Re: [lamps] AlgorithmIdentifier parameters NULL value - Re: InfoTypeAndValue in CMP headers

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 21 September 2020 15:59 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "Peylo, Martin (Nokia - FI/Espoo)" <martin.peylo@nokia.com>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Mon, 21 Sep 2020 15:59:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5wnHxbRsms9NPYIyDW2dVZsUGDI>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>

Russ

> From: Russ Housley <housley@vigilsec.com>
> 
>> David:
>>
>>> Hendrik:
>>>
>>> I think that draft-ietf-lamps-cmp-updates should be revised to say that the parameters field MUST NOT be present in the description of the Signing Key Pair Types (s 5.3.19.2), Encryption/Key Agreement Key Pair Types (s 5.3.19.3), and Preferred Symmetric Algorithm (s 5.3.19.4).
>> Here I disagree - why not allow CMP servers to specify specific key parameters, e.g., to accept only certain elliptic curve(s).
>>
> The parameter only allows one, so to do that, ECC would have to appear over and over.  If that is the right answer, much text needs to be added.
>

Sorry, I missed the continuation of this thread. 
I would add the following note to 5.3.19.2 and 5.3.19.3:
-------snip-------
Note: In case you wish to offer several EC curves, you need to put several id-ecPublicKey elements, one each per named curve.
-------snip-------
In Section 5.3.19.4 only one specific symmetric algorithm with specific parameters can be specified. I think the note above is not required there.
Does this solve your issue?

- Hendrik
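
The encoding discussed in this message, as an added example that is not part of the original e-mail or of the draft: a list offering two curves is built as one id-ecPublicKey AlgorithmIdentifier per named curve, and the receiving side rejects an EC entry whose parameters field is absent or NULL. It assumes the value is a SEQUENCE OF AlgorithmIdentifier as in RFC 4210; the function names and the choice of secp256r1 and secp384r1 are constructed for illustration.

```python
# Added example: minimal DER helpers, short-form lengths only (< 128 bytes).
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVES = {"secp256r1": "1.2.840.10045.3.1.7", "secp384r1": "1.3.132.0.34"}  # sample choice

def tlv(tag, body):
    if len(body) >= 128:
        raise ValueError("long-form lengths not supported in this sketch")
    return bytes([tag, len(body)]) + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, last byte has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def dec_oid(body):
    if not body:
        raise ValueError("empty OID")
    arcs, val = [body[0] // 40, body[0] % 40], 0  # sufficient for first arc 0 or 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlvs(buf):
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] >= 128 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated or unsupported DER")
        items.append((buf[i], buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return items

def offer_curves(names):
    """Sender side: one id-ecPublicKey AlgorithmIdentifier per named curve."""
    alg_ids = [tlv(0x30, enc_oid(ID_EC_PUBLIC_KEY) + enc_oid(CURVES[n])) for n in names]
    return tlv(0x30, b"".join(alg_ids))

def offered_curves(der):
    """Receiver side: namedCurve OID of every EC entry; reject EC entries without one."""
    top = read_tlvs(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("expected a single SEQUENCE")
    curves = []
    for tag, alg_id in read_tlvs(top[0][1]):
        fields = read_tlvs(alg_id) if tag == 0x30 else []
        if not fields or fields[0][0] != 0x06:
            raise ValueError("malformed AlgorithmIdentifier")
        if dec_oid(fields[0][1]) != ID_EC_PUBLIC_KEY:
            continue  # other key types are outside this example
        if len(fields) != 2 or fields[1][0] != 0x06:
            raise ValueError("id-ecPublicKey needs exactly one namedCurve OID")
        curves.append(dec_oid(fields[1][1]))
    return curves
```
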