Re: [pkix] a question of cert (and OCSP) extension syntax
Rob Stradling <rob.stradling@comodo.com> Wed, 25 March 2015 14:47 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B2551A870A for <pkix@ietfa.amsl.com>; Wed, 25 Mar 2015 07:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VH5pNW1dyf_u for <pkix@ietfa.amsl.com>; Wed, 25 Mar 2015 07:46:59 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECCAE1B29E7 for <pkix@ietf.org>; Wed, 25 Mar 2015 07:44:25 -0700 (PDT)
Received: (qmail 22656 invoked by uid 1004); 25 Mar 2015 14:44:23 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Wed, 25 Mar 2015 14:44:23 +0000
Received: (qmail 27914 invoked by uid 1000); 25 Mar 2015 14:44:23 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Wed, 25 Mar 2015 14:44:23 +0000
Message-ID: <5512C9C7.70202@comodo.com>
Date: Wed, 25 Mar 2015 14:44:23 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Sean Leonard <dev+ietf@seantek.com>, IETF PKIX <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com>
In-Reply-To: <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Zfgy9UzRhgZM5VQ-oLcmsO-RRe0>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 14:47:02 -0000
On 25/03/15 14:20, Sean Leonard wrote: > On Mar 18, 2015, at 2:10 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > >> Melinda Shore <melinda.shore@gmail.com> writes: >> >>> it's what's in the document until someone can either point to some normative >>> specification that it violates or can point to something that actually would >>> break. >> >> This isn't a case of standards rules-lawyering though (in any case the PKIX >> spec is flexible enough that you can stuff anything you want into a >> certificate if you interpret things just right, see the famous MPEG-of-cat >> quote), it's that this is creating a situation where an *X.509 standards- >> compliant certificate* contains data that can't be processed by an *X.509 >> standards-compliant certificate application*. > > I agree with Peter. Keep the encoding as ASN.1 for this extension. It is not particularly onerous, and it preserves compatibility for other applications. How exactly might the certificate extension we're talking about [1] break compatibility with other applications? The Subject Key Identifier extension uses the exact same ASN.1 syntax (the content of the extension is a plain OCTET STRING). RFC5280 does not require applications to recognize this extension. I'm not aware of any applications that choke on the Subject Key Identifier extension, so why should we expect any to choke on the 6962-bis extension? [1] https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/?include_text=1 Sections 3.4.2 and 3.4.2.2 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [pkix] a question of cert (and OCSP) extension sy… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Manger, James
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Denis
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- [pkix] update on ITU-T Public-key infrastructure:… Tony Rutkowski
- Re: [pkix] update on ITU-T Public-key infrastruct… Erik Andersen
- Re: [pkix] update on ITU-T Public-key infrastruct… George Michaelson
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- [pkix] Cryptographic Message Syntax Tony Rutkowski
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] Cryptographic Message Syntax Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Yoav Nir
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Farrell
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Santosh Chokhani
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Eric Rescorla