Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)
Dmitry Belyavsky <beldmit@gmail.com> Thu, 05 August 2021 12:49 UTC
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Thu, 05 Aug 2021 14:48:58 +0200
Message-ID: <CADqLbzJjo0vJMLMoWEGjGT0aqyP2epabncEFx-uj-d6ZFB-CXA@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BASoGqQQlncbj9ggw6p__l3Fp_Q>
Subject: Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)

Dear Daniel,

On Thu, Aug 5, 2021 at 2:49 AM Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> Thanks for the ideas and suggestions, everyone.
>
> I hear the consensus of the group that any sample object
> included for reference should be in DER form, with no indefinite
> lengths. I will definitely respect that.
>
> On Wed 2021-08-04 12:12:08 -0400, Ryan Sleevi wrote:
> > When I compare the examples mentioned by Dmitry, it does seem that both NSS
> > and OpenSSL expect the PKCS#7 data (1.2.840.113549.1.7.1) to be an OCTET
> > STRING with the encoded SEQUENCE, rather than the SEQUENCE itself.
>
> I might be having a hard time understanding what's in Dmitry's repo.
> I can't tell whether it's supposed to represent PKCS#12 objects that are
> produced by these tools or consumed by these tools, though README.md
> seems to imply that it's kind of both. I don't see any script that
> shows how they were generated.

It's not my repo, it's a Red Hat PKCS12 test corpse :)
I asked my colleagues for more details.

The certs in that repo were generated by openssl, gnutls or NSS, but some of
them were generated by modifying the sources of those libraries, so that's why
there is no script to generate them.

They also say there is no single implementation that can import all of them.

Quoting them, "basically it's a set of pkcs#12 files that to the best of our
knowledge are well formed (with the exception of the NSS files with unicode
passwords)."
These files mostly demonstrate various encryption options.

> I'll set aside the multiple-key case for now, to focus for the moment on
> a single-private-key use case so that we can try to evaluate encodings.

I've never seen PKCS12 with multiple private keys so I totally agree with you.

--
SY, Dmitry Belyavsky
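
The two encoding points quoted in this message (DER with no indefinite lengths, and id-data content carried as an OCTET STRING around the encoded SEQUENCE) can be checked mechanically. The sketch below is an added example, not part of the original message or of the repo it discusses; the function names are hypothetical and the sample bytes are constructed for illustration.

```python
ID_DATA = bytes.fromhex("06092a864886f70d010701")  # OID 1.2.840.113549.1.7.1

def header(buf, off):
    """Return (tag, content_start, length); length is None for indefinite form."""
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this sketch")
    if first < 0x80:                      # short definite form
        return tag, off + 2, first
    if first == 0x80:                     # BER indefinite form, forbidden in DER
        return tag, off + 2, None
    n = first & 0x7F                      # long definite form
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def walk(buf, off, hits):
    """Walk one TLV, record offsets of indefinite lengths, return its end offset."""
    tag, start, length = header(buf, off)
    if length is None:
        hits.append(off)
        pos = start
        while buf[pos:pos + 2] != b"\x00\x00":   # children run until end-of-contents
            pos = walk(buf, pos, hits)
        return pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated element at offset %d" % off)
    pos = start
    while tag & 0x20 and pos < end:       # descend only into constructed elements
        pos = walk(buf, pos, hits)
    return end

def indefinite_offsets(buf):
    """Offsets of every indefinite-length element; an empty list is required for DER."""
    hits = []
    walk(buf, 0, hits)
    return hits

def id_data_content_tag(content_info):
    """Tag of the value inside [0] EXPLICIT of an id-data ContentInfo."""
    tag, start, _ = header(content_info, 0)
    if tag != 0x30 or content_info[start:start + len(ID_DATA)] != ID_DATA:
        raise ValueError("not an id-data ContentInfo")
    ctag, cstart, _ = header(content_info, start + len(ID_DATA))
    if ctag != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    return header(content_info, cstart)[0]

# Constructed samples; the payload is SEQUENCE { INTEGER 5 } = 30 03 02 01 05.
WRAPPED = bytes.fromhex("3014" + ID_DATA.hex() + "a007" + "0405" + "3003020105")
BARE = bytes.fromhex("3012" + ID_DATA.hex() + "a005" + "3003020105")
BER = bytes.fromhex("3080" + ID_DATA.hex() + "a080" + "0405" + "3003020105" + "00000000")
```

A content tag of 0x04 is the OCTET STRING wrapping described in the quoted text; 0x30 is the bare SEQUENCE. The walker flags indefinite lengths only and does not check the other DER rules, such as minimal length encoding.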