Re: [pkix] DER encoding in RFC 3161

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 11 August 2020 02:13 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "mrex@sap.com" <mrex@sap.com>
CC: Phillip Hallam-Baker <phill@hallambaker.com>, "pkix@ietf.org" <pkix@ietf.org>, Koichi Sugimoto <koichi.sugimoto=40globalsign.com@dmarc.ietf.org>
Thread-Topic: [pkix] DER encoding in RFC 3161
Date: Tue, 11 Aug 2020 02:12:44 +0000
Message-ID: <1597111968117.61312@cs.auckland.ac.nz>
References: <PS1PR03MB48921EE23E93434559DF1ECE9D730@PS1PR03MB4892.apcprd03.prod.outlook.com> <CAMm+LwhdgfkbwXrfX8yiK3UDJRGOGzMJ2mXuyKqZWTdGbBE6gQ@mail.gmail.com> <20200803152056.014E9404B@ld9781.wdf.sap.corp> <1596535762003.26579@cs.auckland.ac.nz>, <20200810181053.AB421404B@ld9781.wdf.sap.corp>
In-Reply-To: <20200810181053.AB421404B@ld9781.wdf.sap.corp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/cL8Qr1ibrTntl_hjvbUrMMdHS2E>
Subject: Re: [pkix] DER encoding in RFC 3161

Martin Rex <mrex@sap.com> writes:

>the breakage occurs when suddenly expecting that malleable parts of an X.509
>certificate (=everything *OUTSIDE* of ToBeSigned) are guaranteed to be
>unchanged by whatever storage and transports a Certificate is going through,
>including any ASN.1 length encodings on the outside.

Which is the case for everything I know of.  I assume you must have some
special-case situation you've run into where this is an issue, but since
"certificate fingerprints" are pretty much the universal unique identifier for
the things - fire up any cert viewer and you'll see them used, for example -
I'd say that if there is something out there that rewrites certs and breaks
the fingerprint, then whatever it is is broken and needs to be fixed.

More to the point, we've been using cert fingerprints for thirty-odd years
without running into any problems, so if something turns up now that breaks
them then that's the problem, not cert fingerprints.

Peter.
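The disagreement above is about what a fingerprint actually covers: the usual certificate fingerprint is a hash over the complete encoded Certificate (outer SEQUENCE, TBSCertificate, signature algorithm and signature value), so any intermediary that re-encodes the outer ASN.1 length, even with a BER encoding that is semantically identical, changes the fingerprint without touching the signed data. The following is an added example, not code from either poster or from any IETF document. It builds a constructed, minimal SEQUENCE { tbs, algId, sig } with dummy contents (not a real X.509 certificate), emits it once with the minimal DER length and once with a legal but non-minimal BER long-form length, and compares a hash over the full encoding against a hash over just the TBS element extracted by a small BER/DER TLV parser. The helper names (`der_tlv`, `ber_tlv_nonminimal`, `parse_tlv`, `extract_tbs`, `fingerprint`, `demo`) are this example's own.

```python
"""
Added example (not from the pkix thread): a certificate "fingerprint" taken
over the whole encoded Certificate versus a hash taken over the TBS element
only, when the outer ASN.1 length is re-encoded in non-minimal BER form.

Only hashlib is used.  The "certificate" is a constructed, minimal
SEQUENCE { tbs, algId, signature } with dummy contents, not a real X.509
certificate, so everything runs offline.
"""
import hashlib

SEQUENCE = 0x30
OCTET_STRING = 0x04
BIT_STRING = 0x03
OID = 0x06


def der_len(n: int) -> bytes:
    """Minimal (DER) length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag + minimal length + content (DER)."""
    return bytes([tag]) + der_len(len(content)) + content


def ber_tlv_nonminimal(tag: int, content: bytes) -> bytes:
    """Same value, but the length is written in long form padded to 2 bytes.
    Legal BER, illegal DER (DER requires the minimal length encoding)."""
    n = len(content)
    if n >= 0x10000:
        raise ValueError("content too long for this helper")
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def parse_tlv(buf: bytes, pos: int = 0):
    """Parse one BER/DER TLV at buf[pos]; return (tag, content, end).
    Accepts short-form and long-form definite lengths; rejects indefinite."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length not supported")
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length-of-length")
        length = int.from_bytes(buf[pos + 2 : pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[start:end], end


def extract_tbs(cert: bytes) -> bytes:
    """Return the raw bytes (tag, length and content) of the first element
    inside the outer SEQUENCE, i.e. the TBS part a signature would cover."""
    tag, content, end = parse_tlv(cert)
    if tag != SEQUENCE or end != len(cert):
        raise ValueError("not a single outer SEQUENCE")
    _, _, tbs_end = parse_tlv(content)
    return content[:tbs_end]


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest, the way a cert viewer would fingerprint the blob."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample structure (dummy contents, labelled as such).
TBS = der_tlv(SEQUENCE, der_tlv(OCTET_STRING, b"constructed-tbs-payload"))
# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) as the algId's only element.
ALG = der_tlv(SEQUENCE, der_tlv(OID, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
SIG = der_tlv(BIT_STRING, b"\x00" + b"\x5a" * 32)  # 0 unused bits + dummy signature

CERT_DER = der_tlv(SEQUENCE, TBS + ALG + SIG)            # what a CA would emit
CERT_BER = ber_tlv_nonminimal(SEQUENCE, TBS + ALG + SIG)  # same value, outer length re-encoded


def demo() -> dict:
    """Full-blob fingerprints differ between the two encodings; TBS hashes do not."""
    return {
        "full_der": fingerprint(CERT_DER),
        "full_ber": fingerprint(CERT_BER),
        "tbs_from_der": fingerprint(extract_tbs(CERT_DER)),
        "tbs_from_ber": fingerprint(extract_tbs(CERT_BER)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

Running it shows `full_der` and `full_ber` as two different digests while `tbs_from_der` and `tbs_from_ber` are identical: the signature still verifies over the same TBS bytes, but anything keyed on the whole-blob fingerprint (pinning, trust-store lookups, CT or log matching) would no longer find the certificate after such a re-encoding. Whether that re-encoding ever legitimately happens in practice is exactly the point the two posters disagree on.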