Re: [pkix] Why is the crlNumber an OCTET STRING?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 21 April 2021 15:39 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "Manger, James" <James.H.Manger@team.telstra.com>, Russ Housley <housley@vigilsec.com>
Cc: IETF PKIX <pkix@ietf.org>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz> <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com> <1618957726686.74538@cs.auckland.ac.nz> <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com> <1619018456026.55711@cs.auckland.ac.nz>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <1ef29d5d-1d4c-df66-84a1-291fefdd1aa0@cs.tcd.ie>
Date: Wed, 21 Apr 2021 16:38:52 +0100
In-Reply-To: <1619018456026.55711@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/YclespPai-JB8yHuiPsf4oH0JKg>

Hiya,

On 21/04/2021 16:20, Peter Gutmann wrote:
> Just noticed that the RFC text kinda confirms this:

That sounds reasonable - simplest explanation being most
likely and all that:-)

> 
>     As noted in Section 4.1.2.2, serial numbers can be expected to
>     contain long integers.  Certificate users MUST be able to handle
>     serialNumber values up to 20 octets in length.  Conforming CAs MUST
>     NOT use serialNumber values longer than 20 octets.
> 
>     As noted in Section 5.2.3, CRL numbers can be expected to contain
>     long integers.  CRL validators MUST be able to handle cRLNumber
>     values up to 20 octets in length.  Conforming CRL issuers MUST NOT
>     use cRLNumber values longer than 20 octets.
> 
> So it's a cut&paste of the text for certificate serial numbers, for which
> there's a legitimate reason, the German tank problem, to not use actual serial
> numbers.

IIRC there was also a request from a CA in .au around then
that used company registration numbers as (part of?) the
cert serial number and those were long structured numbers or
something. I vaguely recall being asked to get text in that
alerted people that serials could be longer than some
implementations expected at that time.

I've no recollection of how the CRL number text ended up the
same.

Cheers,
S.
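The 20-octet limits quoted from RFC 5280 in the message above, as an added example that is not part of the thread: a validator-side check of a DER INTEGER as used for a serialNumber or cRLNumber value. Function names and the constructed sample encodings are my own; the 20-octet limit, the positive-serial rule and the INTEGER (0..MAX) type of cRLNumber come from the RFC.

```python
# Added example, not from the thread: a DER INTEGER sanity check for X.509
# serialNumber and cRLNumber values against the 20-octet limits of RFC 5280.
# Sample encodings at the bottom are constructed for illustration.

MAX_OCTETS = 20  # RFC 5280: values up to 20 octets of INTEGER content


def check_der_integer(der: bytes, allow_zero: bool = False) -> tuple[bool, str]:
    """Validate one DER INTEGER TLV (tag 0x02) and return (ok, reason).

    allow_zero=False suits serialNumber (MUST be a positive integer);
    allow_zero=True suits cRLNumber, whose ASN.1 type is INTEGER (0..MAX).
    """
    if len(der) < 3 or der[0] != 0x02:
        return False, "not an INTEGER TLV"
    if der[1] < 0x80:                      # short-form length
        start, length = 2, der[1]
    else:                                  # long-form length, n length octets
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "bad length encoding"
        length = int.from_bytes(der[2:2 + n], "big")
        if length < 0x80 or der[2] == 0:
            return False, "non-minimal length encoding"
        start = 2 + n
    if length == 0 or start + length != len(der):
        return False, "length does not match buffer"
    content = der[start:]
    if length > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                       or (content[0] == 0xFF and content[1] >= 0x80)):
        return False, "non-minimal INTEGER encoding"
    if content[0] & 0x80:                  # DER INTEGER is two's complement
        return False, "negative value"
    if not allow_zero and not any(content):
        return False, "zero value"
    if length > MAX_OCTETS:
        return False, f"{length} octets of content, limit is {MAX_OCTETS}"
    return True, "ok"


def encode_der_integer(value: int) -> bytes:
    """DER-encode a non-negative int. A leading 0x00 is added when the high
    bit of the top octet is set, which is why 20 random bytes can need 21."""
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(content)]) + content  # short-form length suffices


# Constructed samples: a 159-bit value fits, a 160-bit one does not.
FITS = encode_der_integer((1 << 159) - 1)      # 20 octets of content
TOO_LONG = encode_der_integer(1 << 159)        # high bit set -> 21 octets
```

The last two lines show the edge case a CA hits when it draws 20 random bytes for a serial: if the top bit is set, the DER encoding needs a 21st octet and the value no longer conforms.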