Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 18 September 2020 11:09 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Fri, 18 Sep 2020 11:09:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/k466904l-yab4o8kTiWiWkHy8Xw>

Russ

> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> 
> Hendrik:
> 
> I had another thought about rsaKeyLen.  RFC 4210 uses CertRequest as defined
> in RFC 4211 in the certificate request, which is:
> 
>    CertRequest ::= SEQUENCE {
>       certReqId     INTEGER,        -- ID for matching request and reply
>       certTemplate  CertTemplate, --Selected fields of cert to be issued
>       controls      Controls OPTIONAL } -- Attributes affecting issuance
> 
>    Controls  ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
> 
> Would it be cleaner to define a new control for the rsaKeyLen?
> 
> These controls are already set up as an OID followed by one or more attribute
> values.  So this seems like a very clean way to provide a minimum RSA key size
> or a set of elliptic curves.

I am uncertain whether this addresses the use case I had in mind. But maybe I did not fully understand your suggestion.

I defined id-it-certReqTemplate to offer the EE a means to request detailed guidelines on the content of a certificate request it wishes to send. The response should include the option to specify the concrete algorithm to generate a key pair for. Therefore a prefilled certTemplate is exactly what we need, plus the key length for RSA keys in rsaKeyLen.
The EE does not need to specify the key length of the RSA key in the certificate request itself when sending it to the PKI.

Maybe it helps if you explain your use case.

Hendrik
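
The quoted suggestion treats the RSA key length as a control, that is, an OID followed by a value inside `Controls`. The following Python is an added example, not code from this thread or from the draft: it DER-encodes a `Controls` sequence holding one such control and reads the key length back, rejecting truncated input. The OID is a constructed placeholder, and the INTEGER value type and all function names are assumptions.

```python
PLACEHOLDER_OID = "1.3.6.1.4.1.99999.1"  # constructed placeholder, not a registered OID

def _tlv(tag, value):  # DER tag-length-value, short or long length form
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def enc_int(v):  # non-negative INTEGER, minimal length with a clear sign bit
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_controls(controls):  # Controls ::= SEQUENCE OF AttributeTypeAndValue
    atvs = b"".join(_tlv(0x30, enc_oid(o) + enc_int(v)) for o, v in controls)
    return _tlv(0x30, atvs)

def read_tlv(buf, pos=0):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + n], pos + n

def min_rsa_len(der, oid=PLACEHOLDER_OID):
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    want, pos = enc_oid(oid), 0
    while pos < len(body):
        tag, atv, pos = read_tlv(body, pos)
        if tag == 0x30 and atv.startswith(want):  # full OID TLV must match
            vtag, val, _ = read_tlv(atv, len(want))
            if vtag != 0x02:
                raise ValueError("control value is not an INTEGER")
            return int.from_bytes(val, "big", signed=True)
    return None  # control absent: no key-length requirement stated
```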