Re: [pkix] Why is the crlNumber an OCTET STRING?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 20 April 2021 22:29 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Russ Housley <housley@vigilsec.com>
CC: IETF PKIX <pkix@ietf.org>
Date: Tue, 20 Apr 2021 22:28:47 +0000
Message-ID: <1618957726686.74538@cs.auckland.ac.nz>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz>, <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>
In-Reply-To: <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/g12NzTkZPkJCmEGkU_u2BnHZ5Wg>

Russ Housley <housley@vigilsec.com> writes:

>the text explains there are various ways that a CRL issuer can assign numbers
>for different scopes that can lead to larger values.

It doesn't really explain it; all it says is:

   If a CRL issuer generates two CRLs (two complete CRLs, two delta
   CRLs, or a complete CRL and a delta CRL) for the same scope at
   different times, the two CRLs MUST NOT have the same CRL number.

So CRL #1 has crlNumber 17, CRL #2 has crlNumber 18.  That's monotonically
increasing, and fits into a standard integer.

Paul Hoffman <paul.hoffman@vpnc.org> writes:

>you chose to use RFC 3280 instead of RFC 5280. :-(

I used 3280 because that's where the requirement for 20-byte "integers" was
introduced, so I was wondering what caused it.  My guess, for lack of any
obvious reason, was that it was someone's hack/implementation bug that was
written into the spec, because I can't see any other reason for the
OCTET_STRING-as-INTEGER use.  You certainly can't monotonically increase a
counter to the point where it'd be necessary.

Peter.
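The encoding the thread is arguing about, as an added example that is not part of the original message: a minimal DER encoder and decoder for the cRLNumber extension (RFC 5280 section 5.2.3, OID 2.5.29.20), which enforces the two constraints under discussion, namely that the value is a non-negative INTEGER whose encoding conforming issuers MUST NOT make longer than 20 octets, and that a later CRL for the same scope must not reuse a number (checked here as strictly increasing, the monotonic counter use Peter describes). The limit value `MAX_CRL_NUMBER = 2**159 - 1` is derived here from the 20-octet rule (a 20-octet positive DER INTEGER has its top byte at most 0x7F); the function names and the test values are this example's own.

```python
"""cRLNumber extension (RFC 5280 5.2.3) as DER, with the 20-octet limit and the
same-scope uniqueness rule checked.  Constructed example, not code from the thread."""

ID_CE_CRL_NUMBER = bytes.fromhex("551d14")   # content octets of OID 2.5.29.20 (id-ce-cRLNumber)
MAX_CRL_NUMBER_OCTETS = 20                    # RFC 5280: issuers MUST NOT exceed 20 octets
# Largest non-negative value whose minimal DER content fits in 20 octets (top byte <= 0x7F).
MAX_CRL_NUMBER = (1 << (8 * MAX_CRL_NUMBER_OCTETS - 1)) - 1   # 2**159 - 1


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, position after the TLV) for the element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    content = data[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated TLV content")
    return tag, content, pos + length


def crl_number_octets(value: int) -> int:
    """Length of the minimal DER INTEGER content for value (the quantity the 20-octet rule caps)."""
    if value < 0:
        raise ValueError("CRLNumber ::= INTEGER (0..MAX): negative values are not allowed")
    n = max(1, (value.bit_length() + 7) // 8)
    return n + 1 if value >> (8 * n - 1) else n  # leading 0x00 keeps the sign bit clear


def encode_crl_number(value: int) -> bytes:
    """DER INTEGER for a CRL number, refusing encodings longer than 20 octets."""
    n = crl_number_octets(value)
    if n > MAX_CRL_NUMBER_OCTETS:
        raise ValueError(f"CRLNumber needs {n} octets; RFC 5280 caps it at {MAX_CRL_NUMBER_OCTETS}")
    return _tlv(0x02, value.to_bytes(n, "big"))


def encode_crl_number_extension(value: int) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    The INTEGER is wrapped in the OCTET STRING like every extension value; cRLNumber
    MUST be non-critical, so the DEFAULT FALSE BOOLEAN is omitted under DER."""
    return _tlv(0x30, _tlv(0x06, ID_CE_CRL_NUMBER) + _tlv(0x04, encode_crl_number(value)))


def decode_crl_number_extension(ext: bytes) -> int:
    """Parse the extension back to an int, rejecting negative, non-minimal and oversized values."""
    tag, seq, end = _read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06 or oid != ID_CE_CRL_NUMBER:
        raise ValueError("not the cRLNumber extension")
    tag, content, pos = _read_tlv(seq, pos)
    if tag == 0x01:                             # explicit critical flag (BER, or a non-DER encoder)
        if content != b"\x00":
            raise ValueError("cRLNumber MUST be marked non-critical")
        tag, content, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("extnValue must be the final OCTET STRING")
    tag, num, pos = _read_tlv(content, 0)
    if tag != 0x02 or pos != len(content) or not num:
        raise ValueError("extnValue must wrap exactly one INTEGER")
    if num[0] & 0x80:
        raise ValueError("negative CRLNumber")
    if len(num) > 1 and num[0] == 0 and not (num[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    if len(num) > MAX_CRL_NUMBER_OCTETS:
        raise ValueError("CRLNumber longer than 20 octets")
    return int.from_bytes(num, "big")


def accept_next_crl_number(previous: int, current: int) -> bool:
    """Relying-party check for two CRLs of the same scope: the newer one must carry a
    larger number.  Stricter than the RFC's 'MUST NOT be the same', but it is what a
    monotonically increasing counter gives you."""
    return current > previous
```

Comparing the decoded integers rather than the raw extnValue bytes matters here: `02 01 11` and the non-minimal `02 02 00 11` name the same number, so a relying party that treats the value as an opaque byte string (the OCTET STRING reading the thread objects to) would call them different. The decoder above rejects the non-minimal form outright, which is what a DER-strict parser should do.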