Re: [pkix] [Technical Errata Reported] RFC3029 (6444)

Erwann Abalea <eabalea@gmail.com> Sun, 28 February 2021 18:53 UTC

Return-Path: <eabalea@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A7BB3A1AAA for <pkix@ietfa.amsl.com>; Sun, 28 Feb 2021 10:53:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8f93OTZnmtr for <pkix@ietfa.amsl.com>; Sun, 28 Feb 2021 10:53:56 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7961E3A1AA8 for <pkix@ietf.org>; Sun, 28 Feb 2021 10:53:56 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id jt13so24180213ejb.0 for <pkix@ietf.org>; Sun, 28 Feb 2021 10:53:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nlsMfEq96+3E+e2KF9WB1PE3Het2l5eGKfY2ttabv0E=; b=AyV3lWaJQrlksm76NLuiPm0MxB+b89b0Yo9zE2UyZu7RaX/Jg8jpGjirtr+9fXClG+ yUuyUmHzdMSDUucwsmuTP3mLorymF5bUXt1U7JizgGrqfc2BcSaQv6hLxSQbWFyhglxD 385yMf//qanNJpFUCijNXRi+3g5TJ4EY2xlt3qgzjTb7nQzd23AVJ3xf+fAb+eFI+Y8x dyikeUlPp2dtw2e56z8oZJdBwth1rOQWR1WPInao1VsK96Ms4QLNLvMXkpAqdQ5JiV1A eoR40DO3/ByIzWZ1c/4LgbNJvjJFiwvkcREx1EQ3pWiV/GYS8CHhggGan7AQ1Nt79f1K 04Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nlsMfEq96+3E+e2KF9WB1PE3Het2l5eGKfY2ttabv0E=; b=slYgzKGTXw+X7DVRA0eI2c0GkRT5E96FN78mF4JselsGxMoZBm6NJeEuDLtwLDey5N SsTFcL2C1O1mAUcinjeKiBRxUS7cecFR8/gg/+akBae0GGQNxWAzDjWA+pSufyxtK8jh Eao+dlNCIpHI8HankOolD9ab8fBr77cN/7fu5MK2+f1oL7ZO9TEladl/v2kKLJjSOn4P Dwg+UwWTn6fskYT8DjDkysk8pVjygA+L7xbl9bnkigtI/wUS7X5+zSSRFIcCjsEDUILg KWkKVqmiinAZkglPdY4ZrMs1dfhNVqLe4in1XZFrTP/7r3/KrfkSeFr2/QkMPAvjolVT cAnw==
X-Gm-Message-State: AOAM531Ghv1KmWv60GLFIZa0Mp065ihALm8kOM6PZt3qKXNnjcXOQ0hi qzWo3L5bw6d1QIEFVZRXClU6RbrFnhZTaay4GqQ=
X-Google-Smtp-Source: ABdhPJz24OSLTDXmCXV+isevMIG0qbQcDKdHX8zCKC7Ln7druKhOl1DJRimfVNO5P8BisuDHCpbMccYGntWTnxLFMFQ=
X-Received: by 2002:a17:907:9495:: with SMTP id dm21mr12595640ejc.462.1614538433028; Sun, 28 Feb 2021 10:53:53 -0800 (PST)
MIME-Version: 1.0
References: <20210226205457.C1E5FF40764@rfc-editor.org> <109BE558-3363-4030-A906-E329B7ED28B4@vigilsec.com>
In-Reply-To: <109BE558-3363-4030-A906-E329B7ED28B4@vigilsec.com>
From: Erwann Abalea <eabalea@gmail.com>
Date: Sun, 28 Feb 2021 19:53:42 +0100
Message-ID: <CA+i=0E4K6nWAAfiuuQ-uOR+9+9G+9=T9J=EMmqqP7-oA00tP6w@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: "Roman D. Danyliw" <rdd@cert.org>, Ben Kaduk <kaduk@mit.edu>, Stefan Santesson <stefan@aaa-sec.com>, IETF PKIX <pkix@ietf.org>, Carlisle Adams <cadams@site.uottawa.ca>
Content-Type: multipart/alternative; boundary="000000000000c6eaa405bc6a050e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/tedb74Jugz12_YSAGPsrKskJjic>
Subject: Re: [pkix] [Technical Errata Reported] RFC3029 (6444)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2021 18:53:59 -0000

Le sam. 27 févr. 2021 à 08:45, Russ Housley <housley@vigilsec.com> a écrit :

> I guess I should have held off on reporting this ASN.1 error.  Once I
> corrected it, I discovered two errors that I do not know how to fix.
>
> There is an implementation somewhere because Appendix F contains
> examples.  I do not know how the implementer got around these two problems.
>
>
> PROBLEM 1:
>
> CertEtcToken ::= CHOICE {
>      certificate                  [0] IMPLICIT Certificate ,
>      esscertid                    [1] ESSCertId ,
>      pkistatus                    [2] IMPLICIT PKIStatusInfo ,
>      assertion                    [3] ContentInfo ,
>      crl                          [4] IMPLICIT CertificateList,
>      ocspcertstatus               [5] IMPLICIT CertStatus,
>      oscpcertid                   [6] IMPLICIT CertId ,
>      oscpresponse                 [7] IMPLICIT OCSPResponse,
>      capabilities                 [8] SMIMECapabilities,
>      extension                    Extension{{ExtensionSet}}
> }
>
> CertEtcToken is a CHOICE with tags 0 through 8, but CertStatus CHOICE with
> tags 0 through 2.  You cannot nest a CHOICE in another CHOICE is the
> IMPLICIT tags overlap.
>
> The use of EXPLICIT tagging would have solved the problem, but the authors
> clearly preferred IMPLICIT tags.
>

Here, it's easy. The outermost IMPLICIT tag is transformed into an EXPLICIT
one by the ASN.1 compiler (it will probably emit a warning, though).

PROBLEM 2
>
> DigestInfo ::= SEQUENCE {
>     digestAlgorithm   DigestAlgorithmIdentifier,
>     digest            Digest
> }
>
> Data ::= CHOICE {
>       message           OCTET STRING ,
>       messageImprint    DigestInfo,
>       certs             SEQUENCE SIZE (1..MAX) OF
>                             TargetEtcChain
> }
>
> DigestInfo is a SEQUENCE, and certs is a SEQUENCE, so the two have the
> same tag.  A recipient cannot tell which one the sender intended.
>

For this one, there's clearly no solution. Tagging would have solved it
(any kind of tagging mode), but it's missing.


>
> > On Feb 26, 2021, at 3:54 PM, RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
> >
> > The following errata report has been submitted for RFC3029,
> > "Internet X.509 Public Key Infrastructure Data Validation and
> Certification Server Protocols".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6444
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: Russ Housley <housley@vigilsec.com>
> >
> > Section: Appendix E
> >
> > Original Text
> > -------------
> >  GeneralName, PolicyInformation
> >  FROM PKIX1Implicit88 {iso(1) identified-organization(3)
> >  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
> >  id-mod(0) id-pkix1-implicit-88(2)}
> >
> > Corrected Text
> > --------------
> >  GeneralName, GeneralNames, PolicyInformation
> >  FROM PKIX1Implicit88 {iso(1) identified-organization(3)
> >  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
> >  id-mod(0) id-pkix1-implicit-88(2)}
> >
> > Notes
> > -----
> > The ASN.1 Module uses GeneralName and GeneralNames, but only one of them
> is IMPORTed.  The suggested fix IMPORTS both of GeneralName and
> GeneralNames.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC3029 (draft-ietf-pkix-dcs-07)
> > --------------------------------------
> > Title               : Internet X.509 Public Key Infrastructure Data
> Validation and Certification Server Protocols
> > Publication Date    : February 2001
> > Author(s)           : C. Adams, P. Sylvester, M. Zolotarev, R. Zuccherato
> > Category            : EXPERIMENTAL
> > Source              : Public-Key Infrastructure (X.509)
> > Area                : Security
> > Stream              : IETF
> > Verifying Party     : IESG
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>


-- 
Erwann.