[pkix] a question of cert (and OCSP) extension syntax
Stephen Kent <kent@bbn.com> Tue, 17 March 2015 19:34 UTC
Message-ID: <550881DE.8090304@bbn.com>
Date: Tue, 17 Mar 2015 15:34:54 -0400
From: Stephen Kent <kent@bbn.com>
To: pkix <pkix@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/mjSlYfRkMgLyd1v7WF1IE-GZ3no>
Folks,

Stephen Farrell suggested that I pose a question to this list based on an ongoing debate in another WG. A certificate and OCSP extension has been proposed in TRANS. The extension consists of a few data items, principally:

- version number (an integer)
- a log ID (an octet string)
- a time stamp
- a certificate or TBS certificate
- a hash value (a bit or octet string)
- an optional set of TBD protocol-specific extensions

The authors of the proposed extension elected to encode all of these data items as one big OCTET STRING, rather than using the existing, base ASN.1 data types. They elected to not use an ASN.1 structure here because one of the three ways to communicate this data to a client is via a TLS handshake. They believe that the TLS handshake will eventually become the predominant means of transporting this data. (I didn't find the argument for this prediction compelling, but ...). Thus they chose to employ the syntax defined in RFC 5246.

Russ Housley and I have argued that using OCTET STRING here is inconsistent with the intent of 5280 (and 2594 and 3280), which defines an extension as:

    Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue.

Since the bulk of the data items have an obvious ASN.1 representation, and the certificate or TBS certificate are native ASN.1 structures, we feel that the decision to stuff all of the data items into an OCTET STRING is inappropriate, and that it sets a bad precedent for others developing certificate (and OCSP) extensions in the future.

I'm soliciting feedback from this list on this topic, to pass on to Stephen, Kathleen, and the TRANS WG.

Thanks,

Steve
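The encoding question Steve raises is easier to see in bytes. The following added example (not from this thread, the PKIX WG, or the TRANS draft) takes the field list from his message and produces the extnValue two ways: once as a single opaque blob laid out in RFC 5246 presentation-language style, and once as a DER SEQUENCE of base ASN.1 types as RFC 5280 intends. The TLS-style byte layout, the ASN.1 field order, the sample log ID, timestamp and digest are all constructed assumptions for illustration, not the draft's actual structure. The contrast it shows: a generic DER walker can recover every field and length from the structured form with no schema, while the opaque form can only be parsed by code that already knows the fixed widths.

```python
# Added example, not from the PKIX thread or the TRANS draft: one extension
# payload encoded two ways. Field list follows the message; the TLS-style
# layout and the ASN.1 field order are illustrative assumptions.
import struct


# ---- minimal DER encoder / decoder (stdlib only) ----
def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_integer(value):
    """Non-negative INTEGER in minimal two's-complement form."""
    if value < 0:
        raise ValueError("non-negative integers only in this example")
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def der_octet_string(data):
    return der_tlv(0x04, data)

def der_sequence(*parts):
    return der_tlv(0x30, b"".join(parts))

def der_decode(data):
    """Walk a DER blob into [(tag, content), ...]; strict about lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:
            nbytes = first & 0x7F
            if nbytes == 0 or i + nbytes > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        if i + length > len(data):
            raise ValueError("truncated TLV content")
        out.append((tag, data[i:i + length]))
        i += length
    return out


# ---- encoding 1: one opaque blob, RFC 5246 presentation-language style ----
# Assumed layout: uint8 version; opaque log_id[32]; uint64 timestamp_ms;
# opaque digest<0..255>; opaque extensions<0..2^16-1>.
def tls_encode(version, log_id, timestamp_ms, digest, extensions):
    if len(log_id) != 32:
        raise ValueError("log_id must be exactly 32 bytes in this layout")
    return (bytes([version]) + log_id + struct.pack(">Q", timestamp_ms)
            + bytes([len(digest)]) + digest
            + struct.pack(">H", len(extensions)) + extensions)

def tls_decode(blob):
    """Works only because the parser already knows every field width."""
    if len(blob) < 42:
        raise ValueError("blob too short for fixed fields")
    version, log_id = blob[0], blob[1:33]
    timestamp_ms = struct.unpack(">Q", blob[33:41])[0]
    dlen = blob[41]
    digest, p = blob[42:42 + dlen], 42 + dlen
    if len(digest) != dlen or p + 2 > len(blob):
        raise ValueError("truncated digest or extensions length")
    elen = struct.unpack(">H", blob[p:p + 2])[0]
    extensions = blob[p + 2:p + 2 + elen]
    if len(extensions) != elen:
        raise ValueError("truncated extensions")
    return version, log_id, timestamp_ms, digest, extensions


# ---- encoding 2: a DER SEQUENCE, as RFC 5280 expects inside extnValue ----
def asn1_encode(version, log_id, timestamp_ms, digest, extensions):
    return der_sequence(der_integer(version), der_octet_string(log_id),
                        der_integer(timestamp_ms), der_octet_string(digest),
                        der_octet_string(extensions))

def asn1_decode(blob):
    (tag, body), = der_decode(blob)            # exactly one outer element
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields = der_decode(body)
    if [t for t, _ in fields] != [0x02, 0x04, 0x02, 0x04, 0x04]:
        raise ValueError("unexpected field tags")
    v, log_id, ts, digest, ext = (c for _, c in fields)
    return int.from_bytes(v, "big"), log_id, int.from_bytes(ts, "big"), digest, ext

def extn_value(payload):
    """RFC 5280 extnValue: an OCTET STRING wrapping whatever the extension carries."""
    return der_octet_string(payload)

def is_der_structured(payload):
    """Can a generic DER walker find a single SEQUENCE here without a schema?"""
    try:
        return [t for t, _ in der_decode(payload)] == [0x30]
    except ValueError:
        return False

# Constructed sample values (not a real log ID, timestamp or digest).
SAMPLE = dict(version=0, log_id=bytes(range(32)), timestamp_ms=1426620894000,
              digest=bytes.fromhex("ab" * 32), extensions=b"")

if __name__ == "__main__":
    for name, blob in (("TLS-style", tls_encode(**SAMPLE)), ("ASN.1", asn1_encode(**SAMPLE))):
        print(name, len(blob), "bytes; self-describing:", is_der_structured(blob),
              "; extnValue:", extn_value(blob).hex())
```

Both forms end up inside an OCTET STRING extnValue, so the outer certificate parser is indifferent; the difference is what a reader of extnValue can do without the draft in hand. The DER form is a few bytes larger (each field carries its own tag and length), and that overhead is exactly what lets a schema-free decoder, a cert dumper or a fuzzer reject a truncated or mis-sized field instead of misreading the next one.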