[pkix] a question of cert (and OCSP) extension syntax

Stephen Kent <kent@bbn.com> Tue, 17 March 2015 19:34 UTC

Message-ID: <550881DE.8090304@bbn.com>
To: pkix <pkix@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/mjSlYfRkMgLyd1v7WF1IE-GZ3no>
List-Id: PKIX Working Group <pkix.ietf.org>

Folks,

Stephen Farrell suggested that I pose a question to this list based on 
an ongoing debate in another WG.

A certificate and OCSP extension has been proposed in TRANS. The 
extension consists of a few data items, principally:

version number (an integer)

a log ID (an octet string)

a time stamp

a certificate or TBS certificate

a hash value (a bit or octet string)

an optional set of TBD protocol-specific extensions

The authors of the proposed extension elected to encode all of these 
data items as one big OCTET STRING, rather than using the existing, base 
ASN.1 data types. They elected to not use an ASN.1 structure here 
because one of the three ways to communicate this data to a client is 
via a TLS handshake. They believe that the TLS handshake will eventually 
become the predominant means of transporting this data. (I didn’t find 
the argument for this prediction compelling, but ...). Thus they chose 
to employ the syntax defined in RFC 5246.

Russ Housley and I have argued that using OCTET STRING here is 
inconsistent with the intent of 5280 (and 2594 and 3280), which defines 
an extension as:

Each extension includes an OID and an ASN.1 structure. When an extension 
appears in a certificate, the OID appears as the field extnID and the 
corresponding ASN.1 DER encoded structure is the value of the octet 
string extnValue.

Since the bulk of the data items have an obvious ASN.1 representation, 
and the certificate or TBS certificate are native ASN.1 structures, we 
feel that the decision to stuff all of the data items into an OCTET 
STRING is inappropriate, and that it sets a bad precedent for others 
developing certificate (and OCSP) extensions in the future.

I’m soliciting feedback from this list on this topic, to pass on to 
Stephen, Kathleen, and the TRANS WG.

Thanks,

Steve
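As an added illustration (not part of Kent's message or of the TRANS draft), the two encoding styles under discussion applied to the same constructed data items: an RFC 5246-style opaque byte layout versus a DER SEQUENCE of native ASN.1 types. The field order and widths are assumptions chosen for the example, not the draft's actual wire format, and the timestamp and hash are constructed values.

```python
import struct
# Constructed sample values; the layout is an assumption for illustration,
# not the TRANS draft's actual wire format.
SAMPLE = {
    "version": 1,
    "log_id": bytes(range(32)),       # 32-byte log identifier
    "timestamp": 1426620894000,       # milliseconds since the epoch, 64-bit
    "hash": b"\x11" * 32,             # 32-byte hash value
    "extensions": b"",                # optional, empty here
}
def tls_style_encode(d):
    """RFC 5246 presentation-language style: fixed-width integers and length-
    prefixed opaque vectors, no tags; a reader must already know every field."""
    out = struct.pack("!B", d["version"])
    out += struct.pack("!B", len(d["log_id"])) + d["log_id"]          # opaque<1..255>
    out += struct.pack("!Q", d["timestamp"])
    out += struct.pack("!B", len(d["hash"])) + d["hash"]
    out += struct.pack("!H", len(d["extensions"])) + d["extensions"]  # opaque<0..2^16-1>
    return out

def _der_len(n):                      # DER length: short form below 0x80, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_integer(v):                   # tag 0x02, minimal two's-complement body
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body
def der_octet_string(b):              # tag 0x04
    return b"\x04" + _der_len(len(b)) + b
def der_sequence(*elems):             # tag 0x30
    body = b"".join(elems)
    return b"\x30" + _der_len(len(body)) + body

def asn1_style_encode(d):
    """What Kent and Housley argue for: the same items as a DER SEQUENCE of
    native ASN.1 types, so every field carries its own tag and length."""
    elems = [der_integer(d["version"]), der_octet_string(d["log_id"]),
             der_integer(d["timestamp"]), der_octet_string(d["hash"])]
    if d["extensions"]:               # OPTIONAL: omitted when absent
        elems.append(der_octet_string(d["extensions"]))
    return der_sequence(*elems)

def der_tags(buf):                    # element tags of a short-form DER SEQUENCE, no schema needed
    body, tags, i = buf[2:2 + buf[1]], [], 0
    while i < len(body):
        tags.append(body[i])
        i += 2 + body[i + 1]
    return tags
```

Either result would still be wrapped in the extnValue OCTET STRING that RFC 5280 mandates; the dispute is only about what sits inside that wrapper, and `der_tags` shows that the ASN.1 form can be walked field by field without knowing the layout in advance.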