Re: [lamps] ASN.1 Module in draft-ietf-lamps-cmp-updates

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 28 April 2021 16:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8iHsd4e5tZKkQnFtZ3b40iQSQjY>

> From: Russ Housley <housley@vigilsec.com>
> Sent: Wednesday, 28 April 2021 18:51
> 
> > On Apr 28, 2021, at 12:27 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
> >
> >
> >> From: Russ Housley <housley@vigilsec.com>
> >>
> >>> On Apr 26, 2021, at 2:52 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
> >>>
> >>>
> >>>> From: Russ Housley <housley@vigilsec.com>
> >>>> Sent: Friday, 23 April 2021 20:06
> >>>>
> >>>> Hendrik:
> >>>>
> >>>> I do not understand how the AlgIdCtrl works.  Can you provide more
> >>>> text in the document?  Is it about the subject public key?  Is it
> >>>> about the signature algorithm to be used by the CA?
> >>>
> >>> The purpose of AlgIdCtrl is to provide the algorithm specification
> >>> the end entity should use for generating its new key pair.
> >>> We discussed the concept of the new controls in thread
> >>> "dtaft-ietf-lamps-cmp-updates and rsaKeyLen".
> >>>
> >>> The current text is:
> >>> 5.3.19.16.  Certificate Request Template  This MAY be used by the
> >>> client to get a template containing  requirements for certificate
> >>> request attributes and extensions and  optionally a specification
> >>> for the key pair to generate for a future  certificate request
> >>> operation.
> >>>
> >>> I could change this to:
> >>> 5.3.19.16.  Certificate Request Template  This MAY be used by the
> >>> client to get a template containing  requirements for certificate
> >>> request attributes and extensions.
> >>>  The controls id-regCtrl-algId and id-regCtrl-rsaKeyLen MAY contain
> >>> details on the algorithms whose subject public key values the CA is
> >>> willing to certify.
> >>>
> >>> Is this clearer?
> >>> More details on the usage will be provided in the Lightweight CMP
> >>> Profile document.
> >>
> >> Yes, but I would like to see another sentence about parameters.  With
> >> ECDSA, for example, the parameters tell which curve the client should use.
> >>
> >
> > I would propose to add the following text.
> >
> > "The id-regCtrl-algId control MAY be used to identify a cryptographic
> > algorithm, see RFC 5820 Section 4.1.2.7, other than rsaEncryption. The
> > algorithm field SHALL identify the cryptographic algorithm. The
> > contents of the optional parameters field will vary according to the
> > algorithm identified.
> >
> > The id-regCtrl-rsaKeyLen control SHALL be used for algorithm
> > rsaEncryption and SHALL contain the intended length of the RSA key."
> 
> This seems fine.  I might also say: For example, when the algorithm is set to
> id-ecPublicKey, the parameters identify the elliptic curve to be used [RFC5480].

I will add that sentence. Thanks!

Hendrik
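
Added example, not part of the original message or of the draft: a client-side check of the AlgorithmIdentifier carried in id-regCtrl-algId, showing how the parameters field selects the curve when the algorithm is id-ecPublicKey. The function names, the curve allow-list and the sample bytes are assumptions made for illustration.

```python
# Added illustration (not from the draft or the thread). Standard library only.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"    # id-ecPublicKey
# Assumption: local allow-list of curves this client is willing to generate.
CURVES = {"1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one short-form DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80 or pos + length > len(buf):
        raise ValueError("long-form or truncated length")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends one arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)      # first octet packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def key_spec_from_alg_id(der):
    """Map an AlgorithmIdentifier (value of id-regCtrl-algId) to (type, curve)."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, alg, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("algorithm must be an OID")
    alg = decode_oid(alg)
    if alg != ID_EC_PUBLIC_KEY:        # RSA is signalled via id-regCtrl-rsaKeyLen
        raise ValueError("not id-ecPublicKey: " + alg)
    tag, curve, pos = read_tlv(body, pos)   # parameters: namedCurve OID
    if tag != 0x06 or pos != len(body):
        raise ValueError("namedCurve OID expected as sole parameter")
    curve = decode_oid(curve)
    if curve not in CURVES:
        raise ValueError("curve not allowed: " + curve)
    return ("EC", CURVES[curve])

# Constructed sample: AlgorithmIdentifier { id-ecPublicKey, secp256r1 }
EC_P256 = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
```

Anything other than a single, fully consumed SEQUENCE with a known curve is rejected rather than falling back to a default key type.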