Re: [lamps] [EXTERNAL] CMP vs RFC5280

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 20 March 2024 10:05 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DNIDCqi4Y-dLvtAKk3Smfst5wpU>

Max,

Thank you for pointing out the differences between ITU-T X.509 (2019) and RFC 5280.

I just submitted a new version of the draft completely removing the
reference to ITU-T X.509.

Hendrik


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Wednesday, 20 March 2024 10:18
To: madwolf <madwolf@openca.org>; spasm@ietf.org
Subject: Re: [lamps] [EXTERNAL] CMP vs RFC5280

Good point, Max.

I think the intent here is to fully reference the RFC 5280 definition of
X.509, and fully separate from the ITU definition of X.509.

- Mike Ounsworth

  _____  

From: Spasm <spasm-bounces@ietf.org> on behalf of madwolf <madwolf@openca.org>
Sent: Wednesday, March 20, 2024 3:23:10 PM
To: spasm@ietf.org <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] CMP vs RFC5280

 


Hi Hendrik, All,

I support the change. I too think it should be safe. 

I just wanted to add something for the initial question about updating the
reference to the 2019 version of ISO (or subsequent errata) and I think it
might not be a good idea since the 2019 version introduces support for
altSignature* and keys for hybrids that we do not have in 5280.

Kind Regards,
Massimiliano

On 3/19/2024 6:40 AM, Brockhaus, Hendrik wrote:

Thank you for this finding. I opened
https://github.com/lamps-wg/cmp-updates/issues/55

 

Doing some research on the topic, I found the following:

RFC 2510 / RFC 4210 define “certificate” as defined in ITU-T X.509 (in the
abstract / in the introduction). Of course, the term “certificate” is used in
many, many places.

RFC 2510 and RFC 4210 use the type Certificate as defined in RFC 2459.

RFC 4210 introduces the ASN.1 type CMPCertificate:

      CMPCertificate ::= CHOICE {
         x509v3PKCert        Certificate
      }
   -- This syntax, while bits-on-the-wire compatible with the
   -- standard X.509 definition of "Certificate", allows the
   -- possibility of future certificate types […]

With the 2002 ASN.1 module updates, the type Certificate is imported from the
2002 ASN.1 module of RFC 5280.

As the ASN.1 module in rfc4210bis is based upon that 2002 ASN.1 module, it
clearly imports from RFC 5280. Therefore, I think it is safe to change the
reference from ITU-T X.509 to RFC 5280.

 

What do others think?

 

Hendrik
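An added example (mine, not code from the thread or from RFC 4210) showing in plain Python why the "bits-on-the-wire compatible" comment above holds: DER gives a CHOICE no tag of its own, so a CMPCertificate carrying x509v3PKCert is byte-for-byte a Certificate, whichever document the type is imported from, while any future alternative needs a tag of its own to stay decodable. The toy certificate bytes and the tagged future alternative are constructed assumptions.

```python
def der_tlv(tag: int, content: bytes) -> bytes:
    """Build one DER TLV (short-form length only, enough for the toy data)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_parse(data: bytes, pos: int = 0):
    """Parse one TLV at pos -> (tag, content, next_pos); handles long lengths."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, data[start:start + length], start + length

def der_children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_parse(content, pos)
        out.append((tag, body))
    return out

# Constructed stand-in for a DER Certificate: SEQUENCE { tbsCertificate SEQUENCE,
# signatureAlgorithm SEQUENCE, signatureValue BIT STRING }, contents abbreviated.
TOY_CERTIFICATE = der_tlv(0x30, der_tlv(0x30, b"\x02\x01\x02")
                          + der_tlv(0x30, b"\x06\x01\x2a")
                          + der_tlv(0x03, b"\x00\xaa\xbb"))

def encode_cmp_certificate(cert_der: bytes) -> bytes:
    """CMPCertificate ::= CHOICE { x509v3PKCert Certificate }: DER gives the
    CHOICE no tag of its own, so the chosen alternative's bytes are the result."""
    return cert_der

def encode_future_alternative(other_der: bytes, tag_number: int) -> bytes:
    """Hypothetical future alternative (an assumption, not in RFC 4210): an EXPLICIT
    context tag [n] keeps its first byte distinct from the SEQUENCE tag 0x30."""
    return der_tlv(0xA0 | tag_number, other_der)

def decode_cmp_certificate(data: bytes) -> str:
    """Dispatch on the outer tag, as any CMPCertificate decoder must."""
    tag, content, end = der_parse(data)
    if end != len(data):
        raise ValueError("trailing bytes after CMPCertificate")
    if tag == 0x30:                    # x509v3PKCert: a plain Certificate
        if [t for t, _ in der_children(content)] != [0x30, 0x30, 0x03]:
            raise ValueError("not a Certificate SEQUENCE")
        return "x509v3PKCert"
    if tag & 0xE0 == 0xA0:             # [n] EXPLICIT: some future alternative
        return f"alternative[{tag & 0x1F}]"
    raise ValueError(f"unexpected tag 0x{tag:02x}")
```

Running a real DER certificate through encode_cmp_certificate() and decode_cmp_certificate() gives the same result, since only the outer SEQUENCE tag and the three top-level elements are inspected.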

 

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Sent: Tuesday, 19 March 2024 06:07
To: Russ Housley <housley@vigilsec.com>; Michael Richardson <mcr+ietf@sandelman.ca>;
Brockhaus, Hendrik (T CST SEA-DE) <hendrik.brockhaus@siemens.com>
Cc: spasm@ietf.org
Subject: Re: [lamps] [EXTERNAL] CMP vs RFC5280

 

@Brockhaus, Hendrik we should create a GitHub issue for this.

 

- Mike Ounsworth

  _____  

From: Russ Housley <housley@vigilsec.com>
Sent: Tuesday, March 19, 2024 2:59:20 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Michael Richardson <mcr+ietf@sandelman.ca>
Cc: spasm@ietf.org <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] CMP vs RFC5280

 


Mike:

> Hmm. 4210 pre-dates 5280. I suppose there are two questions here:
>
> 1) can someone who was around please illuminate on why 2510/4210
> references an ISO doc and not an IETF doc (2459/3280/5280)?

I do not recall why RFC 2510 did not reference RFC 2459. However, the
development of the two documents was going on at the same time. My guess is
that we did not know which would reach the RFC Editor first.

> 2) Is it a trivial change to swap out the X.509 reference? Or will that
> turn into a cascade of difference-hunting and backwards compatibility? Is
> that worth doing?

Reference to RFC 5280 seems like the right thing to do today.

Russ
 
