IETF Logo Mail Archive

Re: [lamps] EST CSR attrs discussion

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 01 August 2021 21:26 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 664283A11D9 for <spasm@ietfa.amsl.com>; Sun, 1 Aug 2021 14:26:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mo4Rp0eOUUoj for <spasm@ietfa.amsl.com>; Sun, 1 Aug 2021 14:26:01 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A30143A11D8 for <spasm@ietf.org>; Sun, 1 Aug 2021 14:26:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id F00A638A22; Sun, 1 Aug 2021 17:30:04 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id gHOQPICY7yhU; Sun, 1 Aug 2021 17:30:01 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 5AE9538A21; Sun, 1 Aug 2021 17:30:01 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id DAEABB24; Sun, 1 Aug 2021 17:25:55 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Dan Harkins <dharkins@lounge.org>, spasm@ietf.org
In-Reply-To: <e87a9fef-9e8c-d470-a6dc-77684cac0005@lounge.org>
References: <e87a9fef-9e8c-d470-a6dc-77684cac0005@lounge.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 01 Aug 2021 17:25:55 -0400
Message-ID: <10585.1627853155@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0awHede06XgN-u8cOuVfF5U2QDY>
Subject: Re: [lamps] EST CSR attrs discussion
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Aug 2021 21:26:07 -0000

Dan Harkins <dharkins@lounge.org> wrote:
    >   Sorry, I wasn't aware that this issue was being discussed and I wasn't
    > on the lamps/spasm list. But I'm largely responsible-- i.e. to blame-- for
    > the CSR Attrs text in RFC 7030 so perhaps I can try and explain.

okay.

RFC7030 section 4.5.2 includes the example:

       MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ
       BgcrBgEBAQEWBggqhkjOPQQDAw==


obiwan-[~](2.6.6) mcr 10076 %base64 -d </tmp/k1 | dumpasn1 -
  0  65: SEQUENCE {
  2   9:   OBJECT IDENTIFIER challengePassword (1 2 840 113549 1 9 7)
 13  18:   SEQUENCE {
 15   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
 24   7:     SET {
 26   5:       OBJECT IDENTIFIER secp384r1 (1 3 132 0 34)
       :       }
       :     }
 33  22:   SEQUENCE {
 35   9:     OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
 46   9:     SET {
 48   7:       OBJECT IDENTIFIER '1 3 6 1 1 1 1 22'
       :       }
       :     }
 57   8:   OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3)
       :   }

which sure looked to me like it's asking for extensionRequest with value 1.3.6.1.1.1.22.
Is it in fact asking for an extension of 1.3.6.1.1.1.22?
And ecPublicKey should have value 1.3.132.0.34.

(which presumably, also means you'd better provide a key of that algorithm)

It seems that some errata needs to be files.

The RFC899[45] design team included Max Pritikin, who seemed fine with the idea
that we could send values, but maybe he just missed this point.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email