IETF Logo Mail Archive

Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)

David Woodhouse <dwmw2@infradead.org> Tue, 03 August 2021 11:16 UTC

Return-Path: <BATV+a9892ee4225384b73759+6554+infradead.org+dwmw2@twosheds.srs.infradead.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC53A3A1F41; Tue, 3 Aug 2021 04:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=infradead.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hpFGffM9z4yz; Tue, 3 Aug 2021 04:15:58 -0700 (PDT)
Received: from twosheds.infradead.org (twosheds.infradead.org [90.155.92.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DE283A1F3A; Tue, 3 Aug 2021 04:15:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=twosheds.20170209; h=Content-Transfer-Encoding: Content-Type:MIME-Version:Cc:To:From:Subject:Date:References:In-Reply-To: Message-ID:Sender:Reply-To:Content-ID:Content-Description; bh=OPCBfFqKrh0djFa0vMW5lH8FT0zOI8dqqlRUoe+ofIk=; b=C6x8ntGqQbpzoVcP3ARtsFx/dJ SJCNTSq8e2L4IUkOHdA4adt2/jpBKAwrQxAOvaWavzscJzuZi/mNiaRIh+yYNMUaF5HKNEm9wRdS/ GUS7+yiHCi2nTyDwXahs0E7EAnqb8ua7hxAffPTYISNtm8LJVjtOR2X8y2E2YyLnnlQv0S+fia/O3 nt6mHqTHDuR6sz/g9vc6eTZ4HlZu7ESnZmPQpYVOsGx7J3zBIcDijHy4LQahFQIYm+anVsHHr3bC0 qbpmZUhyJXOGFIr2ilxEP+QaL509jg94AADAexk38SC3oFa3DnGWC92HbBWgWfToH1sNco0xXAWNr ATmrtwrA==;
Received: from localhost ([127.0.0.1] helo=twosheds.infradead.org) by twosheds.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mAsOR-00Gq39-Ey; Tue, 03 Aug 2021 11:15:33 +0000
Received: from 2a01:4c8:1095:9c83:1880:5547:aac1:a5b7 (SquirrelMail authenticated user dwmw2) by twosheds.infradead.org with HTTP; Tue, 3 Aug 2021 11:15:31 -0000
Message-ID: <20979807b6c55dd637d0a1645ec73ff1.squirrel@twosheds.infradead.org>
In-Reply-To: <SJ0PR22MB2542E1C2F5C08D9AF5024545E8F09@SJ0PR22MB2542.namprd22.prod.outlook.com>
References: <87czr0ww0d.fsf@fifthhorseman.net> <FF939B28-528B-47F9-9C0C-6585D1B02FBE@vigilsec.com> <87mtq3ukk0.fsf@fifthhorseman.net> <CAErg=HHQMZ1jk+bVxA=MzVvW+9ucie7bu-N6O8Asnp0V8Rf9Bg@mail.gmail.com> <30546.1627850836@localhost> <CAErg=HHKL-E5yT0UnPKcLfMQU41iDg7GGgjsSXs3eRg8daJRkg@mail.gmail.com>, <CAGgd1OfK4rhok5Je0A4VVcuFfTX2PZSRswGyrL=uxGth-UkVRA@mail.gmail.com> <SJ0PR22MB2542E1C2F5C08D9AF5024545E8F09@SJ0PR22MB2542.namprd22.prod.outlook.com>
Date: Tue, 03 Aug 2021 11:15:31 -0000
From: David Woodhouse <dwmw2@infradead.org>
To: Tomas Gustavsson <tomas.gustavsson=40primekey.com@dmarc.ietf.org>
Cc: Deb Cooley <debcooley1@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, LAMPS WG <spasm@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: SquirrelMail/1.4.23 [SVN]-5.fc33.20190710
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by twosheds.infradead.org. See http://www.infradead.org/rpr.html
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0S1qXiWibZzikf_yvZNOWpj5nDg>
Subject: Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Aug 2021 11:17:11 -0000


>> Indeed - use PKCS#7.  Why are we importing keys and certs in this day
>> and age???

Hm, should I add PKCS#7 to the list in
http://david.woodhou.se/draft-woodhouse-cert-best-practice.html (which
already needs
updating for TPMv2 "----- BEGIN TSS2 KEY BLOB-----" wrapped keys now that
those are
standardised between different implementations)?

Slightly closer to the original question, IIRC, I have a bunch of torture
tests for
PKCS#12 and other formats in the OpenConnect test suite at
http://git.infradead.org/users/dwmw2/openconnect.git/tree/HEAD:/tests/certs
(generated by rules in tests/Makefile.am).

I feel quite strongly that any userspace application should JustWork™ when
the user
presents it with a cert+key in any fairly reasonable form (any half-sane
file type
or URI). And users don't have much control over *what* form their keys are
issued
in.

(Apologies if this ends up being a resend)
-- 
dwmw2

v2.23.0 | Report a Bug | By Email