Re: [lamps] Advertising S/MIME capabilities in a certificate?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 26 November 2019 06:18 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C76B120FD6 for <spasm@ietfa.amsl.com>; Mon, 25 Nov 2019 22:18:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=LEfMhvSY; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=s5hP1Tcd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHu8otW-SbRC for <spasm@ietfa.amsl.com>; Mon, 25 Nov 2019 22:18:24 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862581209D6 for <spasm@ietf.org>; Mon, 25 Nov 2019 22:18:12 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1574749090; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=OcbfnGX8l2jws8SQm4dWPU/CA2Ar9eNpXH0m24iGRwg=; b=LEfMhvSYwZsiPhwquUGEIFuj+XnCjCdGpQmE0sjBODXX662ZQBFwj9Yi szBg3LnKm0S5qC+UUWwJAsKGWVnVDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1574749090; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=OcbfnGX8l2jws8SQm4dWPU/CA2Ar9eNpXH0m24iGRwg=; b=s5hP1TcdIdyosdwJyYwdiP1q1+SL+0Avi2UastOMPbq90Nie+moKuGE6 /tS8syUa/hMpEDDrxtKkn4paQYPMaJ85yPSlIuAvkxiSHMKAPm3/UgSnCa 5RYwwN6BpEG2408/e4z0MLbGrDHGDNsKwG3exMW3SFQQBgoyGJKU6mJZXD QlZsAfOLBNRAy/AtgTucJPy0C4x/73xhaCmH7E2LHUaCMI9MMCyBwYFbp0 RFRdxlOQm0A1vzklwvx2/xTCLbJEhE9Q8mEc8JG85WA6s59zML3Hf5MKOm w8n/F7NDILzPqkuKDeIXxjrZBaPDvReAInS3ObD0G1vykeAdgSyeuA==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 8B70EF9A5; Tue, 26 Nov 2019 01:18:09 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 07451204BD; Tue, 26 Nov 2019 14:18:02 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jim Schaad <ietf@augustcellars.com>, 'LAMPS WG' <spasm@ietf.org>
In-Reply-To: <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com>
References: <87blt4i2ye.fsf@fifthhorseman.net> <053201d5a34b$56e34fb0$04a9ef10$@augustcellars.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Tue, 26 Nov 2019 01:18:01 -0500
Message-ID: <877e3ngnza.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/46QCGfCpgZT2s4P98-Q_1Iz1fxo>
Subject: Re: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 06:18:26 -0000
On Sun 2019-11-24 20:46:42 -0800, Jim Schaad wrote:
> You are looking for RFC 4262
Thanks, Jim.
I see that the X.509v3 extension OID in RFC 4262 has been subsumed in
RFC 8551 (though it isn't clear to me from reading RFC 8551 that this is
the purpose of the OID).
Do you have an example X.509 certificate that contains an indicator that
the certificate holder can handle (some form of) S/MIME compression?
I'm trying to make sense of how that would be structured.
i'm not sure why the extension itself appears to contain a SEQUENCE of
SMIMECapability objects, and yet each SMIMECapability object itself
contains a sequence of capabilityID and parameters.
Why two layers of indirection there?
also, it's not clear to me how the SMIMECapability objects that are
present in the X.509 certificate are supposed to be merged with the most
recently-seen set of capabilities in a signed message. That is, §2.7.1
of RFC 8551 presents an algorithm for selecting an encryption
ciphersuite (and presumably can also be used for things like deciding
whether to compress any objects). But the algorithm doesn't take into
account any capability objects seen on the certificate itself.
Does the presence of a capability in a certificate supercede the most
recent in-message advertisement? does the *absence* of a capability in
a certificate supercede the most recent in-message advertisement?
How are implementers supposed to handle this? It's possible i'm just
not reading these document well -- i'd appreciate pointers to any text
or references that clear up any of the above confusions.
Regards,
--dkg
- [lamps] Advertising S/MIME capabilities in a cert… Daniel Kahn Gillmor
- Re: [lamps] Advertising S/MIME capabilities in a … Dmitry Belyavsky
- Re: [lamps] Advertising S/MIME capabilities in a … Jim Schaad
- Re: [lamps] Advertising S/MIME capabilities in a … Daniel Kahn Gillmor
- Re: [lamps] Advertising S/MIME capabilities in a … Jim Schaad
- Re: [lamps] Advertising S/MIME capabilities in a … Daniel Kahn Gillmor
- Re: [lamps] Advertising S/MIME capabilities in a … Jim Schaad
- Re: [lamps] Advertising S/MIME capabilities in a … Daniel Kahn Gillmor
- Re: [lamps] Advertising S/MIME capabilities in a … Russ Housley