Re: [lamps] Proposal for errata to RFC 2634 and 5035 - Re: Need clarification on ESS
Russ Housley <housley@vigilsec.com> Thu, 15 April 2021 14:52 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFCAC3A22D7 for <spasm@ietfa.amsl.com>; Thu, 15 Apr 2021 07:52:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hefgmd_WJuf5 for <spasm@ietfa.amsl.com>; Thu, 15 Apr 2021 07:52:46 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D182F3A22CB for <spasm@ietf.org>; Thu, 15 Apr 2021 07:52:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 4F121300B90 for <spasm@ietf.org>; Thu, 15 Apr 2021 10:52:42 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id v6hffLJfig_e for <spasm@ietf.org>; Thu, 15 Apr 2021 10:52:39 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 784C4300AA6; Thu, 15 Apr 2021 10:52:39 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <AD91D46F-07D0-4C60-B528-F585DFD3DF1D@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9656F56F-E17E-4FEA-B603-D93EC3CB828A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Thu, 15 Apr 2021 10:52:40 -0400
In-Reply-To: <ec8e11df-a014-669a-10ae-60a2b24dfd6e@von-Oheimb.de>
Cc: LAMPS <spasm@ietf.org>
To: David von Oheimb <nl0@von-Oheimb.de>
References: <23AF3BD2-A969-4BE9-9DCF-89B0715D847E@vigilsec.com> <46324713-28bf-f215-0cc8-ce024b99f447@von-Oheimb.de> <49300CF2-2488-4C29-9AC5-4809F593C157@vigilsec.com> <CAHm+eR8fR-Xvd=hAGpZEiq6hB4RWnnQN0ZY8OYQzXT0-zrR6MA@mail.gmail.com> <0B1526E4-4E20-4C70-8577-ED6C1DC46CE4@vigilsec.com> <8c5af39c-6a5b-5314-c82c-85c150a20d56@von-Oheimb.de> <FA796830-C530-4A51-BD94-DB786365AEE5@vigilsec.com> <80ab3f1b-b733-abb8-133e-288f856e20df@von-Oheimb.de> <F1939EE0-C3DD-4FAA-A887-90760362BC75@vigilsec.com> <c62414ba-8132-3313-c349-146a97d301c0@von-Oheimb.de> <20210318055717.GA79563@kduck.mit.edu> <6dfd3e87-bc46-ce7b-27b7-bae26fe7dc95@von-Oheimb.de> <ec8e11df-a014-669a-10ae-60a2b24dfd6e@von-Oheimb.de>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/N-YvsOydlg9XZ6ryYzbV2pzqke8>
Subject: Re: [lamps] Proposal for errata to RFC 2634 and 5035 - Re: Need clarification on ESS
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 14:52:51 -0000
David: I think you should submit the errata at https://www.rfc-editor.org/errata.php I encourage you to put the whole text in the original and new so that the inline errata tool has a hope of doing the right thing. Russ > On Apr 15, 2021, at 10:28 AM, David von Oheimb <nl0@von-Oheimb.de> wrote: > > Some 3+ weeks ago I provided as requested the below text for discussion. > So far I did not see any reaction on it. How best to proceed? > > David > > On 23.03.21 08:57, David von Oheimb wrote: >> Hi Ben et al., >> >> according to your feedback on how to (re-)structure the errata texts to be discussed here before they get submitted, >> here is an update of my proposal, which essentially is the same as before but in the required format. >> >> David >> >> >> Proposal for erratum to RFC 2634 >> >> Section: >> >> 5.4 >> >> Original text: >> >> The first certificate identified in the sequence of certificate >> identifiers MUST be the certificate used to verify the signature. >> [....] >> If more than one certificate is present in the sequence of >> ESSCertIDs, the certificates after the first one limit the set of >> authorization certificates that are used during signature validation. >> >> Corrected text: >> >> The sequence of certificate identifiers MUST contain at least one element. >> The first certificate identified MUST be the certificate used to verify the signature. >> [... (unchanged)] >> If more than one certificate identifier is present in the sequence of ESSCertIDs, >> all certificates referenced there MUST be part of the signature validation chain. >> >> Notes: >> >> Some aspects of the 'certs' field of a SigningCertificate attribute: >> >> SigningCertificate ::= SEQUENCE { >> certs SEQUENCE OF ESSCertID, >> policies SEQUENCE OF PolicyInformation OPTIONAL >> } >> described in the sentences quoted above are very vague. >> This lead to major confusion and wrong implementations. >> As meanwhile has been clarified, they should be re-phrased; >> see suggested new version above. >> (One may further mandate/clarify that the certificate identifiers must be given in the same order >> as they are expected in the validation chain, but I think this is not important because >> the order should not play a critical role and will be determined by the validation chain anyway.) >> >> Proposal for erratum to RFC 5035 >> >> Section: >> >> 3, which inserts new section 5.4.1 >> >> Original text: >> >> certs >> contains the list of certificates that are to be used in >> validating the message. >> [...] >> If more than one certificate is present, subsequent certificates >> limit the set of certificates that are used during validation. >> >> Corrected text: >> >> certs >> contains the list of certificates that are to be used in >> validating the message. It MUST contain at least one element. >> [... (unchanged)] >> If more than one certificate identifier is present in the sequence of ESSCertIDv2s, >> all certificates referenced there MUST be part of the signature validation chain. >> >> Notes: >> >> Some aspects of the 'certs' field of a SigningCertificateV2 attribute: >> >> SigningCertificateV2 ::= SEQUENCE { >> certs SEQUENCE OF ESSCertIDv2, >> policies SEQUENCE OF PolicyInformation OPTIONAL >> } >> described in the sentences quoted above are rather vague. >> This lead to major confusion and wrong implementations. >> As meanwhile has been clarified, they should be re-phrased; >> see suggested new version above. >> (One may further mandate/clarify that the certificate identifiers must be given in the same order >> as they are expected in the validation chain, but I think this is not important because >> the order should not play a critical role and will be determined by the validation chain anyway.) >> >> >> >> >> On 18.03.21 06:57, Benjamin Kaduk wrote: >>> Hi David, >>> >>> On Wed, Mar 17, 2021 at 09:09:08AM +0100, David von Oheimb wrote: >>>> On 14.03.21 23:17, Russ Housley wrote: >>>> >>>>> I do not find the existing text as confusing as you do. >>>> I agree in the sense that I see the topic of the 2nd clarification less >>>> confusing and critical than the 1st one >>>> because the question whether a ESSCertID{,v2} list shall contain at >>>> least one entry only influences >>>> the corner case whether signingCertificate{,V2} attributes can be used >>>> to express policy constraints only. >>>> >>>> Yet the 1st vagueness, whether the ESSCertID{,v2} list is supposed to >>>> mean a lower or upper bound of the allowed certs in the validation >>>> chain, is major. >>>> As mentioned, several implementations including Bouncy Castle simply >>>> ignore the case that that ESSCertID{,v2} contains more than one element, and >>>> the only implementation that is known to take care of them, in OpenSSL, >>>> has been confused and thus wrong from its beginning nearly two decades ago! >>>> >>>>> That said, I would suggest getting review of proposed replacement text >>>>> on the mail list before posting an errata. >>>> 1. Here is my proposal for an erratum to RFC 2634: >>>> [ >>> [...] >>> >>> While your formulations are useful for the mailing-list discussion, when it >>> comes time to actually submit errata reports they will need to be >>> formulated a little differently. >>> >>> The form just has (in addition to some other metadata) the section of the >>> document, "original text", "corrected text", and "notes". So all the >>> commentary will need to be in one place, and after the OLD/NEW text. So, >>> with this digression over, we should continue to review the OLD/NEW text >>> and get support for the specific NEW texts. :) >>> >>> Thanks, >>> >>> Ben >> >> >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org <mailto:Spasm@ietf.org> >> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm> > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] Need clarification on ESS (RFC 2634) Midnight Wonderer
- Re: [lamps] Need clarification on ESS (RFC 2634) Russ Housley
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Midnight Wonderer
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Midnight Wonderer
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Russ Housley
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Russ Housley
- Re: [lamps] Need clarification on ESS (RFC 2634) Midnight Wonderer
- Re: [lamps] Need clarification on ESS (RFC 2634) Benjamin Kaduk
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Midnight Wonderer
- Re: [lamps] Need clarification on ESS (RFC 2634) Russ Housley
- Re: [lamps] Need clarification on ESS (RFC 2634) Midnight Wonderer
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Russ Housley
- Re: [lamps] Need clarification on ESS (RFC 2634) David von Oheimb
- Re: [lamps] Need clarification on ESS (RFC 2634) Russ Housley
- [lamps] Proposal for errata to RFC 2634 and 5035 … David von Oheimb
- Re: [lamps] Proposal for errata to RFC 2634 and 5… Benjamin Kaduk
- Re: [lamps] Proposal for errata to RFC 2634 and 5… David von Oheimb
- Re: [lamps] Proposal for errata to RFC 2634 and 5… David von Oheimb
- Re: [lamps] Proposal for errata to RFC 2634 and 5… Russ Housley
- Re: [lamps] Proposal for errata to RFC 2634 and 5… David von Oheimb