Re: [pkix] Why is the crlNumber an OCTET STRING?
"Manger, James" <James.H.Manger@team.telstra.com> Wed, 21 April 2021 02:56 UTC
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Russ Housley <housley@vigilsec.com>
CC: IETF PKIX <pkix@ietf.org>
Date: Wed, 21 Apr 2021 02:55:52 +0000
Message-ID: <SYBPR01MB56162CDF91BD659947C9444BE5479@SYBPR01MB5616.ausprd01.prod.outlook.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz>, <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>, <1618957726686.74538@cs.auckland.ac.nz>, <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com>, <1618973426649.81377@cs.auckland.ac.nz>
In-Reply-To: <1618973426649.81377@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/Qa7vk-nlHBbl_jTejIntSpZ5bJ4>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?
“monotonically increasing” doesn’t mean increase by 1. It means increase in 1 direction. So nano-seconds-since-1970 is valid, even if you only sign a CRL once a day – and doesn’t require state.

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wednesday, 21 April 2021 at 12:50 pm
To: Manger, James <James.H.Manger@team.telstra.com>, Russ Housley <housley@vigilsec.com>
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?

Manger, James <James.H.Manger@team.telstra.com> writes:

>Presumably CRLNumber has the “20 octet” language merely for consistency with
>CertificateSerialNumber. They sound so similar: numbering CRLs vs numbering
>certs.

Ah, that would make sense.

Just for fun, I thought about what it would take to blow past the limits of a generic integer value, say 64 bits. It's not just a case of running a counter up to whatever number it is that a twenty-byte value is called, you need to sign and publish a CRL for each one. Let's say, rather optimistically, that you can do a hundred a second (since it's not just raw sigs but actually assembling and publishing a CRL), so you're doing ~10M a day. That's about 5 billion years of issuing CRLs as fast as you can to exceed what an integer value can hold.

Looked at another way, if you've got some way you can run something that requires 2^160 operations you'll be doing other things, probably related to BTC, with it instead of mucking around with PKI.

Peter.
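As an added example (not code from the thread or any of its posters), the Python below encodes a crlNumber as the DER INTEGER that RFC 5280 specifies, enforces the 20-octet issuer limit discussed above, checks the nanoseconds-since-1970 scheme for the monotonic property, and reproduces the back-of-envelope overflow estimate; the function names and the daily timestamps are constructed for illustration.

```python
"""Stateless, monotonically increasing crlNumber: an added worked example.

RFC 5280 defines CRLNumber as an ASN.1 INTEGER that must increase monotonically
and caps the encoded value at 20 octets. Sample timestamps below are constructed.
"""
from typing import List, Optional

MAX_CRL_NUMBER_OCTETS = 20  # RFC 5280: conforming issuers MUST NOT exceed 20 octets


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02) with minimal two's-complement content."""
    if value < 0:
        raise ValueError("CRLNumber must be non-negative")
    # Adding 8 before dividing inserts a leading 0x00 whenever the top bit would read as a sign bit.
    length = (value.bit_length() + 8) // 8
    content = value.to_bytes(length, "big")
    if len(content) > MAX_CRL_NUMBER_OCTETS:
        raise ValueError(f"CRLNumber needs {len(content)} octets, limit is {MAX_CRL_NUMBER_OCTETS}")
    return bytes([0x02, len(content)]) + content


def decode_der_integer(der: bytes) -> int:
    """Inverse of der_integer; a verifier must accept content up to 20 octets."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2:
        raise ValueError("malformed DER INTEGER")
    return int.from_bytes(der[2:], "big", signed=True)


def fits_crl_number_limit(value: int) -> bool:
    """True when the value encodes within the 20-octet issuer limit."""
    try:
        der_integer(value)
        return True
    except ValueError:
        return False


def next_crl_number(now_ns: int, last_issued: Optional[int] = None) -> bytes:
    """Stateless scheme from the reply: the CRL number is nanoseconds since 1970.

    A timestamp is monotonic only while the issuer's clock never steps backwards,
    so an issuer that does remember its last value should refuse to go down.
    """
    if last_issued is not None and now_ns <= last_issued:
        raise ValueError("clock regression: CRL number would not increase")
    return der_integer(now_ns)


def is_monotonic(numbers: List[int]) -> bool:
    """'Monotonically increasing' = each value strictly greater than the last, not last + 1."""
    return all(a < b for a, b in zip(numbers, numbers[1:]))


def years_to_exhaust(bits: int, crls_per_second: float = 100.0) -> float:
    """Time to overflow a `bits`-bit counter when signing and publishing CRLs non-stop."""
    return (2 ** bits / crls_per_second) / (365.25 * 24 * 3600)


# Constructed: one CRL signed per day, starting from this message's epoch-seconds timestamp.
DAILY_NS = [(1_618_973_754 + day * 86_400) * 10**9 for day in range(3)]
```

Every nanosecond timestamp from 2021 fits in 8 content octets, well inside the 20-octet cap, which is why a 64-bit counter and a 20-octet INTEGER differ only in theory for any realistic issuer.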