Re: [pkix] [Technical Errata Reported] RFC3029 (6444)

Stefan Santesson <> Mon, 01 March 2021 21:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 42D4A3A2390 for <>; Mon, 1 Mar 2021 13:54:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ohXFKOyESTex for <>; Mon, 1 Mar 2021 13:53:58 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 25DE03A238F for <>; Mon, 1 Mar 2021 13:53:57 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 8EE5D2467FF1 for <>; Mon, 1 Mar 2021 22:53:50 +0100 (CET)
Received: from (unknown []) by (Postfix) with ESMTP id 6F0392E2961F; Mon, 1 Mar 2021 22:53:50 +0100 (CET)
Received: from (unknown []) by (Postfix) with ESMTP id 6A84C489402; Mon, 1 Mar 2021 22:53:50 +0100 (CET)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by ( []) (amavisd-new, port 10024) with LMTP id 3p6uSxTY0Eej; Mon, 1 Mar 2021 22:53:49 +0100 (CET)
X-Loopia-Auth: user
Received: from [] (unknown []) (Authenticated sender: by (Postfix) with ESMTPSA id 3D6A8489400; Mon, 1 Mar 2021 22:53:49 +0100 (CET)
User-Agent: Microsoft-MacOutlook/16.46.21021202
Date: Mon, 01 Mar 2021 22:53:48 +0100
From: Stefan Santesson <>
To: Carlisle Adams <>, Russ Housley <>, Erwann Abalea <>
CC: "Roman D. Danyliw" <>, Ben Kaduk <>, IETF PKIX <>
Message-ID: <>
Thread-Topic: [pkix] [Technical Errata Reported] RFC3029 (6444)
References: <> <> <> <> <YTXPR0101MB110157FF4F373702155B2361A29A9@YTXPR0101MB1101.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YTXPR0101MB110157FF4F373702155B2361A29A9@YTXPR0101MB1101.CANPRD01.PROD.OUTLOOK.COM>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3697484029_1902171330"
Archived-At: <>
Subject: Re: [pkix] [Technical Errata Reported] RFC3029 (6444)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Mar 2021 21:54:02 -0000

I think there is a need for clarification and to correct the “Integer -> INTEGER” issue.

But I don’t think it is appropriate to change any ASN.1 to attempt to fix neither the implicit tagging or the ambiguity of the “Data” type.


Here is my motivation.

On the nested implicit tagged object we have a similar issue with Distribution Point in RFC 5280:


   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint


   DistributionPoint ::= SEQUENCE {

        distributionPoint       [0]     DistributionPointName OPTIONAL,

        reasons                 [1]     ReasonFlags OPTIONAL,

        cRLIssuer               [2]     GeneralNames OPTIONAL }


   DistributionPointName ::= CHOICE {

        fullName                [0]     GeneralNames,

        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }


Here we have the Implicitly tagged DistributionPointName containing the implicitly tagged choice of GeneralNames or RelativeDistinguishedName.

I’m not an ASN.1 expert, but this is solved by implementations by converting the outer tag to an explicit tag.

E.g. when GeneralNames is used it is represented by [0][0]{GeneralNames length and value}


I assume that the same principle must apply to CertEtcToken.


On the “Data” structure it turns out that there are 4 different service types:


   - Certification of Possession of Data (cpd),

   - Certification of Claim of Possession of Data (ccpd),

   - Validation of Digitally Signed Document (vsd), and

   - Validation of Public Key Certificates (vpkc).


Where cpd and vsd always use message, ccpd always use messageImprint and vpkc always use sequence of TargetEtcChain


So, even if this is not great, it is still possible to implement the protocol, given that you know what service that use the “Data” type.

This is in fact how the implementation pointed out by Russ implements this:

Se the ”getInstance()” function at line 90:


My conclusion is that the protocol has design flaws, but it is not the task of an errata to fix design flaws.

Fixing design flaws is the task of a protocol update. But I don’t think there is a good motivation to put the efforts into releasing a new version of this protocol.

As it is, the protocol is at least implementable, demonstrated by the linked code.



Stefan Santesson 


From: Carlisle Adams <>
Date: Monday, 1 March 2021 at 17:23
To: Russ Housley <>om>, Erwann Abalea <>
Cc: "Roman D. Danyliw" <>rg>, Ben Kaduk <>du>, Stefan Santesson <>om>, IETF PKIX <>
Subject: RE: [pkix] [Technical Errata Reported] RFC3029 (6444)


Hi Russ, all,


I agree that these errors need fixing because there doesn’t seem to be an easy way to get around them otherwise.  I also agree with Stefan that this is probably an indication that DVCS was never widely implemented…  L





From: Russ Housley <> 
Sent: February-28-21 5:26 PM
To: Erwann Abalea <>
Cc: Roman D. Danyliw <>rg>; Ben Kaduk <>du>; Stefan Santesson <>om>; IETF PKIX <>rg>; Carlisle Adams <>
Subject: Re: [pkix] [Technical Errata Reported] RFC3029 (6444)


Attention : courriel externe | external email



Le sam. 27 févr. 2021 à 08:45, Russ Housley <> a écrit :

I guess I should have held off on reporting this ASN.1 error.  Once I corrected it, I discovered two errors that I do not know how to fix.

There is an implementation somewhere because Appendix F contains examples.  I do not know how the implementer got around these two problems.


CertEtcToken ::= CHOICE {
     certificate                  [0] IMPLICIT Certificate ,
     esscertid                    [1] ESSCertId ,
     pkistatus                    [2] IMPLICIT PKIStatusInfo ,
     assertion                    [3] ContentInfo ,
     crl                          [4] IMPLICIT CertificateList,
     ocspcertstatus               [5] IMPLICIT CertStatus,
     oscpcertid                   [6] IMPLICIT CertId ,
     oscpresponse                 [7] IMPLICIT OCSPResponse,
     capabilities                 [8] SMIMECapabilities,
     extension                    Extension{{ExtensionSet}}

CertEtcToken is a CHOICE with tags 0 through 8, but CertStatus CHOICE with tags 0 through 2.  You cannot nest a CHOICE in another CHOICE is the IMPLICIT tags overlap.

The use of EXPLICIT tagging would have solved the problem, but the authors clearly preferred IMPLICIT tags.


Here, it's easy. The outermost IMPLICIT tag is transformed into an EXPLICIT one by the ASN.1 compiler (it will probably emit a warning, though).


Yes, I am aware of that possibility of fixing the specification, but it is unclear what an implementer would do with a ASN.1 module with compilation errors, or a warning that inserts a EXPLICIT.



DigestInfo ::= SEQUENCE {
    digestAlgorithm   DigestAlgorithmIdentifier,
    digest            Digest

Data ::= CHOICE {
      message           OCTET STRING ,
      messageImprint    DigestInfo,
      certs             SEQUENCE SIZE (1..MAX) OF

DigestInfo is a SEQUENCE, and certs is a SEQUENCE, so the two have the same tag.  A recipient cannot tell which one the sender intended.


For this one, there's clearly no solution. Tagging would have solved it (any kind of tagging mode), but it's missing.


Indeed, at lease one of the SEQUENCE needs a tag.