Re: [lamps] [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
Esko Dijk <esko.dijk@iotconsultancy.nl> Thu, 23 September 2021 14:44 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A16A73A0907; Thu, 23 Sep 2021 07:44:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnvjPXn9RX_e; Thu, 23 Sep 2021 07:44:22 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80105.outbound.protection.outlook.com [40.107.8.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01CB13A0902; Thu, 23 Sep 2021 07:44:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kD87HcP1QPl+TFxhP02AwjKh/9XuQMfv45sCP34QJnBZ8uoUP/1rQMCaBgMYV7YR3ahEWJBU+kyDRXLZIrYmxkvIADfP778lH53fUAijAeOl5KR39n/n+LuWOYOvsge+q66+O0M0dx9SFJ8hSj/wd3+0SE9rNi69tyWXi9uleF4N+Ju1a7jetYGFnvwBVpx8eyFoz3sVZ3d/S7t7BN8QPzH2Ub7nNj6VZwjZsyRzGcnDhQSMy1pOtKi9qvpl6+5sGFS5IK1TjtgIUd6SMPx3lZGby4ogX3hsJ49PPGSeY0u1psrvzzukjKOVmapfcrw/R/PVJid5e3NU301FvQBJsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=H597WGTLfz4wigqBON3CLqP4/6slgO6NT7UurcBWTtk=; b=GyqxOyt8iKfEFw5WZSnKXyZq8AnvsWgdSRxn2NASgsz5HKTbuj2fXaSdMmK6kZgcIqJJOfI/MVOx98NGR3wunih7uQringaZIGarc87axxDcJUoQs+LhGSQ3J/Na3Upj+JKQp1ejqahQ8H45lp+n8yZSjW53m/PMM2MweqjPI8KaxDoNxcpWhcU3mNrSXpS/dQErGQxkxi2P6ODqCjp4CeQgmL3GBgzhAxqgdSSrMNH5f7jXBkxpBG6pYjROJynG5m72f8iE/ceWXiwJttMYI2GOEcyE61QycU7jluddo5cRTU3XbaHtyYmnTwVNBbXZE+4CSNDJe2NcAvksS6tohA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=H597WGTLfz4wigqBON3CLqP4/6slgO6NT7UurcBWTtk=; b=s2OMzEWZQ1SKS00QakLioFsBUDE9XZw7rLJig0rMvN3Oa+JCQdB13TQJ4l1D9/DBo7N77gXqfZSZexMTbxDfasZzt8fuWbid4VJJssU0BVKPH1G96WqhdlfYDTBZg5J52UJglfSKNQpEFLt9ZTSXQ2BJKjlzLZqQbdYeMtkM/bY=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM9P190MB1091.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:272::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.15; Thu, 23 Sep 2021 14:44:11 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::5562:f74d:728a:1a3e]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::5562:f74d:728a:1a3e%9]) with mapi id 15.20.4544.015; Thu, 23 Sep 2021 14:44:11 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Qin Wu <bill.wu@huawei.com>, "spasm@ietf.org" <spasm@ietf.org>
CC: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
Thread-Index: Adeu0rxnYIHpKzlGQYWilHqDTsNwFABquaPQ
Date: Thu, 23 Sep 2021 14:44:10 +0000
Message-ID: <AM8P190MB0979BD0FA805D753C79282C7FDA39@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <968f8c3e981d455183bf6ffb79711129@huawei.com>
In-Reply-To: <968f8c3e981d455183bf6ffb79711129@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=iotconsultancy.nl;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 20968fa6-31fd-4dcc-2a0d-08d97ea09b02
x-ms-traffictypediagnostic: AM9P190MB1091:
x-microsoft-antispam-prvs: <AM9P190MB109133C54EF43E2C1A09A3C2FDA39@AM9P190MB1091.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lps61Z94vPagyzDsNDI19GYoZ+hUEiYgfHddc0i5T/LRPe3JA0TOaLO7Ej/Zbs/1XXM0tdjKq9WaN05HHR7CV3aaL2/YEu6Wt4C2RSwuNdcG/Gi5p041o+6pzn7qqqvK9xPFGb3HyB1mTz26ZUta+15fVh0iEn5NIlMIUcbGgu6xhRfNTksam8WjF+cI2Z/EcTZg0Jrp1yw+VZ+z7Ggqzdu5cp3uPfox14PPDEd1cTxgQcuFuxa7G1NjlD80qv216vHtcAC3QaVF/0CKCpC3jmUzR/XHyKxvrYeSjnwHB6Gg9vhuWhENEjA16tucQCyVyjfUKjYT7RW7AuXuqh5BwkgGx5RLSF6CBYqdRYANUP7hLqW5IVcsCIhZWw+/LNzTRdUgJtypxjVgakzGDg7J736kM1sJ3ah7y6vveJKtzA4TKRN9utPCtiT/CpE96x3eFoG+8G1mJd7e9YmkqRC3ZUS7QTB+6A+lCi5uSVYel4XteQBVeaeLe/SPy7W/nm5kbPQV2bRyvtQzXdJBKpZ4z21i+Q7Eh9rnsqU6MS/jWL451l1G7hX5Yd//a8+uID2Pkq15keDiJ8vfxgCUBChu7zXu1w5Ch/1jDn3BNb9Y072HSKNbMRR6yoUI5l5ilEdiUzFhBL8bEIKbgAts6BKyML2ccuFZeNyyjAN5Q0LfdiuGGTizGKHcH4hOa0VysDCBZhYeywoqxfNgloJ+XxfYdyR10pNTPp/otjZNhDFFSBc9tTiiQXJKhMAUAaLRnMujGkNcRZEesig8r97kDzb7S0FjGNQTAZ86Kh0FY1WyJLs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(39830400003)(376002)(366004)(136003)(396003)(7696005)(8936002)(6506007)(66476007)(53546011)(110136005)(966005)(316002)(44832011)(186003)(64756008)(86362001)(76116006)(66946007)(52536014)(4326008)(83380400001)(66446008)(71200400001)(9686003)(55016002)(38070700005)(8676002)(508600001)(5660300002)(2906002)(38100700002)(122000001)(66556008)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: cgxiYncJ7o0gsDM4Z78qFn/WuUsj1AaGN3+chIBLqaPmCq9B4j4KInWzzW8SWsEYSBzRMDP+f0+1OWnsjc7qT6QEo/ZkeDXdNPNo215BCVHh30ZFbaM2yjMWNKkYks77FoY41zy6ultZ4l8T1M4jOjeE7Tj8bQiRKi0B3JhY8kXxdaVeE8lA+FpXHNMKJMSZky8ujzL2MbrWLLbqxrx7elXSyJ8SrLsoLI35HX7qyzEdujEaTSHP+CZbtf4jDBAihaXrhOum4rzk1euaUBi6REbnXQ1YAqqMMKwrhnMXGIoULn1J+URCZxolhXqovoySoRgLd+YzuKzf2bKnjBqnDBx9Av1yzAXi6o/ksutuxYNqo5oLTFsU9dcVBYrGJ3vgvGnpg0WXM3g6/zVIN35f0gw+URZw7ob1AK59Ga87QP9GzTN2QXgEVqhcIh8Ztor2VWzydZ33otW644AM94o0pSKxMvkgtLv5TXCwvxbw/4mH+EwSjjxpkpA0XQJfz9I3XeMYAGsSDj38SkRZyINbH2rURQsXMU0qqfNsZsqqCDvYci9uq27nVBkIeypljTof2nu07HZptTply36HRIh+lOX/EUPAsdOQg67EQqdwjU/8deLLpTvBfAUBPgx+dPBEiSNxafeRr3EJaz/1jcSEb8wJ2VxO0ST+41vbAWNlQ7XP/dezZNrntbE2t4oGKwLDWsLJgXKigI/EiQ8R7pk2iC7Q8F9Co4oK89apEk77z6/b1CJAcuhBpabLyq3unWtMzOk0WBbM4EZZoJQx9cmZ6EwtkHMrQ2oJsC/fy26nBHsZj2Ir9IsYDiJ0w7ZmZ/X/f9LLZVdDwqFfnNQqlhgqECWF4tYSN1Cl4hUCu26rVO4zndd4bGnemVZKDRZYfxhjaAvaC+iIiBI7PWw8/CVXP52LrzeFFmvrQABV2f5Q2C4dAJopiUgPaj9gGvlxV+YOmpxh2+kytKlJ9cTwqY1OuIxGXHOgmRzOiXyBHdIaXeweCnuD5WnfsFcETf6PFI51taqud6+r0xdS1zzWSI6xzcMHKB1VEUklnkOTW50pigZHtiYFYkN63HVxa0RbuQaU9+VRth7LtVKvR1ablQxfXk/YXaMUAdquSvCIYJ4A9eosQe0qs9tRi68UYkNUEAp6jL3LnkDzgRXozd5LDaYuulpm9XIvmt1qOwH/JsObOYVyjtd3izyqI9Na1lRePb5tIMp8KJ+/tsVp10naGTmpvmUbcVpVwPPvx5p768sMrHR+r4YE2aIvil/SOeiD0Txd4xBWEj91PCO5bNVma2ZxwatHU/vQOtGSh3UaGLj3vfN/UjHlCp54edzcpmH0pkMyfbkpmJ7RXAztSstBblmVf6ErW9Ogpsi0N4AavCfjUixxin2hEQAZ46iJk39PkktA
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 20968fa6-31fd-4dcc-2a0d-08d97ea09b02
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Sep 2021 14:44:10.8988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Sq1v/qDtXkcZc9jjLxkD3FiIIa97cMFAjtTYwhW0dHXo1m8rxevHttflT0krD1qmSKTxDS7h+X+18WTH5R0Q0WG+yj49EShcsTnX2M+QdI4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9P190MB1091
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9Yz2QtRce7QqS0bLqS2i1TYgN28>
Subject: Re: [lamps] [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2021 14:44:29 -0000
Hi,
> [Qin]: Yes, I confuse with the option2 and 3,
> 1. first, I didn't see 2 bytes 04 18 appeared in the below 26 bytes example encoded data
> 2. Second I think ox18 standard for length of encoded data which is 24 bytes.
> 3. Since the 'SEQUENCE' is included in the encoded data, why not choose option 2?
1. Indeed for Option 3, the idevid-issuer field bstr would contain 26 bytes: 041830168014D5039FC78A4DC0468760191FD71B1534C2D88428
Option 2 is 24 bytes: 30168014D5039FC78A4DC0468760191FD71B1534C2D88428
Option 1 is 20 bytes: D5039FC78A4DC0468760191FD71B1534C2D88428
2. Sorry, not quite sure what you meant here! In this case the data inside the octet string ('payload') is 24 bytes but it could be another value depending on how the CA encodes its Authority Key Identifier ext, e.g. how it is hashed / how long the hash is, and what other of the optional fields are included in the AKI.
3. Option 2 and 3 are quite similar I think. In the Constrained-BRSKI draft + interop work we have just selected Option 3, though. This was based on the feeling that Option 3 was closest to the present RFC 8366 definition. The size was not really an argument here because the field is used always in the non-constrained network leg Registrar -> MASA (in Voucher Request) and hardly ever used in the constrained network leg (Registrar -> Pledge, in Voucher).
Best regards
Esko
-----Original Message-----
From: Qin Wu <bill.wu@huawei.com>
Sent: Tuesday, September 21, 2021 12:44
To: Esko Dijk <esko.dijk@iotconsultancy.nl>; lamps@ietf.org
Cc: anima@ietf.org
Subject: RE: [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
Hi, Esko:
-----邮件原件-----
发件人: Anima [mailto:anima-bounces@ietf.org] 代表 Esko Dijk
发送时间: 2021年9月20日 20:48
收件人: Qin Wu <bill.wu@huawei.com>; lamps@ietf.org
抄送: anima@ietf.org
主题: Re: [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
Hello Qin,
> naming of this leaf ' idevid-issuer ' is the root cause for
> introducing such confusion,
For me the cause of the confusion was the sentence " The Authority Key Identifier OCTET STRING (as defined in Section 4.2.1.1 of RFC 5280)".
There is only one OCTET STRING defined in Section 4.2.1.1, which is the keyIdentifier field, also named "Key Identifier" in the draft which is not the "Authority Key Identifier".
The actual Authority Key Identifier OCTET STRING is defined in Section 4.1 as the field " extnValue" which is present in the Authority Key Identifier extension, so one needs to look in another section (4.1) for the meant OCTET STRING. The interpretation is still ambiguous between options 2 and 3 even if you analyse closely.
[Qin]: Yes, I confuse with the option2 and 3,
1. first, I didn't see 2 bytes 04 18 appeared in the below 26 bytes example encoded data
2. Second I think ox18 standard for length of encoded data which is 24 bytes.
3. Since the 'SEQUENCE' is included in the encoded data, why not choose option 2?
> whether the voucher artifacts signed by manufacture, needs to closely
> tie with MASA
For nonceful Vouchers, the MASA would need to sign it or delegate the generation and/or signing to a manufacturer's server. (In the latter case there is a trust relation and operational interaction, but no close tie necessarily.) As long as the signer can be trusted by the Pledge's built-in Trust Anchor, it works.
[Qin]:Thank for clarification, if my understanding is correct, the MASA in the former case is the third party entity while manufacturer's server in the latter case should be deployed together with the device by the same manufacturer.
regards
Esko
-----Original Message-----
From: Qin Wu <bill.wu@huawei.com>
Sent: Saturday, September 18, 2021 11:41
To: Michael Richardson <mcr@sandelman.ca>; lamps@ietf.org
Cc: stokcons@bbhmail.nl; Esko Dijk <esko.dijk@iotconsultancy.nl>; anima@ietf.org
Subject: RE: [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
I agree with this analysis, it looks the naming of this leaf ' idevid-issuer ' is the root cause for introducing such confusion, i.e., easily link KeyIdentifier to 'issuer' defined in section 4.1.2.4 of RFC5280.
Also I am wondering whether the voucher artifacts signed by manufacture, needs to closely tie with MASA. Maybe this relation can be decoupled as well.
-Qin
-----邮件原件-----
发件人: Anima [mailto:anima-bounces@ietf.org] 代表 Michael Richardson
发送时间: 2021年9月9日 1:12
收件人: lamps@ietf.org
抄送: stokcons@bbhmail.nl; Esko Dijk <esko.dijk@iotconsultancy.nl>; anima@ietf.org
主题: [Anima] RFC 8366 / BRSKI / constrained-voucher: what is encoded in the idevid-issuer field?
RFC8366 specifies a idevid-issuer to identify the CA that issued the IDevID.
It says:
https://www.rfc-editor.org/rfc/rfc8366.html#section-5.3
leaf idevid-issuer {
type binary;
description
"The Authority Key Identifier OCTET STRING (as defined in
Section 4.2.1.1 of RFC 5280) from the pledge's IDevID
certificate. Optional since some serial-numbers are
already unique within the scope of a MASA.
Inclusion of the statistically unique key identifier
ensures statistically unique identification of the hardware.
When processing a voucher, a pledge MUST ensure that its
IDevID Authority Key Identifier matches this value. If no
match occurs, then the pledge MUST NOT process this voucher.
When issuing a voucher, the MASA MUST ensure that this field
is populated for serial-numbers that are not otherwise unique
within the scope of the MASA.";
}
We have some discussion about what exactly this means.
https://github.com/anima-wg/constrained-voucher/issues/161 captures this as three possibilities:
1) only the KeyIdentifier OCTET STRING
2) the complete AuthorityKeyIdentifier ASN.1 SEQUENCE structure
3) the complete Authority Key Identifier extension OCTET STRING value 'extnValue' per Section 4.1 of RFC 5280
Esko suggests that (3) is the correct thing, detailed as:
OCTET STRING (26 byte) 30168014D5039FC78A4DC0468760191FD71B1534C2D88428
SEQUENCE (1 elem)
[0] (20 byte) D5039FC78A4DC0468760191FD71B1534C2D88428
> I meant here 26 bytes, sorry!
> So 2 bytes 04 18 are used to encode ‘OCTET STRING’, 2 bytes 30 16 for
> ‘SEQUENCE’, 2 bytes 80 14 for the ‘[0]’ and the rest is the actual
> KeyIdentifier (20 bytes).
We think this consistent with other users of Authority Key Identifier.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima