Re: [pkix] a question of cert (and OCSP) extension syntax

Sean Leonard <dev+ietf@seantek.com> Mon, 30 March 2015 19:10 UTC

Return-Path: <dev+ietf@seantek.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C74E21ACCD9 for <pkix@ietfa.amsl.com>; Mon, 30 Mar 2015 12:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FuetWpWBmvas for <pkix@ietfa.amsl.com>; Mon, 30 Mar 2015 12:10:10 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E940E1ACC86 for <pkix@ietf.org>; Mon, 30 Mar 2015 12:10:09 -0700 (PDT)
Received: from [10.177.240.84] (unknown [63.92.241.249]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 940CB509BE; Mon, 30 Mar 2015 15:10:06 -0400 (EDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_3D670D13-26FC-4B39-AA69-14C74A136194"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Leonard <dev+ietf@seantek.com>
In-Reply-To: <74EB71CA-3E5F-4D93-9232-3F1AA7308D7B@gmail.com>
Date: Mon, 30 Mar 2015 12:09:19 -0700
Message-Id: <AAF5FB13-B0FF-4C59-AA3B-D8D8B51E5A14@seantek.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com> <5512C9C7.70202@comodo.com> <55159714.1070902@openca.org> <55190678.6080007@comodo.com> <924332F5-FED1-4A0C-BBD8-146C1AC549B3@vigilsec.com> <A194E40C-016B-4CEA-A9A8-9A179C876D43@vpnc.org> <3161EB72-BE23-44CB-B02A-12648BAE73BB@vigilsec.com> <74EB71CA-3E5F-4D93-9232-3F1AA7308D7B@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/TJ2XyuAWR-fpKFqTLlD-JhvBy2U>
Cc: IETF PKIX <pkix@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 19:10:11 -0000

On Mar 30, 2015, at 10:23 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> 
>> On Mar 30, 2015, at 6:46 PM, Russ Housley <housley@vigilsec.com> wrote:
>> 
>> Paul:
>> 
>>>>> I think it's only "wrong" and "weird" if you take the view that "if it could conceivably be constructed in ASN.1, then it MUST be constructed in ASN.1".  I don't take that view.
>>>> 
>>>> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that extensions are OCTET STRING wrapped ASN.1 structures.  From section 4.2 of RFC 2459:
>>>> 
>>>> 	Each extension includes an OID and an ASN.1 structure.
>>> 
>>> I always interpreted the "an ASN.1 structure" there as meaning that any structure was acceptable, whether it was SEQUENCE or INTEGER or OCTET STRING or whatever.
>> 
>> The usage in this case is a non-ASN.1 structure shoved into an OCTET STRING and then wrapped in an OCTET STRING.
> 
> That is not without precedent.  A subject alternative name ([1]) of type rfc822Name is required to be formatted according to section 4.1.2 of RFC 2821, and that’s not ASN-1 formatted.

The counterpoint is that rfc822Names (e-mail addresses) are human-readable and usually transmitted in that exact format, namely in protocols where it has to be unpacked into local-part and domain components, such as RFC 5322 (e-mail format) and RFC 5321 (SMTP), as well as in prose text. The same logic applies to dNSNames.

The sequence of data at issue here is not human-readable, certainly not in the same way as those examples.

Sean