Re: [lamps] key algorithm in CSR

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Thu, 27 May 2021 15:58 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABA453A147C; Thu, 27 May 2021 08:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.293
X-Spam-Level:
X-Spam-Status: No, score=-10.293 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=kvJjZTRG; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=B/YbCABp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9k5YT321PPSN; Thu, 27 May 2021 08:58:43 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D71813A1476; Thu, 27 May 2021 08:58:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8386; q=dns/txt; s=iport; t=1622131122; x=1623340722; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=6HMslOO6UPxfN9VW7mTUICTUavpxi+zQ21DncHDtf/g=; b=kvJjZTRGj+nvbJcr/vN4LNxMqpd7um5QICif5GnSxog2zJ2fqNaUyPah WwJriI9xFnPvFPth1Li2ZQWSYu2CX83To6rMJlZ1xJxjMvR7v1QjBTDyt PdeGk1E37pFSstmKKTmLKCFPv5L6q39bCLAosxag28ZlNlV5Km4sHjUWg Q=;
X-Files: smime.p7s : 4024
IronPort-PHdr: A9a23:lLRXfBeOIfdmM9RQOHAIhYmglGM/UYqcDmcuAtIPkLtIfqmn+p3kekfWtr1hj17MCIPc7f8My+/bqLvpVmFI55Gd+GsDf5pBW15g640WkgUsDdTDBRj9K/jnPDczGshPUFps+TewOBsdFMP3fVaHpHq04HYbEQn+MgwgIOPzF8bSgs272vr09YfUZlBDhSG2ZvV5KxDlxTg=
IronPort-HdrOrdr: A9a23:DkAgo6PpmdJbI8BcTx7155DYdb4zR+YMi2TDiHoRdfUFSKKlfp6V88jzjSWE9wr4WBkb6Le90dq7MA3hHP9OkMcs1NKZPDUO11HYV72KgbGSpgEIXheOitK1tp0QMpSWaueAd2SS5PySiGLTfrpQo6jkzEnrv5ai854Hd3ANV0gU1XYANu/tKDwOeOApP+tcKLOsou584xawc3Ueacq2QlMfWfLYmtHNnJX6JTYbGh8O8mC1/HOVwY+/NyLd8gYVUjtJz7tn23PCiRbF6qKqtOz+4gPA1lXU849dlLLau5h+7Y23+4oowwfX+0KVjbdaKvq/VfcO0aeSAWMR4ZzxStEbTp1OAj3qDzmISFDWqnjdOX4Vmg/fIBmj8CDeSQiTfkNmNyKH7rgpKCcxonBQz+1UweZF2XmUuIFQCg6FlCPh58LQXxUvjUasp2E++NRjw0C3fLFuIoO5l7ZvsX+90a1wVR4S47pXX9WGzPusr8q+VGnqGUwxklMftOBEb05DVituGHJyz/B9+wIm60yR4XFotvAiog==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DCAQAKwa9g/5ldJa1aHAEBAQEBAQcBARIBAQQEAQFAgUYEAQELAYFSUQd3LC43MQuIBQOFOYh1mgmCUwNUBAcBAQEKAwEBNQoCBAEBgVyCdAKBfgIlNwYOAgQBAQESAQEFAQEBAgEGBHEThWgNhkQBAQEBAxIuAQE3AQsEAgEIEQQBAS8CMB0IAgQBDQUIBhSCUIF+VwMfEAEOmxwBgToCih94gTSBAYIHAQEGBASBSEGDSxiCKgcJgToBgVKBKIlPgR4nHIFJRIEVQ4JfPoIEXgEBAgGBXxUngw+CLoQDAQGBGEErnWaBKp0yCoMXhRqCfIF1k3ERpVOVQYwUmAwCBAIEBQIOAQEGgWolgVlwFYMkCUcXAg6OHwsXgnpUhRSFSnM4AgYKAQEDCXyJWQGBEAEB
X-IronPort-AV: E=Sophos;i="5.83,227,1616457600"; d="p7s'?scan'208";a="881903057"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 27 May 2021 15:58:41 +0000
Received: from mail.cisco.com (xbe-aln-004.cisco.com [173.36.7.19]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 14RFwf3p009461 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 May 2021 15:58:41 GMT
Received: from xfe-aln-004.cisco.com (173.37.135.124) by xbe-aln-004.cisco.com (173.36.7.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 27 May 2021 10:58:41 -0500
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xfe-aln-004.cisco.com (173.37.135.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 27 May 2021 10:58:40 -0500
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Thu, 27 May 2021 10:58:40 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hvmZ8tUfoI/jBpS9j9I1LSXePIom+P2lRxi+gOw25meXo8jwS1DP+JJuxrQQjSRhR2KdOK1DmpF//z2j+1asPLnePMMbaJSHHHqdDmKcOHUWpahleewMS8eR2ef8j4udnABepdRW5q8ZrA1/Jpc6ivYAlQgXioMq0qwm/aLp5kmsZKWwmiXrWN8vrtyvWcnfDFzLCNeRogAsnZ/yTw581OyO97EAqShKl8Z7lAp5zDjoq3LzpNRK2t0kBt64SxwETi0YpnOZVOoZU9xIZXSMlUPa6GmTx+Tu3fsWDLTnxeCTh3ndJOIv3IyP2Qe5z/XKm0JPsw4Y/PLQ10UkzBXYiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=l6nb0o6CQqrjA7k905Rk6pV5SXhtehTDbt2X2Zpndic=; b=U2qxSQ3B8eFaRYV0OH342YSKtbmZ7VIkNS4Y9qWXSIfzEP5xmxcivuJiO1yPvibpomgjSIWV32vCHFGv67g5674QUmoFN1ORuCltsg4K2OOZkOLUIk1Lf1TllknH4rG3lL9WMEFK8UrQaw2gElXGuq6tZiDOUTjdvOlNG7XqplHfFNlHOz6/h/Yx4DLrEUsi9S/DkFPzpSQUvvPiiTMFvtmKd3uklU10/BQC1W/86BGk9ZrYJZKkxWYJEYCrFGeD9UZeW1gD+lgeBMrEu1DiCqLV7kbm4jQVS/jjpiGX95XB02dglRjTyFa60eKdYTHvU4HpsrhsXxT1zEZ8Tyafiw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=l6nb0o6CQqrjA7k905Rk6pV5SXhtehTDbt2X2Zpndic=; b=B/YbCABpScPOhMfk9RjycSrhxJtSUi8e/xJu1YJkesUz6eVPRXR0k5CkBGSygxn4/DhsBuWDZWjN3EDpD0na1P7o6gmgqUUThu2l11grGiBVgduNr+3ieD7MaHAE2csVVWMiuo5gr04ehf8JVa3ZzUBTSHcxf7MYxK16dvy7NPE=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN6PR11MB3873.namprd11.prod.outlook.com (2603:10b6:405:83::37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.26; Thu, 27 May 2021 15:58:40 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::5953:aef:db60:ad36]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::5953:aef:db60:ad36%4]) with mapi id 15.20.4173.024; Thu, 27 May 2021 15:58:40 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "spasm@ietf.org" <spasm@ietf.org>, "Max Pritikin (pritikin)" <pritikin@cisco.com>
CC: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [lamps] key algorithm in CSR
Thread-Index: AQHXUwLu7QXQU9lANUaDYd6mG9mh8ar3ejPg
Date: Thu, 27 May 2021 15:58:39 +0000
Message-ID: <BN7PR11MB25471013374D7C7E17ACB2EDC9239@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <29593.1622124970@dooku>
In-Reply-To: <29593.1622124970@dooku>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: sandelman.ca; dkim=none (message not signed) header.d=none;sandelman.ca; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.78]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5c41d173-f3f4-48ef-cd32-08d921284b9b
x-ms-traffictypediagnostic: BN6PR11MB3873:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BN6PR11MB38737128FEB79C681D5D8C7BC9239@BN6PR11MB3873.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UpepWH/Xo8kTp2o4dGNpUt/cUl8XfqwsHdpdxyxF1bmTt+5bRnR9zrl83dvjax6tLaPaPG/bOCG02E+mBe+vScqtLQAYMSd7ONJE54NJOBRtXCYzG3Cz7hKEU88Vq3GuWWPYVBeH0tn4UsOFdZsRJcAiG5FzoiwqYZiuKY36TnW48W1w2RTPTpAobOl72XTBfGUpBzLddMuUooUP9s6129I6GnMZtcE8r5C+KjGBDajIbrca8jd9aa8TR8J9gfO+v0j/er9aN8tdTpzTy4hYFzi3smFptjzqbFx6jj+rHqsGIjsUbgCyCucfXwDa6w6v2EbaFNiuM4qbcMizVrCWj3GqIQPjlIe+Vl9Pr3R5lGZu8jcRQeq7xPNV/SghTdVUbokUilz+jaCv1E2CqmbS/FksmniA65eg4megQ864czI41ZjcqbXXAgHgxbJj22ASwlJuPauRh0ktgzBdRM+wPw0Iw0CUpvyLUurWWF5KW9YgEgC0DjmoAu08iOc2BNbduSdSFpctXBX1BG9G4nXx7USQUwCOlBMoWXWQ5Ls6OqbIraunKZisFptKBy/3pMKDcFL8qXVeVu5RkjM0XIIcVamLw9q3vtFaw4jadpsIu4uA9iEpSj5ZTH+pQLZGmWqvLNGLnZNiS03nj3QGSC+5zpwJll4YrWn5pJNKvtxq/MyrfgOkCD3zQ9OzDntB9eW3jhpZ3Mt12DEQENnDsfvYNA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2547.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(376002)(39860400002)(396003)(136003)(346002)(55016002)(26005)(478600001)(4326008)(316002)(76116006)(2906002)(966005)(6506007)(19627235002)(7696005)(9686003)(71200400001)(33656002)(99936003)(8936002)(53546011)(86362001)(66446008)(110136005)(186003)(83380400001)(64756008)(6636002)(66616009)(66556008)(66946007)(66476007)(5660300002)(52536014)(8676002)(122000001)(38100700002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: il3wXnixYJ+36rIiLOTVoK90DCzLKINL1KUczWpRoUBhXObYnauOy1A2cxaY8DC46I9WsDn310csyXwgUeBVHXDrUoOgXKAF7BuUBkeKLUh+BkOnaNKNbv6VF6CHXq8gSjxqsISGrcfyTX1lKfaEPOuw/5Px3V78D3dlcTehVSJkvjnbIJmQH/z/W4yUVS6QcLjGqbuUl2E3WZKnVt4+7yhctFKYA7PgwNySeLqZ3kANt5f09hP0Ingzrdb1r1A0BO23cpLlGMky7JXQNynGMy0/VXwzASgPU5LTD5oLtZJJMBCCyWlj8gCw95GbgcxvmLHlPKb4ulLI3DGt/64AMM3KqLUZw5E4C98fvgP0ureb1qxrX1ilVnZc9JaFSpVxpi+//3nsjQvTBDOg/bj5MnOJp7H+SqwjHMAHRLhsvmmroDgsrKO/TKcaqEIiA36wzPIqiRrpy58EBiT2XY2+CUHoeY3H+nd89UCMxTcBSq5C7CtUTM+NT4qcpl41c+y7AkWSbF+4heGBwOEQb11RGZa0mMHgzUvjMbKYCtOBn4wvjNdjWfQOlXHAzFcVJGEtqQyWTUQw7rJ0n08OopHWyOy8PLi4xJ9i/1f38+aFzTjv6SdVGcUUpeBtP5Tvvw4ssIKb/wvc/dggXVJt0qpk9859jzsVG2lJbQAqlxYMt9fd9AO/+QqiOqlInKqMgAAFH01vdXaS8F0955EyaraUTfKQ1t2mOlUws1x50eT8Q/5udrPoWh9A5k6WsSaNAj2aQ8EHzJpgbgJQPNeAajYdjxCArnmz4Sjnpd0c6s2Gb6R5jROCXHdyaTjSFP7kxFnAb96KYGBBfM4/DyrGFWpa3hOnMeCxOkiCiWdU1oFHpT1sy9urfPWtROqREjh2Ww9CXJZFIp2cX9J7AjCeTQlHex1uCF47UJEYNebd6S9kSXF1J6mVue17U01QqjaGtZY+SB5ZzAKk+j20DNByCQrlsYD3exe3qR1hzKS9TvO57mfg/lfB1oJ2dJKKproF1Cj8Q/A3Vn65pNhs/v3ohgPjp20a7/r3NkkhGupeFUoCvwESwoDIPUbG2mQrq9k4PuOfhc9JjqnVw8MnJUKEETm+tduGwidRxXyy9KuSfa5V1jPW970iRy0s/IgH9Dqsm+jUtQ/zpMklkLNrOrkA3RNRf00P2E2fDftyKbgklAkrIRytroBI80/o+grawRCPhx+Sf9IEec4FA2QOxloFC1ZfXKVj/ZEOYmJ1aGiL8Gsudse0l5OwfttRYiqySJ3F8vnPLGYGM9YOi+JHewGqOn3Ja0bAZzmP1PUga7U/WfWUOTVsMNlvO3gnNKsOcEbVKF7p
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0005_01D752EF.A0C86CF0"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN7PR11MB2547.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5c41d173-f3f4-48ef-cd32-08d921284b9b
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 May 2021 15:58:39.8197 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eey/uhEFsJ03ZoCeYS33AzPJEvq4pGfYZWt03hmhfuzkKC7VqygtEfKEtooTmxaqAZ1WehpEZCZnQ1TXBJNyBQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR11MB3873
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.19, xbe-aln-004.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/EcNZCdvjFnE29t7XFqrk1vfBBMc>
Subject: Re: [lamps] key algorithm in CSR
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2021 15:58:48 -0000

Hi Michael,

The csrattr response can include OIDs + values which will be in the client
CSR. They do not necessarily need to be DN attributes. A  CSR could have
more like 

   CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature          BIT STRING
   }
   AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
        algorithm          ALGORITHM.&id({IOSet}),
        parameters         ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
   }
   CertificationRequestInfo ::= SEQUENCE {
        version       INTEGER { v1(0) } (v1,...),
        subject       Name,
        subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
        attributes    [0] Attributes{{ CRIAttributes }}
   }

as specified in https://datatracker.ietf.org/doc/html/rfc2986

Any of the CertificationRequestInfo attributes can be included in the
csrattrs. 

We have not been using many of them in our use of csrattrs and overall I
have not seen CAs implementing them either. Pretty much support for both RSA
and ECDSA alg OIDS is assumed. 

Rgs,
Panos


-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Thursday, May 27, 2021 10:16 AM
To: spasm@ietf.org; Max Pritikin (pritikin) <pritikin@cisco.com>
Cc: anima@ietf.org
Subject: [lamps] key algorithm in CSR


RFC7030 defines the CSR attributes.
It says:
   "In addition, a CA may desire to certify a certain type of public key and
   a client may not have a priori knowledge of that fact.  "

and:
  If the CA requires a particular crypto system or use of a particular
  signature scheme (e.g., certification of a public key based on a
  certain elliptic curve, or signing using a certain hash algorithm) it
  MUST provide that information in the CSR Attribute Response.

I think that this means, if a CA wants RSA, then it should include the
attribute sha256WithRSAEncryption ( 1 2 840 113549 1 1 11 ).
It feels odd, because that's not an DN attribute.

I am asking this because my ACP implementation has to deal with RSA
certificates until everything is ECDSA happy.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks
[ 
]   Michael Richardson, Sandelman Software Works        | network architect
[ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails
[