Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 08 October 2021 16:36 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, John Gray <John.Gray@entrust.com>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
Date: Fri, 08 Oct 2021 16:36:37 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/FEgmbcFYs77-_4xcExYk4qLbni4>

Russ

I am sorry, I feel like I make it too difficult. 
I just want to be on the safe side not to request new OIDs if not really needed.

> From: Russ Housley <housley@vigilsec.com>
> Sent: Friday, 8 October 2021 18:10
> 
> Hendrik:
> 
> Option 1A defines a new generalInfo, which is an InfoTypeAndValue.
> 
> Option 1B defines a new GenMsgContent, which is also an InfoTypeAndValue.

Yes, I am aware that both use InfoTypeAndValue.

> The difference is that the request and response have two different types, one
> for GenMsg and another one for GenRep.

Yes, this is the proposal of Option 1B.

> 
> The only hint that I find regarding the :
> 
>  -- Receiver MAY ignore any contained OIDs that it does not
>  -- recognize.
> 
> This tells me that in Option 1A, the server can ignore the new generalInfo that
> provides the CrlThisUpdate, and then always provide the full CRL in the CRL
> GenRep.

I would consider this as a reasonable behavior. If the server does not understand id-it-crlThisUpdate or if it is absent, the server should respond with the CRL.

My question is, is it OK to reuse id-it-currentCrl together with id-it-crlThisUpdate like this

    GenMsg:    {id-it 6}, < absent >
    GenRep:    {id-it 6}, CertificateList  |  < absent >

The server should only answer with <absent> in case the request contained id-it-crlThisUpdate in the generalInfo field. In this case the client indicates that it knows the updated syntax. Therefore, I thought it is backward compatible.

Do you recommend defining a new OID to be used for this use case instead of id-it-currentCrl, but with using id-it-crlThisUpdate in the generalInfo field?

 Hendrik
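The backward-compatible behaviour described in this message, modeled in Python as an added illustration (not code from the thread or from the CMP Updates draft): a client that knows the new syntax puts id-it-crlThisUpdate into generalInfo, a server that understands it may answer {id-it 6} with < absent > when the client's CRL is still current, and a legacy server that ignores the unknown generalInfo OID still returns the full CertificateList. The OID for id-it-crlThisUpdate is a placeholder (the page assigns none), times are GeneralizedTime strings, and the CRL is a constructed byte string.

```python
from dataclasses import dataclass, field
from typing import Optional

# OIDs from RFC 4210: id-it = 1.3.6.1.5.5.7.4, id-it-currentCRL = {id-it 6}.
ID_IT_CURRENT_CRL = "1.3.6.1.5.5.7.4.6"
# The page assigns no OID to the proposed id-it-crlThisUpdate: placeholder only.
ID_IT_CRL_THIS_UPDATE = "1.3.6.1.5.5.7.4.<TBD>"

@dataclass
class InfoTypeAndValue:
    info_type: str
    info_value: object = None        # None models "< absent >"

@dataclass
class GenMsg:
    body: InfoTypeAndValue                               # {id-it 6}, < absent >
    general_info: list = field(default_factory=list)     # PKIHeader.generalInfo

# Times are GeneralizedTime strings ("YYYYMMDDhhmmssZ"), so lexical order is chronological.
def build_request(known_this_update: Optional[str]) -> GenMsg:
    """Client side: request the current CRL; a client with the new syntax adds the hint."""
    req = GenMsg(body=InfoTypeAndValue(ID_IT_CURRENT_CRL))
    if known_this_update is not None:
        req.general_info.append(InfoTypeAndValue(ID_IT_CRL_THIS_UPDATE, known_this_update))
    return req

def handle_gen_msg(req: GenMsg, crl_this_update: str, crl: bytes,
                   server_knows_hint: bool) -> InfoTypeAndValue:
    """Server side: GenRep value is the CertificateList, or < absent > only when the
    request carried id-it-crlThisUpdate and the client's CRL is already current."""
    if req.body.info_type != ID_IT_CURRENT_CRL:
        raise ValueError("unsupported InfoType")
    hint = None
    if server_knows_hint:   # a legacy server ignores generalInfo OIDs it does not recognize
        for itav in req.general_info:
            if itav.info_type == ID_IT_CRL_THIS_UPDATE:
                hint = itav.info_value
    if hint is not None and hint >= crl_this_update:
        return InfoTypeAndValue(ID_IT_CURRENT_CRL, None)
    return InfoTypeAndValue(ID_IT_CURRENT_CRL, crl)

def client_apply(rep: InfoTypeAndValue, sent_hint: bool, current_crl: bytes) -> bytes:
    """Client side: < absent > is only acceptable if this client announced the new syntax."""
    if rep.info_value is None:
        if not sent_hint:
            raise ValueError("absent CRL in GenRep but no crlThisUpdate was sent")
        return current_crl           # CA confirmed the client's CRL is still current
    return rep.info_value
```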