Re: [pkix] a question of cert (and OCSP) extension syntax
Sean Leonard <dev+ietf@seantek.com> Mon, 30 March 2015 19:10 UTC
Return-Path: <dev+ietf@seantek.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C74E21ACCD9 for <pkix@ietfa.amsl.com>; Mon, 30 Mar 2015 12:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FuetWpWBmvas for <pkix@ietfa.amsl.com>; Mon, 30 Mar 2015 12:10:10 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E940E1ACC86 for <pkix@ietf.org>; Mon, 30 Mar 2015 12:10:09 -0700 (PDT)
Received: from [10.177.240.84] (unknown [63.92.241.249]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 940CB509BE; Mon, 30 Mar 2015 15:10:06 -0400 (EDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_3D670D13-26FC-4B39-AA69-14C74A136194"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Leonard <dev+ietf@seantek.com>
In-Reply-To: <74EB71CA-3E5F-4D93-9232-3F1AA7308D7B@gmail.com>
Date: Mon, 30 Mar 2015 12:09:19 -0700
Message-Id: <AAF5FB13-B0FF-4C59-AA3B-D8D8B51E5A14@seantek.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com> <5512C9C7.70202@comodo.com> <55159714.1070902@openca.org> <55190678.6080007@comodo.com> <924332F5-FED1-4A0C-BBD8-146C1AC549B3@vigilsec.com> <A194E40C-016B-4CEA-A9A8-9A179C876D43@vpnc.org> <3161EB72-BE23-44CB-B02A-12648BAE73BB@vigilsec.com> <74EB71CA-3E5F-4D93-9232-3F1AA7308D7B@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/TJ2XyuAWR-fpKFqTLlD-JhvBy2U>
Cc: IETF PKIX <pkix@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 19:10:11 -0000
On Mar 30, 2015, at 10:23 AM, Yoav Nir <ynir.ietf@gmail.com> wrote: > >> On Mar 30, 2015, at 6:46 PM, Russ Housley <housley@vigilsec.com> wrote: >> >> Paul: >> >>>>> I think it's only "wrong" and "weird" if you take the view that "if it could conceivably be constructed in ASN.1, then it MUST be constructed in ASN.1". I don't take that view. >>>> >>>> Certificates are ASN.1, and RFC 5280 (and its predecessors) say that extensions are OCTET STRING wrapped ASN.1 structures. From section 4.2 of RFC 2459: >>>> >>>> Each extension includes an OID and an ASN.1 structure. >>> >>> I always interpreted the "an ASN.1 structure" there as meaning that any structure was acceptable, whether it was SEQUENCE or INTEGER or OCTET STRING or whatever. >> >> The usage in this case is a non-ASN.1 structure shoved into an OCTET STRING and then wrapped in an OCTET STRING. > > That is not without precedent. A subject alternative name ([1]) of type rfc822Name is required to be formatted according to section 4.1.2 of RFC 2821, and that’s not ASN-1 formatted. The counterpoint is that rfc822Names (e-mail addresses) are human-readable and usually transmitted in that exact format, namely in protocols where it has to be unpacked into local-part and domain components, such as RFC 5322 (e-mail format) and RFC 5321 (SMTP), as well as in prose text. The same logic applies to dNSNames. The sequence of data at issue here is not human-readable, certainly not in the same way as those examples. Sean
- [pkix] a question of cert (and OCSP) extension sy… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Manger, James
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Denis
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- [pkix] update on ITU-T Public-key infrastructure:… Tony Rutkowski
- Re: [pkix] update on ITU-T Public-key infrastruct… Erik Andersen
- Re: [pkix] update on ITU-T Public-key infrastruct… George Michaelson
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- [pkix] Cryptographic Message Syntax Tony Rutkowski
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] Cryptographic Message Syntax Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Yoav Nir
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Farrell
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Santosh Chokhani
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Eric Rescorla