Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen
Russ Housley <housley@vigilsec.com> Fri, 18 September 2020 13:31 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232D33A0825 for <spasm@ietfa.amsl.com>; Fri, 18 Sep 2020 06:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A_s7uT6aH3u0 for <spasm@ietfa.amsl.com>; Fri, 18 Sep 2020 06:31:11 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E529B3A0812 for <spasm@ietf.org>; Fri, 18 Sep 2020 06:31:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 860A5300AA4 for <spasm@ietf.org>; Fri, 18 Sep 2020 09:31:08 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id TrRVJtMhDCjr for <spasm@ietf.org>; Fri, 18 Sep 2020 09:31:07 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 51A85300AA2; Fri, 18 Sep 2020 09:31:07 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <AM0PR10MB24183CEEF92140D72BD00EE8FE3F0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
Date: Fri, 18 Sep 2020 09:31:08 -0400
Cc: "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8B89D138-CC58-45E2-8A2A-859ABBF28DD1@vigilsec.com>
References: <AM0PR10MB2418651EF480383C1FBAD448FE440@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <ECF4A046-3690-4B8A-9851-935CDACA89C2@vigilsec.com> <0368A990-F189-40C0-A63E-5A7CF1F0AD1D@vigilsec.com> <AM0PR10MB24183CEEF92140D72BD00EE8FE3F0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
X-Mailer: Apple Mail (2.3445.104.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BsB12E3Mt8Lhgtqzqbj6mGc0Ipw>
Subject: Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 13:31:12 -0000
Hendrik:
>> I had another though about rsaKeyLen. RFC 4210 uses CertRequest as defined
>> on RFC 4211 in the certificate request, which is:
>>
>> CertRequest ::= SEQUENCE {
>> certReqId INTEGER, -- ID for matching request and reply
>> certTemplate CertTemplate, --Selected fields of cert to be issued
>> controls Controls OPTIONAL } -- Attributes affecting issuance
>>
>> Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
>>
>> Would it be cleaner to define a new control for the rsaKeyLen?
>>
>> These controls are already set up as an OID followed by one or more attribute
>> values. So this seems like a very clean way to provide a minimum RSA key size
>> or a set of elliptic curves.
>
> I am uncertain if this addressing the use case I had in mind. But may be I did not fully understand your suggestion.
>
> I defined id-it-certReqTemplate to offer the EE means to request detailed guideline on the content of a certificate request it whishes to send. The response should include the option to specify the concrete algorithm to generate a key pair for. Therefor a prefilled certTemplate is exactly what we need, plus the key length for RSA keys in rsaKeyLen.
> The EE does not need to specify the key length of the RSA key in the certificate request itself when sending it to the PKI.
>
> May be it helps, if you explain your use case.
I see. Never mind.
Russ
- [lamps] dtaft-ietf-lamps-cmp-updates add section … Brockhaus, Hendrik
- Re: [lamps] dtaft-ietf-lamps-cmp-updates add sect… Fries, Steffen
- [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Tomas Gustavsson
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
- Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley