Re: [pkix] a question of cert (and OCSP) extension syntax

Eric Rescorla <ekr@rtfm.com> Thu, 02 April 2015 17:57 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/kiSB7M8cpl6kBjKA3miruthLDAE>

Stephen Kent writes:
> Since the bulk of the data items have an obvious ASN.1
> representation, and the certificate or TBS certificate are native
> ASN.1 structures, we feel that the decision to stuff all of the data
> items into an OCTET STRING is inappropriate, and that it sets a bad
> precedent for others developing certificate (and OCSP) extensions in
> the future.

My sense is that it would be better for this data to be in ASN.1 for
consistency with the certificate itself.

-Ekr
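As an added illustration of the point under discussion (example code, not from the thread or any project), two hypothetical data items assumed here, a version number and an identifier, are encoded both ways with a minimal DER encoder; a schema-free DER walker then shows that only the native ASN.1 form exposes its fields to generic tooling and to a schema check.

```python
# Added example: hypothetical extension data items (constructed here) encoded as a
# native ASN.1 SEQUENCE versus packed into one opaque OCTET STRING.

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(v: int) -> bytes:
    # DER INTEGER: shortest two's-complement encoding (non-negative values only here)
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

VERSION = 2                        # constructed sample data items
IDENT = bytes.fromhex("deadbeef")

def structured_value() -> bytes:
    # SEQUENCE { version INTEGER, ident OCTET STRING }
    return tlv(0x30, der_integer(VERSION) + tlv(0x04, IDENT))

def opaque_value() -> bytes:
    # Same items under an ad hoc layout (1-byte version, then ident) stuffed into one OCTET STRING
    return tlv(0x04, bytes([VERSION]) + IDENT)

def walk(der: bytes, depth: int = 0) -> list:
    """Schema-free DER walker: (depth, tag, body) for every TLV, descending into constructed types."""
    out, i = [], 0
    while i < len(der):
        tag, first = der[i], der[i + 1]
        n = first & 0x7F if first & 0x80 else 0        # long-form length uses n following bytes
        length = int.from_bytes(der[i + 2:i + 2 + n], "big") if n else first
        i += 2 + n
        body, i = der[i:i + length], i + length
        if len(body) != length:
            raise ValueError("truncated DER")
        out.append((depth, tag, body))
        if tag & 0x20:             # constructed type: recurse into its contents
            out.extend(walk(body, depth + 1))
    return out

def parse_structured(der: bytes) -> tuple:
    """Schema check: SEQUENCE { INTEGER, OCTET STRING }; the opaque form is rejected."""
    items = walk(der)
    if [(d, t) for d, t, _ in items] != [(0, 0x30), (1, 0x02), (1, 0x04)]:
        raise ValueError("value does not match the extension's ASN.1 definition")
    return int.from_bytes(items[1][2], "big", signed=True), items[2][2]
```

Running `walk` over both encodings shows three typed fields for the SEQUENCE form but a single untyped blob for the OCTET STRING form, which is exactly what a generic ASN.1 dumper or validator would see.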