Re: [pkix] DER encoding in RFC 3161
Koichi Sugimoto <koichi.sugimoto@globalsign.com> Mon, 03 August 2020 06:05 UTC
Return-Path: <koichi.sugimoto@globalsign.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90A573A0B6E for <pkix@ietfa.amsl.com>; Sun, 2 Aug 2020 23:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=globalsign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBxifiwU24QE for <pkix@ietfa.amsl.com>; Sun, 2 Aug 2020 23:05:47 -0700 (PDT)
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-eopbgr1320128.outbound.protection.outlook.com [40.107.132.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F5793A0B6C for <pkix@ietf.org>; Sun, 2 Aug 2020 23:05:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XGgC+6H/O9z9F0GNyIZzBEKe695P7r62+D83ZDtOPtr4umJ+DXYyOmFWGObEKRsw/OnOD9bEOErNqCXbdEk66YcwDNV/lpwE7cIqimCX4dK8uWC/2SwrCJkxGbcvHfDw+k48462wcJEvFn9+5Yns1sr4/1QAagYBqTNbJSnff96TAi8JU916daf/0Fur7MsN5sICLNrxcEjDjAJi1ye84sTkaFjaKUBDVhnoK52Qm0+YaBCENSTC1d5GOfuEHC0F22KIXAdpytLmKAZ/FuGPP2euj0fzSuFoMcyH8GFnYkgMQ+qgGDlRAzSG0JQeV1mr/sqA0BCi2wtdmEWya865fg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CtSEtWRh1g2loUTPAdQe0RgB96We48Ee4EAgY9PZ68E=; b=bZOqvhLtddDQVsah5aK9c3sg9n3vY1f24YH2Bd8diJ1lOp2brFLeGZIUfoP3gpWpYI7rpxqDVa18FYG8P6q5/irmumPCARFJne4VteN/lZl4f6dWFuwMmFOaDsiMV5WbxJndSsnTzeeMWD+FSapmUjStViLaFcT+BwUTZIDzKOnqEgiUIeMXKWwuMIY3LEkRg4OnkDnkhfJLGlqxd+WS1NXB77GWo5muS/4OcFqNwiGVcS/sedXlvpBAiE79ewgCV4MJmppa8nnozEXJcOGUFvWtw/rhqydPjqmZODWvUnz35Dml0p+xJb2gTwCPWNP1oIBGx2k5dSsukxEviJ6BvA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=globalsign.com; dmarc=pass action=none header.from=globalsign.com; dkim=pass header.d=globalsign.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CtSEtWRh1g2loUTPAdQe0RgB96We48Ee4EAgY9PZ68E=; b=ZxwL84/CN25OMYW3qhWsM65P0fZRQzKQRm96c9ws6E8NNhjdWbc0KPSfsMWDpCPPm0m5HCUMaGDh8SqqjamW60txk6xGJALr1XAHTcYBaVON0vlTUmRnwBoZyxMELZ1Bov4WF6NBcyDS5avBjfWrvp1KzRA3NCE4BpCm2QdPHxo=
Received: from PS1PR03MB4892.apcprd03.prod.outlook.com (2603:1096:300:80::17) by PS1PR03MB4922.apcprd03.prod.outlook.com (2603:1096:300:79::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.13; Mon, 3 Aug 2020 06:05:25 +0000
Received: from PS1PR03MB4892.apcprd03.prod.outlook.com ([fe80::fdda:f729:fe10:baf0]) by PS1PR03MB4892.apcprd03.prod.outlook.com ([fe80::fdda:f729:fe10:baf0%2]) with mapi id 15.20.3261.014; Mon, 3 Aug 2020 06:05:25 +0000
From: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] DER encoding in RFC 3161
Thread-Index: AdZksx18VlMWy5IjSUeqIghIxhGjWgBOY4gAANug1aA=
Date: Mon, 03 Aug 2020 06:05:25 +0000
Message-ID: <PS1PR03MB4892E3B5E8DC3208E3E000089D4D0@PS1PR03MB4892.apcprd03.prod.outlook.com>
References: <PS1PR03MB48921EE23E93434559DF1ECE9D730@PS1PR03MB4892.apcprd03.prod.outlook.com> <CAMm+LwhdgfkbwXrfX8yiK3UDJRGOGzMJ2mXuyKqZWTdGbBE6gQ@mail.gmail.com>
In-Reply-To: <CAMm+LwhdgfkbwXrfX8yiK3UDJRGOGzMJ2mXuyKqZWTdGbBE6gQ@mail.gmail.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: hallambaker.com; dkim=none (message not signed) header.d=none;hallambaker.com; dmarc=none action=none header.from=globalsign.com;
x-originating-ip: [122.209.118.181]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2495250a-3eb2-42c5-e298-08d8377336dd
x-ms-traffictypediagnostic: PS1PR03MB4922:
x-microsoft-antispam-prvs: <PS1PR03MB4922EB294D299DB0386E39329D4D0@PS1PR03MB4922.apcprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:1728;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lUHn+GH0B/GcRo450IMME1bIRNv4WYBI0KNQMNMafVqv0UucwZfXmtMApwDPuepmkooScVaXsQaVKvoxtrcjiBzVEvRIG/M62opVCKkR+8RCvHRaQBOROIFzlvrvpUGoxKVTLOtsoSEdmZ7VZIFfiysCNC58yJU5u5yoMLgJIIzMDeRLldfnz95TKAdckRumnA7OtKRsMng/LtA9tKOX5d4SYZlt0yi2NK8s/9NZkGG0omRV5oHGxjAiZ3gj4S7MpRy5dSO0Yfscb9GGJXTpg+H4RffgpDubFtX7CISrHbltrO1KLbddGYJnmRHHsAHEa1Y5tp+cg3211x1T5Jlcj1oV76rbyRFnkEg0F3UbTgiR/+WvBlICq5sWvRB0LZI8luYLGSw13wbNRhfZfYBRrQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PS1PR03MB4892.apcprd03.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(136003)(39860400002)(366004)(376002)(346002)(396003)(478600001)(966005)(44832011)(5660300002)(66946007)(83380400001)(166002)(52536014)(66476007)(66616009)(64756008)(66446008)(76116006)(66556008)(86362001)(71200400001)(4326008)(2906002)(7696005)(33656002)(186003)(26005)(55016002)(9686003)(316002)(6506007)(53546011)(8676002)(99936003)(8936002)(6916009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: lqKGG8ieQK2pj5Pf+u9q2Ft7ThjjWMoi5d+5Mtgc7DN7RBdglLQQGf5T2cU2dNR8VNJZqa0qyKPc+LsFS5Ej+kDzXYoW/VUAWZFabPWoytyg39ncSkFQtZrb6WRjYo4xDUbhEx0P9DQLhXskf3mrFN/kxsfwpG/CTuk3apjFOj6mBaZECXklm9ot5A1PDMYtYb1DWpeIZzF8c4u5NH9S49bh8z1g/VzjLqyBUBiGfbs8JrskiTe6ZI/eAZjEnJ/7UPxBFNO4uOfYDyyZBRRD6LBrQsH/wWiBvFeB+La+Str+SeARqiLOwOpSec13g9De7z5gh+eiptdLWHbo6CZJ45Re1waaCh9qbPo3zglN7sHpVyKWWyyEwxx0jpCTg2cnSKGhdM/y36GD2c4nCg6n7lGEV9ar8Cy6TwjCkJmUexBXXku073gvKtWCt1pTKEgqRskHqCqKk9rTPJD+7Idhu2+RPN61k8b02PlbDlx46C8S1+7A+lMOo0KJx60giDUNoi1Ede88wvbjRFJ0LxD0wWxxOUssauxUaKqv3dsej4MM+N6lQCfQv/T0MqxvVdgjQ/YP0XXwg5gf6EP5bcyGE6ofusAQR83AWlw8JSlHsFZSs0V0HPPLbMd2Tkno4IVy7Cq1A5UAIvlv/5QhjO7NYg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0047_01D669A7.83476F00"
MIME-Version: 1.0
X-OriginatorOrg: globalsign.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PS1PR03MB4892.apcprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2495250a-3eb2-42c5-e298-08d8377336dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Aug 2020 06:05:25.3513 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8fff67c1-8281-4635-b62f-93106cb7a9a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RbwEhsKYI66b9s8tQWM1ZDlgYyJFgK1y8WkilvmU1UZq3FreMK1igL11hxZ3574ByiQhABNCcBDcFn52weirkucZjOxAOECd9PV+4KATttM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PS1PR03MB4922
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/0npTqAPZE6wd_ghCAKPb7Yf2rnI>
Subject: Re: [pkix] DER encoding in RFC 3161
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 06:05:50 -0000
Hello Phillip and PKIX members, Thanks for comments. I understand, ideally better to use strict DER encoding, but we can use BER encoding in practice. Regards, Koichi Sugimoto. From: Phillip Hallam-Baker <phill@hallambaker.com> Sent: Thursday, July 30, 2020 6:10 AM To: Koichi Sugimoto <koichi.sugimoto@globalsign.com> Cc: pkix@ietf.org Subject: Re: [pkix] DER encoding in RFC 3161 I have been doing X.509v3 for 30 years now. I have yet to hear a good answer to the question of why DER encoding is needed in PKIX. It is a requirement of X.509 but not one that makes the slightest sense in these days when you can store a billion certs on one disk drive and X.500 directory has fewer active users than Edison phonographs. Certificates are moved from point A to point B as an opaque binary blob which is encoded by the signer at signing time and only at signing time. This notion of signing the abstract data rather than the binary bits keeps coming up but I have yet to see anyone work out how to do it reliably, let alone add value by doing so. A digital signature is over a string of bits. The road to madness is paved by canonicalization schemes. It is sufficiently possible that there are ASN.1 parsers there that insist on strict DER with definite length encoding throughout that changing PKIX to allow BER encoding would now be a breaking change. And the same argument can be made for cases where BER encoding is indicated. So at this point, the best thing we can do is to just accept that the spec is going to be ugly and not try to fix it. On Tue, Jul 28, 2020 at 3:58 AM Koichi Sugimoto <koichi.sugimoto=40globalsign.com@dmarc.ietf.org <mailto:40globalsign.com@dmarc.ietf.org> > wrote: Hello PKIX members, RFC 3161 specifies “The eContent SHALL be the DER-encoded value of TSTInfo.” in “2.4.2. Response Format” Why RFC 3161 does not require DER-encoded value for full time-stamp token (CMS data)? On the other hand, following protocol encoding seems to require all DER-encoded for entire time-stamp message. 3..1. Time-Stamp Protocol Using E-mail 3.2. File Based Protocol 3.3. Socket Based Protocol 3.4. Time-Stamp Protocol via HTTP This seems time-stamp token requires DER-encoded indirectly. Regards, Koichi Sugimoto. _______________________________________________ pkix mailing list pkix@ietf.org <mailto:pkix@ietf.org> https://www.ietf.org/mailman/listinfo/pkix
- [pkix] DER encoding in RFC 3161 Koichi Sugimoto
- Re: [pkix] DER encoding in RFC 3161 Phillip Hallam-Baker
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann
- Re: [pkix] DER encoding in RFC 3161 Todd E. Johnson
- Re: [pkix] DER encoding in RFC 3161 Koichi Sugimoto
- Re: [pkix] DER encoding in RFC 3161 mrex
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann
- Re: [pkix] DER encoding in RFC 3161 David Chadwick
- Re: [pkix] DER encoding in RFC 3161 mrex
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann
- Re: [pkix] DER encoding in RFC 3161 Manger, James
- Re: [pkix] DER encoding in RFC 3161 Peter Gutmann