Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs
Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 21 November 2022 10:42 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AFz-99KpRI-hK4fKyG9nFYvDn_s>
Hi all,

‘Struggling’ is the right word. I noticed that in version -01 of the draft the section 5.1 example is using a differently formatted address than section 5.2, namely:

rfc8994+fd739fc23c3440112233445500000000+@acp.example.com

Why does this look different than typical RFC 8994 example addresses? (It has two ‘+’ characters, not one. And order of names is reversed?) Why not use the standard address example from RFC 8994 to make it easier to understand? Or is there a particular reason for this formatting?

For such examples with a very specific node ID (like ‘fd739fc23c3440112233445500000000’) in the CSR attributes it may be good to point out that the BRSKI client (or, EST client) needs to be authenticated to the server at the time of requesting the CSR attributes. In general RFC 7030 says the client SHOULD NOT require authentication to request the attributes but it looks like BRSKI is then deviating from this recommendation and REQUIRES authentication. If not authenticated, the server can’t send the right node ID to the Pledge, right?

If that’s correct then it is worth pointing out in text with the example because otherwise for people using RFC 7030 as a reference it gets quite confusing.

Regards
Esko

From: Spasm <spasm-bounces@ietf.org> On Behalf Of von Oheimb, David
Sent: Saturday, October 1, 2022 11:32
To: spasm@ietf.org; mcr+ietf@sandelman.ca
Subject: Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs

On Fri, 2022-09-30 at 23:29 +0200, Michael Richardson wrote:
> David von Oheimb <David.von.Oheimb@siemens.com> wrote:
> > I've added to our repo a little script and config using OpenSSL for
> > producing the extended and corrected example ASN.1 encoding:
>
> I saw that, but it generates a CSR, not a CSRattributes :-)

sure, but CSRattrs are designed to have essentially the same structure as CSRs.
And unfortunately I don't have a better tool.

David