Re: [pkix] a question of cert (and OCSP) extension syntax

Melinda Shore <melinda.shore@gmail.com> Tue, 31 March 2015 15:51 UTC

Message-ID: <551AC28D.3010202@gmail.com>
Date: Tue, 31 Mar 2015 07:51:41 -0800
From: Melinda Shore <melinda.shore@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: pkix@ietf.org
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com> <B679DABC-5B8B-40C4-A7C3-527227D4A876@vpnc.org> <9CF25F90-396C-4341-B04D-E850BDBA7339@vigilsec.com> <5C63864B-CE7F-4118-BDC5-2E0419704CB5@vpnc.org>
In-Reply-To: <5C63864B-CE7F-4118-BDC5-2E0419704CB5@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/sZWbb2XkaXmWAMMDZl32O5W5bdA>

On 3/31/15 7:18 AM, Paul Hoffman wrote:
> On Mar 31, 2015, at 8:03 AM, Russ Housley <housley@vigilsec.com>
> wrote:
>> ASN.1 processing is needed to get the value of the OCTET STRING
>> from the extension, so I do not understand the point you are trying
>> to make.
> 
> At the beginning of the thread, it seemed like the issue was
> *encoding* the values, not decoding them. 

Right, but there seems to be some suggestion that there is
certificate processing software out there that tries to decode
the contents of an extension it doesn't recognize or
understand.  I'm hopeful that people raising this concern can
be more specific and point out what software it is.  *That*
would be a pretty good example of the new information we've
been asking for.

Melinda
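The processing rule the thread is circling is the one in RFC 5280 §4.1.2.9 and §4.2: a relying party decodes the extnValue OCTET STRING only for extensions it recognises, treats any other extnValue as opaque bytes, and rejects the certificate if an unrecognised extension is marked critical. The following is an added illustration written for this archive page, not code from anyone in the thread; it uses a minimal DER reader/writer of its own, and the two OIDs under 1.3.6.1.4.1.99999 are made-up placeholders used only to stand in for extensions the verifier has never heard of.

```python
"""Handle X.509 Extensions the way RFC 5280 expects: decode only what we
recognise, keep everything else as raw OCTET STRING contents, and report
unrecognised critical extensions so the caller can reject the certificate.
All sample data below is constructed for this example."""


# ---- tiny DER helpers (enough for SEQUENCE, OID, BOOLEAN, INTEGER, OCTET STRING)

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# ---- Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }

def encode_extension(oid, value, critical=False):
    body = encode_oid(oid)
    if critical:  # DEFAULT FALSE, so DER omits the BOOLEAN when it is FALSE
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))


def parse_extensions(der):
    """Parse an Extensions SEQUENCE OF Extension; extnValue stays as raw bytes."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        t, oid_body, p = read_tlv(ext, 0)
        assert t == 0x06, "extnID must be an OBJECT IDENTIFIER"
        critical = False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:  # optional critical BOOLEAN
            critical = body == b"\xff"
            t, body, p = read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        exts.append({"oid": decode_oid(oid_body), "critical": critical, "value": bytes(body)})
    return exts


# ---- the only extension this toy verifier understands: basicConstraints (2.5.29.19)

OID_BASIC_CONSTRAINTS = "2.5.29.19"


def decode_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    _, body, _ = read_tlv(value, 0)
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:
        _, b, pos = read_tlv(body, pos)
        ca = b == b"\xff"
    if pos < len(body) and body[pos] == 0x02:
        _, b, pos = read_tlv(body, pos)
        path_len = int.from_bytes(b, "big")
    return {"ca": ca, "path_len": path_len}


KNOWN = {OID_BASIC_CONSTRAINTS: decode_basic_constraints}


def process_extensions(der):
    """Return (decoded, unknown_critical).  Recognised extensions are decoded;
    unrecognised ones are kept as opaque bytes and, if critical, listed for
    rejection per RFC 5280 section 4.2.  The contents of an unknown extnValue
    are never interpreted, so non-DER payloads cannot break the parse."""
    decoded, unknown_critical = {}, []
    for ext in parse_extensions(der):
        handler = KNOWN.get(ext["oid"])
        if handler:
            decoded[ext["oid"]] = handler(ext["value"])
        else:
            decoded[ext["oid"]] = ext["value"]
            if ext["critical"]:
                unknown_critical.append(ext["oid"])
    return decoded, unknown_critical


# Constructed sample: one recognised critical extension, one unknown non-critical
# extension whose payload is deliberately not valid DER, one unknown critical one.
# The 1.3.6.1.4.1.99999.* OIDs are placeholders invented for this example.
SAMPLE = tlv(0x30,
    encode_extension(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), critical=True)
    + encode_extension("1.3.6.1.4.1.99999.1", b"not DER at all", critical=False)
    + encode_extension("1.3.6.1.4.1.99999.2", b"\x01\x02", critical=True))

if __name__ == "__main__":
    decoded, unknown_critical = process_extensions(SAMPLE)
    print(decoded)
    print("reject certificate, unknown critical extensions:", unknown_critical)
```

Running it decodes basicConstraints to `{'ca': True, 'path_len': None}`, passes the non-DER payload of the first placeholder extension through untouched, and reports the second placeholder OID as an unknown critical extension that must cause the certificate to be rejected. Whether a particular deployed implementation instead tries to decode the contents of extensions it does not recognise is exactly the empirical question the message above asks for.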