Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs

Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 21 November 2022 10:42 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "von Oheimb, David" <david.von.oheimb@siemens.com>, "spasm@ietf.org" <spasm@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
Date: Mon, 21 Nov 2022 10:41:43 +0000
Message-ID: <DU0P190MB1978A5049FE06F438B6EBAFAFD0A9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com> <3758.1659557693@localhost> <399c3a1e-ee28-cc85-6e6a-cee210e70753@siemens.com> <DM6PR14MB2186188B8CFA66967F52A081929F9@DM6PR14MB2186.namprd14.prod.outlook.com> <19f4388a-49e1-d14e-2463-e9f0e181c2ea@siemens.com> <997117.1664573368@dooku> <cf6f2e271a0ecda5875e38a10c7455fcf03ddeb6.camel@siemens.com>
In-Reply-To: <cf6f2e271a0ecda5875e38a10c7455fcf03ddeb6.camel@siemens.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AFz-99KpRI-hK4fKyG9nFYvDn_s>
Subject: Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs

Hi all,

‘Struggling’ is the right word. I noticed that in version -01 of the draft the section 5.1 example is using a differently formatted address than section 5.2, namely:

rfc8994+fd739fc23c3440112233445500000000+@acp.example.com

Why does this look different from typical RFC 8994 example addresses? (It has two ‘+’ characters, not one. And the order of names is reversed?) Why not use the standard address example from RFC 8994 to make it easier to understand? Or is there a particular reason for this formatting?

For such examples with a very specific node ID (like ‘fd739fc23c3440112233445500000000’) in the CSR attributes, it may be good to point out that the BRSKI client (or EST client) needs to be authenticated to the server at the time of requesting the CSR attributes. In general, RFC 7030 says the client SHOULD NOT require authentication to request the attributes, but it looks like BRSKI is then deviating from this recommendation and REQUIRES authentication. If not authenticated, the server can’t send the right node ID to the Pledge, right? If that’s correct, then it is worth pointing out in the text with the example, because otherwise for people using RFC 7030 as a reference it gets quite confusing.

Regards
Esko
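As an added illustration (example code, not from the draft, RFC 8994 or any of the posters): a parser for the acp-node-name carried in the rfc822Name SAN, written from the RFC 8994 Section 6.2.2 ABNF as transcribed here (assumption: check it against the RFC), that accepts both the RFC's example form with a routing subdomain and the -01 draft's form with an empty rsub, and recovers the ACP IPv6 address and routing subdomain from each. The input strings are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ABNF as transcribed here from RFC 8994, Section 6.2.2 (assumption: verify against the RFC):
#   acp-node-name = local-part "@" acp-domain-name
#   local-part    = key [ "+" local-info ]
#   key           = "rfc8994"
#   local-info    = [ acp-address ] [ "+" rsub extensions ]
#   acp-address   = 32HEXDIG / "0"
#   rsub          = [ <subdomain> ]          ; RFC 1034 subdomain, may be empty
#   extensions    = *( "+" extension )
# In "rfc8994+<addr>+@domain" the second "+" introduces an empty rsub.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = _LABEL + r"(?:\." + _LABEL + r")*"
_ETEXT = r"[A-Za-z0-9.\-_~!$&'()*,;=@]+"
_NODE_NAME = re.compile(
    r"^rfc8994"
    r"(?:\+(?P<addr>[0-9A-Fa-f]{32}|0)?"
    r"(?:\+(?P<rsub>" + _DOMAIN + r")?(?P<ext>(?:\+" + _ETEXT + r")*))?)?"
    r"@(?P<domain>" + _DOMAIN + r")$"
)


@dataclass
class AcpNodeName:
    acp_address: Optional[ipaddress.IPv6Address]  # None when absent or "0"
    rsub: str                                     # "" when the rsub is empty
    acp_domain_name: str
    extensions: List[str] = field(default_factory=list)

    @property
    def routing_subdomain(self) -> str:
        # routing-subdomain = [ rsub "." ] acp-domain-name
        return f"{self.rsub}.{self.acp_domain_name}" if self.rsub else self.acp_domain_name


def parse_acp_node_name(rfc822name: str) -> AcpNodeName:
    """Parse the rfc822Name value of an ACP certificate (or of the CSR attribute)."""
    m = _NODE_NAME.match(rfc822name)
    if m is None:
        raise ValueError(f"not an RFC 8994 acp-node-name: {rfc822name!r}")
    addr = m.group("addr")
    # 32 hex digits are the 16 bytes of the node's ACP IPv6 address; "0" means none.
    ipv6 = ipaddress.IPv6Address(bytes.fromhex(addr)) if addr and addr != "0" else None
    ext = [e for e in (m.group("ext") or "").split("+") if e]
    return AcpNodeName(ipv6, m.group("rsub") or "", m.group("domain"), ext)


def is_valid_acp_node_name(rfc822name: str) -> bool:
    return _NODE_NAME.match(rfc822name) is not None
```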

From: Spasm <spasm-bounces@ietf.org> On Behalf Of von Oheimb, David
Sent: Saturday, October 1, 2022 11:32
To: spasm@ietf.org; mcr+ietf@sandelman.ca
Subject: Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs

On Fri, 2022-09-30 at 23:29 +0200, Michael Richardson wrote:

David von Oheimb <David.von.Oheimb@siemens.com> wrote:
> I've added to our repo a little script and config using OpenSSL for
> producing the extended and corrected example ASN.1 encoding:

I saw that, but it generates a CSR, not a CSRattributes :-)

sure, but CSRattrs are designed to have essentially the same structure as CSRs.
And unfortunately I don't have a better tool.

David