Re: [pkix] DER encoding in RFC 3161
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 11 August 2020 02:13 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "mrex@sap.com" <mrex@sap.com>
CC: Phillip Hallam-Baker <phill@hallambaker.com>, "pkix@ietf.org" <pkix@ietf.org>, Koichi Sugimoto <koichi.sugimoto=40globalsign.com@dmarc.ietf.org>
Thread-Topic: [pkix] DER encoding in RFC 3161
Date: Tue, 11 Aug 2020 02:12:44 +0000
Message-ID: <1597111968117.61312@cs.auckland.ac.nz>
References: <PS1PR03MB48921EE23E93434559DF1ECE9D730@PS1PR03MB4892.apcprd03.prod.outlook.com> <CAMm+LwhdgfkbwXrfX8yiK3UDJRGOGzMJ2mXuyKqZWTdGbBE6gQ@mail.gmail.com> <20200803152056.014E9404B@ld9781.wdf.sap.corp> <1596535762003.26579@cs.auckland.ac.nz>, <20200810181053.AB421404B@ld9781.wdf.sap.corp>
In-Reply-To: <20200810181053.AB421404B@ld9781.wdf.sap.corp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/cL8Qr1ibrTntl_hjvbUrMMdHS2E>
Subject: Re: [pkix] DER encoding in RFC 3161
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
Martin Rex <mrex@sap.com> writes:

>the breakage occurs when suddenly expecting that malleable parts of an X.509
>certificate (=everything *OUTSIDE* of ToBeSigned) are guaranteed to be
>unchanged by whatever storage and transports a Certificate is going through,
>including any ASN.1 length encodings on the outside.

Which is the case for everything I know of.  I assume you must have some
special-case situation you've run into where this is an issue, but since
"certificate fingerprints" are pretty much the universal unique identifier for
the things - fire up any cert viewer and you'll see them used, for example -
I'd say that if there is something out there that rewrites certs and breaks
the fingerprint then whatever it is is broken and needs to be fixed.

More to the point, we've been using cert fingerprints for thirty-odd years
without running into any problems, so if something turns up now that breaks
them then that's the problem, not cert fingerprints.

Peter.
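The disagreement above turns on what a certificate fingerprint actually covers. A fingerprint is a hash over the complete encoded Certificate, i.e. the outer SEQUENCE header plus tbsCertificate, signatureAlgorithm and signature, whereas the signature itself only covers the DER of tbsCertificate. The script below is an added example written for this archive page; it is not code from the thread or from either poster. It builds a constructed, dummy certificate-shaped structure (the contents and the BIT STRING "signature" are placeholders, nothing is actually signed or verified), computes its SHA-256 fingerprint, then re-wraps exactly the same three fields in an outer SEQUENCE whose length octets are legal BER but not minimal DER. The fingerprint changes while the tbsCertificate bytes do not, which is the "malleable parts outside ToBeSigned" point Martin raises. It also shows the check a verifier relies on to keep fingerprints stable: reject any length encoding that is not minimal DER. All helper names (der_len, ber_len_nonminimal, tlv, read_tlv, split_certificate, fingerprint) are this example's own.

```python
import hashlib


def der_len(n):
    """Minimal (DER) length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def ber_len_nonminimal(n):
    """Long-form length with one more octet than needed: valid BER, invalid DER."""
    b = n.to_bytes((n.bit_length() + 7) // 8 + 1, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content, length_fn=der_len):
    """Encode one tag-length-value element."""
    return bytes([tag]) + length_fn(len(content)) + content


def read_tlv(buf, pos=0):
    """Decode one TLV at pos. Returns (tag, content, raw_bytes, next_pos, minimal).

    'minimal' is True only if the length octets are the minimal DER form."""
    start = pos
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length, minimal = first, True
    elif first == 0x80:
        raise ValueError("indefinite-length encoding is BER, not DER")
    else:
        n = first & 0x7F
        lb = buf[pos:pos + n]
        pos += n
        length = int.from_bytes(lb, "big")
        # Long form is minimal only when it was needed and has no leading zero octet.
        minimal = lb[0] != 0 and length >= 0x80
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], buf[start:end], end, minimal


def split_certificate(cert):
    """Split Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.

    Returns the raw DER of each field plus whether the outer length was minimal."""
    tag, body, _, end, outer_minimal = read_tlv(cert)
    if tag != 0x30 or end != len(cert):
        raise ValueError("not a single top-level SEQUENCE")
    _, _, tbs_raw, p, _ = read_tlv(body, 0)
    _, _, alg_raw, p, _ = read_tlv(body, p)
    _, _, sig_raw, p, _ = read_tlv(body, p)
    if p != len(body):
        raise ValueError("trailing data inside Certificate")
    return tbs_raw, alg_raw, sig_raw, outer_minimal


def fingerprint(cert):
    """SHA-256 fingerprint over the complete encoded certificate, as cert viewers do."""
    return hashlib.sha256(cert).hexdigest()


# Constructed sample (this example's own, not a real certificate): the outer
# structure matches Certificate, but tbsCertificate holds dummy fields and the
# BIT STRING is not a real signature. The OID is sha256WithRSAEncryption.
TBS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x13, b"example"))
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SIG = tlv(0x03, b"\x00" + bytes.fromhex("deadbeef"))
CERT_DER = tlv(0x30, TBS + SIG_ALG + SIG)
# The same three fields re-wrapped with a non-minimal outer length octet string.
CERT_BER = tlv(0x30, TBS + SIG_ALG + SIG, length_fn=ber_len_nonminimal)


if __name__ == "__main__":
    for name, cert in (("DER", CERT_DER), ("BER", CERT_BER)):
        tbs, _, _, minimal = split_certificate(cert)
        print(name, fingerprint(cert), "tbs unchanged:", tbs == TBS,
              "outer length minimal:", minimal)
```

Running it prints two different fingerprints for the same tbsCertificate bytes. A relying party that insists on DER (as X.509 and RFC 5280 require for certificates) would reject CERT_BER outright via the minimal-length flag, which is the practical reason the re-encoding cases Martin describes do not show up in deployments that compute fingerprints over the full certificate.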
- [pkix] DER encoding in RFC 3161 Koichi Sugimoto
- Re: [pkix] DER encoding in RFC 3161 Phillip Hallam-Baker
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann
- Re: [pkix] DER encoding in RFC 3161 Todd E. Johnson
- Re: [pkix] DER encoding in RFC 3161 Koichi Sugimoto
- Re: [pkix] DER encoding in RFC 3161 mrex
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann
- Re: [pkix] DER encoding in RFC 3161 David Chadwick
- Re: [pkix] DER encoding in RFC 3161 mrex
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann
- Re: [pkix] DER encoding in RFC 3161 Manger, James
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann