Re: [pkix] a question of cert (and OCSP) extension syntax

Sean Leonard <dev+ietf@seantek.com> Wed, 25 March 2015 14:30 UTC

Return-Path: <dev+ietf@seantek.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AAA81AD357 for <pkix@ietfa.amsl.com>; Wed, 25 Mar 2015 07:30:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJ5MZUID-xT4 for <pkix@ietfa.amsl.com>; Wed, 25 Mar 2015 07:30:07 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB94B1AD352 for <pkix@ietf.org>; Wed, 25 Mar 2015 07:30:06 -0700 (PDT)
Received: from [10.9.132.6] (unknown [23.105.140.20]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 65304509C0; Wed, 25 Mar 2015 10:30:03 -0400 (EDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_BDE977DA-B4D8-4C20-861C-8E8D986D1D23"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Leonard <dev+ietf@seantek.com>
In-Reply-To: <EF3BDB0E-F3FB-455F-88E7-7196ADCCE60B@vpnc.org>
Date: Wed, 25 Mar 2015 09:28:16 -0500
Message-Id: <A6CB2612-1EC0-45FD-B0B5-7356BABBD169@seantek.com>
References: <550881DE.8090304@bbn.com> <EF3BDB0E-F3FB-455F-88E7-7196ADCCE60B@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/ulI7fiXGDwhQFCKNR9_Plw7MrJo>
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 14:30:09 -0000

On Mar 18, 2015, at 10:12 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> There is no problem with an extension being a blob of data that does not have an ASN.1 structure. Any PKIX-y application that *needs* to read the parts of the blob can do so in the same way that a TLS-y application does, using the same decoder. To be clear: most PKIX-y applications don't descend into ASN.1 structures for extensions they don't know about, so this isn't really any different.

Another argument for ASN.1 encoding is that there are “PKIX-y applications” that are not TLS-y applications (at least, not at that level of the software stack). All TLS-y applications are PKIX-y (because TLS pretty much requires certificate validation or parsing in some form), but not all PKIX-y applications are TLS-y. Thus a TLS-oriented decoder may not be available to the PKIX processing part of the app. To the extent TLS is used, the decoder may be hidden in other layers of the software stack, rendered inaccessible to other parts of the application.

This comment comes from experience. Even in PKIX-processing code, if something (e.g., CRL, OCSP) needs to be fetched over HTTPS, usually some basic library call with the equivalent functionality of “wget https://foo” is used to fetch the data.

From a debugging/analysis perspective, using ASN.1 just makes more sense. That way wire sniffing diagnostic tools can unpack the ASN.1 extension so you can see individual values, even if they are not specifically labeled with the TRANS semantics.

Sean