[lamps] Questions on draft-ietf-lamps-rfc7030-csrattrs-01

Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 21 November 2022 10:56 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "spasm@ietf.org" <spasm@ietf.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "von Oheimb, David" <david.von.oheimb@siemens.com>
Thread-Topic: Questions on draft-ietf-lamps-rfc7030-csrattrs-01
Thread-Index: Adj9lgxOlCOXeqkASu6lmw/Ogv3xiw==
Date: Mon, 21 Nov 2022 10:56:26 +0000
Message-ID: <DU0P190MB1978863EC850DAC69838D354FD0A9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DkcF5fZUeAnlmZ59YrKWsX7qj94>
Subject: [lamps] Questions on draft-ietf-lamps-rfc7030-csrattrs-01
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

Hi all,

Looking at the document draft-ietf-lamps-rfc7030-csrattrs-01 and my interpretation of CSR attributes so far, I notice some differences.

For example we had used a CSR attributes response as in the example below:

SEQUENCE (5 elem)
  OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
  OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component)
  OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
  OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
    SET (1 elem)
      OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)

Hex: 30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03 02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07

So this looks simple to me: a list of OIDs that the client must include in its CSR (with its own specific value chosen by the client: its name, serial, etc.).
And one attribute is used to denote a (key, value) pair to specify that the client must use a particular type of curve for ecPublicKey. So the ‘set’ here is of size 1, which means only 1 choice is available for this value of the property 1.2.840.10045.2.1.

Now we have the draft currently not even mentioning the above use of OIDs in the sequence, and saying that for the attribute the ‘type’ has to be 1.2.840.113549.1.9.14.
This is really hard to understand, coming from a background of above example use.

So the above example is incorrect according to draft-ietf-lamps-rfc7030-csrattrs-01?
Now I don’t want to redo all the discussions that led to this draft, but for someone who didn’t follow these discussions it is hard to see the logic in the outcome of it.  It does not clarify for me.  And so much more complex than I thought.

Best regards
Esko

IoTconsultancy.nl  |  Email/Teams: esko.dijk@iotconsultancy.nl
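Editor's added example (not code from the mail above, nor from the draft or any EST implementation): a small strict DER parser for the CsrAttrs structure, run over the exact hex dump quoted in the mail. It assumes the ASN.1 from RFC 7030 section 4.5.2, CsrAttrs ::= SEQUENCE OF AttrOrOID with AttrOrOID ::= CHOICE { oid OBJECT IDENTIFIER, attribute Attribute }, where Attribute carries a type OID plus a SET of values. It makes visible the distinction the mail is asking about: the first four items decode as bare OIDs (no value, the client picks its own), while the fifth decodes as an Attribute whose single SET member constrains the ecPublicKey parameter to prime256v1. The parser also rejects indefinite and non-minimal lengths, which a server-supplied blob should never contain.

```python
"""Strict DER parser for an EST CsrAttrs response (RFC 7030 section 4.5.2).

Added example; not code from the original mail. Assumed ASN.1 (from RFC 7030):

    CsrAttrs  ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
    AttrOrOID ::= CHOICE { oid OBJECT IDENTIFIER, attribute Attribute }
    Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }

SAMPLE_HEX is the hex dump quoted in the mail, unchanged.
"""

SAMPLE_HEX = (
    "30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03 02"
    " 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07"
)

TAG_OID, TAG_SEQUENCE, TAG_SET = 0x06, 0x30, 0x31


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos.

    Accepts short-form and minimal long-form definite lengths only; the
    indefinite form (0x80) and padded long forms are BER, not DER.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and buf[pos] == 0):
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode OID contents octets to dotted form, rejecting empty or padded arcs."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:
        if acc == 0 and b == 0x80:
            raise ValueError("non-minimal OID arc encoding")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_attribute(body: bytes):
    """Attribute ::= SEQUENCE { type OID, values SET OF ANY }.

    OID-typed values are decoded to dotted form; anything else is kept as
    (tag, hex) so the caller can see what was sent.
    """
    tag, type_val, pos = read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("Attribute.type must be an OID")
    tag, set_body, pos = read_tlv(body, pos)
    if tag != TAG_SET or pos != len(body):
        raise ValueError("Attribute.values must be a single SET")
    values, p = [], 0
    while p < len(set_body):
        vtag, vval, p = read_tlv(set_body, p)
        values.append(decode_oid(vval) if vtag == TAG_OID else (vtag, vval.hex()))
    return decode_oid(type_val), values


def parse_csrattrs(der: bytes):
    """Parse CsrAttrs into ("oid", dotted) and ("attribute", type, [values]) tuples."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("CsrAttrs must be exactly one outer SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == TAG_OID:                 # CHOICE alternative: bare OID, no value
            items.append(("oid", decode_oid(value)))
        elif tag == TAG_SEQUENCE:          # CHOICE alternative: Attribute with values
            items.append(("attribute",) + parse_attribute(value))
        else:
            raise ValueError(f"AttrOrOID must be OID or Attribute, got tag 0x{tag:02x}")
    return items


if __name__ == "__main__":
    for item in parse_csrattrs(bytes.fromhex(SAMPLE_HEX)):
        print(item)
```

Run stand-alone, the block prints four ("oid", ...) tuples for commonName, serialNumber, organizationName and ecdsaWithSHA256, followed by ("attribute", "1.2.840.10045.2.1", ["1.2.840.10045.3.1.7"]). The same parser decodes the attribute type the mail says the draft requires, 1.2.840.113549.1.9.14 (PKCS#9 extensionRequest), from its contents octets 2A 86 48 86 F7 0D 01 09 0E; what the draft puts inside that attribute's SET is a separate question the mail leaves open.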