x27QDkStGPq5lDbZpbonnoyDx5Ujl+8=
Received: from SYBPR01MB5616.ausprd01.prod.outlook.com (2603:10c6:10:9f::8) by SYXPR01MB1568.ausprd01.prod.outlook.com (2603:10c6:0:38::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.18; Wed, 21 Apr 2021 02:55:52 +0000
Received: from SYBPR01MB5616.ausprd01.prod.outlook.com ([fe80::bdd6:3307:af2f:b79f]) by SYBPR01MB5616.ausprd01.prod.outlook.com ([fe80::bdd6:3307:af2f:b79f%7]) with mapi id 15.20.4065.020; Wed, 21 Apr 2021 02:55:52 +0000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Russ Housley <housley@vigilsec.com>
CC: IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Why is the crlNumber an OCTET STRING?
Thread-Index: AQHXNisBKMOxCIvjxkGR+Ro1p9pc2aq9744AgAAEoQCAAAHDAIAABsaAgAA+zAOAAApQgIAAAJhC
Date: Wed, 21 Apr 2021 02:55:52 +0000
Message-ID: <SYBPR01MB56162CDF91BD659947C9444BE5479@SYBPR01MB5616.ausprd01.prod.outlook.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz>, <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>, <1618957726686.74538@cs.auckland.ac.nz>, <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com>, <1618973426649.81377@cs.auckland.ac.nz>
In-Reply-To: <1618973426649.81377@cs.auckland.ac.nz>
Accept-Language: en-AU, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cs.auckland.ac.nz; dkim=none (message not signed) header.d=none;cs.auckland.ac.nz; dmarc=none action=none header.from=team.telstra.com;
x-originating-ip: [203.35.185.253]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c52487b2-7f60-4f25-97c2-08d90470fa00
x-ms-traffictypediagnostic: SYXPR01MB1568:
x-microsoft-antispam-prvs: <SYXPR01MB1568A16225F546F89EC25479E5479@SYXPR01MB1568.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /MpYZ/dgmxgn6psbOvACR8tHXUM9pa1zUYvN3qxFfhjTRjT55+vHCYK6oB/ZlNQzeZlH0Wdw6Amq2CP/XqpuqSvdOUgv14bVQLx7f+gHbP7n0ZjCBLIGrDEHbaYx++ogs9WL2Tg3YDwLe6ToCIV1kVu4zxZsTSP4MBI5FKd3mwZJ3OkLQEIkG8VnuvaJmIrGgec3/CddJEe0AL1VrW1aWBh77PPuoIPA45pZW3n0RvplMKIbtk3zPNaHiWd94BoFDiJLo1EUw2Co3X575uvPXBWYHcnb0C8JGrxe1W3uWDPfLBr/iEtccjOZbUibjjpsK6c8JmXJaVgfu1t3C7IqR65hrRi/zVQGDrsKPy13G70y4mqC8a7/EUF7FsZIrVBCzvIw1zycFdwIJ5KNtojikytNa0+kklBjtEcuogpOeukuhM2oNemQ6GoaokLxjfqyo9d/DlDlXZhvqDwIAF0Mfo3Dg1yQGEfOmvMWnqEhc516CRgOFt7CRrvD6eTBwkiNYpn+0Vq+qVlRM0dfwv7Wo7KGgwaKPjte2rP49JDWIFCmR8MM135kG06SSXlNNw01mUcD/QLiRvSSieQdGJ3WikBd+kIm0oSM+3s0jgGzDgI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SYBPR01MB5616.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(136003)(376002)(396003)(346002)(26005)(186003)(7696005)(33656002)(4326008)(122000001)(53546011)(76116006)(66946007)(91956017)(6506007)(66446008)(66476007)(2906002)(110136005)(8936002)(38100700002)(478600001)(86362001)(9686003)(55016002)(5660300002)(52536014)(66574015)(83380400001)(71200400001)(8676002)(66556008)(64756008)(316002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: oUpT0KX1uF0Lr6W7VIBi1jIDkHEN1qzMQNArwLFvdjxuPxfteR0f79fOtcESyrjBmHBjStl+o/pfNKzGbVp9XVMXzgbKOW/5tEu8ffRzYA4iyvRj4INHuFy7/Zcfsspkk1ovff3S7B2jDuAyrk3VkHVs3Ptu3x/14vhPc+xStzbXnQZToUozrYj/qjh5/outeRhWfFFR0GJy6X3HV4Hpx0AANKXzlnqj90mbz5swaFw41xmJTttbewcj6AsNLt8xbHohlO4Hj+wJgscZFOVChyOqJgCPkfGzwJiBRKVMga43SBDpcuyHyyvBqlM9uFPzrqQ910YYZw/yagfKgxpAgc6pwVPleHqg9H1XHfU8zUsOWNHG6wq46h7JyFa/1ua6ebIkI9Gs9Bn0+xOB6aLeefmlTk8mmhfcYYs2P+2do0uMlp93Ox8+CDqcWS4hOwclUWFa35sJHQ0wf0f2PaeR3F7+wdRmk7UqgsJ95ajbJYjvEVAjT6I8kmub4Z/KmkX6VoTYeIap8Qc0CnU63odM4cCdOAhk9t00ynuDtxsLaoPtKsLVr4eAkwYLYy5i0PVhmupw8/38JNbY0P2HWXLQr2qaYLXX3+zWCAhQHF+ONzlg8Hfz195GipEhG6TlHZxuAwAo1sPvG3mJAQWv85mVyczcJ7uDdo/LFDXgZ8CYM16B/89i7bES0Iyf1efgVaPf+nnc4S2g8NN6dsLU/5dnGn7HknPPf7fEcuNdEpiokYnLjf/y6KnGVjFpDqNt9G/9PVsBqUCjytp+w439grYAFAZZ5uVCogrbzWJgPSjbmU1POPTp19WYZuSi4W3hAgPPWAmJege4MIZzhSQpqb33BoeOb83SMFuly/mHWhHfAZQFd8JHMOSPoa2Qgwx4JsdlA3AC5gHkXDK83J+VMBMlRWyo9Y6OGwU03b4lcqDpkTTRNNyRHWZxUXy0vsqzw+Gdg/Iwb32D8Sd1eOJRo8F6ifI/nI0r69jHrhMt1bn9znQ3Ibp/Sdky45FsD9wBMuL+pI4xHMg/1K4pQbIZnrwZoiG4uUJLHYk7JfC7F5/acZFfoDKeAcmhIAaHJpRX3T5YQtC2iiFaZorhTNlGZ2ufKmV79R8hiiAQnL0ZJPTntbj0m+LzmeqJrehDOKhzioRJs+dm32hQtnhuHmWOlVEHK7KvUXBf7tavSjC6oKWhnoewotFCuur1o0D/3NIDsNkHL6amNWouy58MzL9E7hf7PDIvsHc9caoet7Nzfi87Y9YPyrjjYafTgT/iJirLu4eQNrA9bmtzZ0Vk08LILnMWVHYPcDz/a+w+S67Blr8Sg7bTmJm0Yed2kDgiiFMc2bJouxA2C7milCoKljjtvfIajw==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SYBPR01MB5616.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c52487b2-7f60-4f25-97c2-08d90470fa00
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Apr 2021 02:55:52.6169 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: NwNGPG3mtlYr585PGm7sk0t1gHi7+xSOUvu4KUxd+67Bd6+R9Ldb8/ozEW5ZfxwMjDMZpCPoHbF6L0BvW0A/ZCdw8yFqZeCghjmAOG7iegY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYXPR01MB1568
X-OriginatorOrg: team.telstra.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/Qa7vk-nlHBbl_jTejIntSpZ5bJ4>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 02:56:04 -0000

“monotonically increasing” doesn’t mean increase by 1. It means increase in 1 direction. So nano-seconds-since-1970 is valid, even if you only sign a CRL once a day – and doesn’t require state.

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wednesday, 21 April 2021 at 12:50 pm
To: Manger, James <James.H.Manger@team.telstra.com>, Russ Housley <housley@vigilsec.com>
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?
[External Email] This email was sent from outside the organisation – be cautious, particularly with links and attachments.

Manger, James <James.H.Manger@team.telstra.com> writes:

>Presumably CRLNumber has the “20 octet” language merely for consistency with
>CertificateSerialNumber. They sound so similar: numbering CRLs vs numbering
>certs.

Ah, that would make sense.

Just for fun, I thought about what it would take to blow past the limits of a
generic integer value, say 64 bits.  It's not just a case of running a counter
up to whatever number it is that a twenty-byte value is called, you need to
sign and publish a CRL for each one.  Let's say, rather optimistically, that
you can do a hundred a second (since it's not just raw sigs but actually
assembling and publishing a CRL), so you're doing ~10M a day.  That's about 5
billion years of issuing CRLs as fast as you can to exceed what an integer
value can hold.

Looked at another way, if you've got some way you can run something that
requires 2^160 operations you'll be doing other things, probably related to
BTC, with it instead of mucking around with PKI.

Peter.