Re: [pkix] a question of cert (and OCSP) extension syntax

Rob Stradling <rob.stradling@comodo.com> Wed, 25 March 2015 14:47 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B2551A870A for <pkix@ietfa.amsl.com>; Wed, 25 Mar 2015 07:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VH5pNW1dyf_u for <pkix@ietfa.amsl.com>; Wed, 25 Mar 2015 07:46:59 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECCAE1B29E7 for <pkix@ietf.org>; Wed, 25 Mar 2015 07:44:25 -0700 (PDT)
Received: (qmail 22656 invoked by uid 1004); 25 Mar 2015 14:44:23 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Wed, 25 Mar 2015 14:44:23 +0000
Received: (qmail 27914 invoked by uid 1000); 25 Mar 2015 14:44:23 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Wed, 25 Mar 2015 14:44:23 +0000
Message-ID: <5512C9C7.70202@comodo.com>
Date: Wed, 25 Mar 2015 14:44:23 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Sean Leonard <dev+ietf@seantek.com>, IETF PKIX <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com>
In-Reply-To: <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Zfgy9UzRhgZM5VQ-oLcmsO-RRe0>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 14:47:02 -0000

On 25/03/15 14:20, Sean Leonard wrote:
> On Mar 18, 2015, at 2:10 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
>> Melinda Shore <melinda.shore@gmail.com> writes:
>>
>>> it's what's in the document until someone can either point to some normative
>>> specification that it violates or can point to something that actually would
>>> break.
>>
>> This isn't a case of standards rules-lawyering though (in any case the PKIX
>> spec is flexible enough that you can stuff anything you want into a
>> certificate if you interpret things just right, see the famous MPEG-of-cat
>> quote), it's that this is creating a situation where an *X.509 standards-
>> compliant certificate* contains data that can't be processed by an *X.509
>> standards-compliant certificate application*.
>
> I agree with Peter. Keep the encoding as ASN.1 for this extension. It is not particularly onerous, and it preserves compatibility for other applications.

How exactly might the certificate extension we're talking about [1] 
break compatibility with other applications?

The Subject Key Identifier extension uses the exact same ASN.1 syntax 
(the content of the extension is a plain OCTET STRING).  RFC5280 does 
not require applications to recognize this extension.

I'm not aware of any applications that choke on the Subject Key 
Identifier extension, so why should we expect any to choke on the 
6962-bis extension?


[1] 
https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/?include_text=1
   Sections 3.4.2 and 3.4.2.2

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online