Re: [lamps] EST CSRATTRS specifying the SAN
David von Oheimb <nl0@von-Oheimb.de> Mon, 05 July 2021 21:50 UTC
Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 009413A1CEC; Mon, 5 Jul 2021 14:50:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.233
X-Spam-Level:
X-Spam-Status: No, score=-2.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzLPm-jbzoDh; Mon, 5 Jul 2021 14:50:04 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34EAB3A1CE0; Mon, 5 Jul 2021 14:50:03 -0700 (PDT)
Received: from [192.168.178.100] (dynamic-077-009-024-098.77.9.pool.telefonica.de [77.9.24.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id F1615422D89; Mon, 5 Jul 2021 23:49:59 +0200 (CEST)
To: Michael Richardson <mcr+ietf@sandelman.ca>, Russ Housley <housley@vigilsec.com>
References: <83844291-5785-434E-8956-3FF81ECD761C@cisco.com> <9820.1618358856@localhost> <MW3PR11MB47462121627A10A62E006497DB369@MW3PR11MB4746.namprd11.prod.outlook.com> <26435.1623269725@localhost> <25C432F7-EDEE-4FEA-B871-5D7F9311BBF7@sn3rd.com> <6e29b64d-0bc0-d129-beff-4072a482cfbd@von-Oheimb.de> <2219.1625510251@localhost>
From: David von Oheimb <nl0@von-Oheimb.de>
Cc: Sean Turner <sean@sn3rd.com>, Eliot Lear <lear@lear.ch>, anima@ietf.org, SPASM <spasm@ietf.org>
Message-ID: <bf91794a-d8d9-6319-627d-e83fa8b2b399@von-Oheimb.de>
Date: Mon, 05 Jul 2021 23:49:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <2219.1625510251@localhost>
Content-Type: multipart/alternative; boundary="------------1649300031CAB91C501905C6"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7xmIQuB02Jjj_5Xu1q4CEw1awUc>
Subject: Re: [lamps] EST CSRATTRS specifying the SAN
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 21:50:09 -0000
On 05.07.21 20:37, Michael Richardson wrote: > David von Oheimb <nl0@von-Oheimb.de> wrote: > > would have been more apparent. > > well, you just used ASN.1 we didn't understand to explain other ASN.1 we > didn't understand :-) My point is that we don't actually need to understand its details - it is sufficient to exploit the analogy to regular PKCS#10 CSR attribute encoding. > What I took away was that my interpretation was not quite right for getting a explicit value. Yep. > > Further, RFC 7030 section 4.5.2 does not cover the fact that names and > > name components in a CSR may be part of not only various X.509 > > extensions such as SAN (which are to be encoded via the extra > > indirection of the extensionRequest OID) but also of the subject > > field/attribute of type (Distinguished)Name. > > Could you construct an example? Perhaps we could slip it in as errata. I fear that RFC 7030 does not support expressing requested contents of the subject field. For any X.509 extension values, just take excerpts from a DER encoded X.509 request constructed using, e.g,. OpenSSL. For instance, Requested Extensions: X509v3 Key Usage: Digital Signature gets encoded as: 417 28: SEQUENCE { 419 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14) 430 15: SET { 432 13: SEQUENCE { 434 11: SEQUENCE { 436 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 441 4: OCTET STRING, encapsulates { 443 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } : } : } : } > > At least a more comprehensive example would have been very helpful to > > clarify the details of the intended encoding, and likewise any serious > > reference/example implementation, for instance in Cisco's libEST, which > > has remained extremely sketchy regarding the csrattrs topic. > > Are there examples in libest that we can use? > Is there unit test code in there that could be exercised to validate other examples? No, the libEST repo just contains the same minor example given in the RFC, and the example client does not make proper use CSR attributes received. > Are we back to redoing this in JSON? CMP Updates also uses ASN.1, but we define a more straightforward and more capable structure for cert request templates, also exploiting the structural analogy to cert attribute/extension templates used in regular CMP+CRMF cert requests: https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-updates#section-2.16 <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-updates#section-2.16> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#section-4.4.3 <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#section-4.4.3> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#appendix-A <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#appendix-A> (example) On 05.07.21 21:41, Russ Housley wrote: > This proposed "isomorphic" definition: > CsrAttrs ::= SEQUENCE { > oids SET OF OBEJECT IDENTIFIER > attributes SET OF Attribute{{ IOSet }} > } > > Does NOT produce the same bits on the wire as the structure defined in > RF 7030. > > Further, the use of SEQUENCE in RFC 7030 was to avoid the need for the > sort that is imposed when DER encoding SET. Sure; "isomorphic" is a semantic/mathematical term, which deliberately abstracts from any representation and its issues. As pointed out above, I gave the analogy just as an aid for obtaining example encodings of EST CSR attribute items. David
- [lamps] CSRATTRS specifying the SAN Michael Richardson
- Re: [lamps] CSRATTRS specifying the SAN Eliot Lear
- Re: [lamps] CSRATTRS specifying the SAN Michael Richardson
- Re: [lamps] CSRATTRS specifying the SAN Eliot Lear
- Re: [lamps] CSRATTRS specifying the SAN Michael Richardson
- Re: [lamps] CSRATTRS specifying the SAN Sean Turner
- Re: [lamps] EST CSRATTRS specifying the SAN Michael Richardson
- Re: [lamps] EST CSRATTRS specifying the SAN David von Oheimb
- Re: [lamps] EST CSRATTRS specifying the SAN Russ Housley
- Re: [lamps] EST CSRATTRS specifying the SAN David von Oheimb
- [lamps] discussing EST CSRATTRS specifying the SA… Michael Richardson
- Re: [lamps] discussing EST CSRATTRS specifying th… Russ Housley
- Re: [lamps] discussing EST CSRATTRS specifying th… Eliot Lear
- Re: [lamps] EST CSRATTRS specifying the SAN David von Oheimb
- Re: [lamps] EST CSRATTRS specifying the SAN Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] EST CSRATTRS specifying the SAN David von Oheimb