Re: [lamps] New suggestion for a full and straightforward solution - Re: I-D Action: draft-ietf-lamps-rfc7030-csrattrs-04.txt
David von Oheimb <it@von-Oheimb.de> Thu, 22 June 2023 16:58 UTC
Return-Path: <it@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16129C15108B for <spasm@ietfa.amsl.com>; Thu, 22 Jun 2023 09:58:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04fOZ6zI3FQC for <spasm@ietfa.amsl.com>; Thu, 22 Jun 2023 09:58:22 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D768C1522A4 for <spasm@ietf.org>; Thu, 22 Jun 2023 09:58:20 -0700 (PDT)
Received: from [100.70.180.169] (ip-109-43-49-89.web.vodafone.de [109.43.49.89]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 150F96141B07; Thu, 22 Jun 2023 18:58:17 +0200 (CEST)
Message-ID: <99e9c34707b84ec72980b8839a805920f930b401.camel@von-Oheimb.de>
From: David von Oheimb <it@von-Oheimb.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>, spasm@ietf.org
Date: Thu, 22 Jun 2023 18:58:16 +0200
In-Reply-To: <19251.1687376241@dyas>
References: <168687004656.20234.4344396997105904558@ietfa.amsl.com> <05277edb6f344d74c793d02d1aeb9fa9f015d50e.camel@von-Oheimb.de> <19251.1687376241@dyas>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-LPH7+HZhs+dO4/3L3yyR"
User-Agent: Evolution 3.38.3-1+deb11u2
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/OrLAQTf0nFFvUH9thaUmHHp6epY>
Subject: Re: [lamps] New suggestion for a full and straightforward solution - Re: I-D Action: draft-ietf-lamps-rfc7030-csrattrs-04.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2023 16:58:24 -0000
On Wed, 2023-06-21 at 15:37 -0400, Michael Richardson wrote: > > David von Oheimb <it@von-Oheimb.de> wrote: > > thank you for the update. > > > The draft (so far) solves reasonably well the very specific > issue > > described in the intro, > > well... you are co-author already :-) Yes, and I already contributed various parts around early August last year. > If this is something you want to add, then let's do it. I've just pushed a couple of minor improvements. Yet before I contribute any more substantial things, all authors should be in agreement on the way forward. How about having a design call on this? > > * it remains entirely unclear how a server could specify regular > > subject DN values, which may be needed in addition to specifying > > SANs, > > possibly including partial specification of RDNs (such as : > "include > > a CN with value chosen by the client, while OU should have value > > 'xyz') > > Given that we want to stop looking at DNs, I hadn't considered this > mattered, > but I agree that there are many cases where it does. I think that it > should > already be possible, but it's escaping me right now to think how it is > specified in the CSR. Two years back I mentioned several options how it could be done. With the new idea it can be done most naturally: as a DN (pattern). > > * the spec how to interpret algorithm OIDs is very weak: just by > means > > of a few examples - no systematic semantic rules are given > > That's a reasonable criticism. > > > * there are no rules preventing conflicting "algorithm > requirements", > > such as OID ecdsaWithSHA384 and OID SHA256, > > You are right. So what does a client do when it see such a thing? As I wrote in the other current thread on csrattrs, IMO an RFC should not specify any resolution strategy on malformed CsrAttrs but just rule out that such nonsensical or ambiguous CsrAttrs are provided by the server. > > * nothing general is specified how to use and interpret the > multitude > > of other OIDs that could potentially be given > > True. > > > * while addressed by examples, a general description is missing > what it > > means if for instance a cert extension > > will have a value but the CSRattrs only give the OID - this > issue is > > the only one easy to cure in the current form of the draft. > > > So, while the draft so far gives clarification for a particular > use case > > of SANs and partly for other X.509v3 extensions, > > the use of CsrAttrs is still heavily underspecified and thus > > implementations are still far from reaching interoperability. > > .... > > > As I did already on 2021-07-30, I invite everyone to have a look > at the > > solution we took in the Lightweight CMP Profile, > > which also defines a "Get Certificate Request Template" feature > > in section 4.3.3 including an example in Appendix A. > > The basic idea is to re-use the certificate template structure > that is > > also used in the actual CSRs (which in this case is in CRMF). > > > Today I had the thought that we can take over the same principle > also > > for EST CsrAttrs, even in a backward-compatible way! > > > Namely, by placing a partially filled CertificationRequestInfo > structure > > as the only(!) AttrOrOID element in the CsrAttrs > > (with an OID identifying it, which likely needs to be defined > for this > > purpose). In this way, the server can specify in a > straightforward > > and pretty self-evident way what it expects from the client in > the > > actual PKCS#10 CSR, which has the very same content structure. > > okay, so I'm open to this idea, but how backwards compatible is it? > Maybe the WG doesn't care. I just want to specify the SAN. Pleased to hear that you are open to this new idea for a more through solution. What do others think? > > Within the CertificationRequestInfo structure, > > the server can give for instance SANs and an other X.509v3 > extensions as > > well subject DNs etc. with desired values > > exactly in the way they will appear in the CSR (and in the cert > derived > > from this data). This should also simplify implementations. > > It can also give OIDs while leaving out the associated values, > which > > means that the client is expected to fill this in. > > This scheme also works for specifying the type of the public > key, where > > an AlorithmIdentifier can be given with an empty key value. > > So, it would replace the SAN method here too. Yep - it would be implied naturally by the way SANs are to be specified in PKCS#10 CSRs. > > Examples would look very similar to the one given in Lightweight > CMP > > Profile Appendix A with the difference being that > > there the structure used is of type CertTemplate, while for EST > it will > > be of type CertificationRequestInfo as in PKCS#10, > > embedded in a simple CsrAttr sequence with one element > containing the > > "attribute" choice with the new OID > for CertificationRequestInfo. BTW, the only thing I am aware of that does not structurally fit in such a PKCS#10 pattern is what has been given in the original CsrAttrs example used also in the new document: An OID such as ecdsaWithSHA384 intended to indicate what kind of hash alg is expected to be used for the self-signature of the PKCS#10 CSR structure. I see no real value in specifying the hash algorithm to use for the CSR self-signature. Note that anyway this hash alg and value will not become part of the certificate requested, and that the type of the public key can be specified by other, more direct means: by giving in the subjectPublicKeyInfo field an AlgorithmIdentifier indicating the key type and an empty subjectPublicKey BIT STRING. Hmm, I just realized that (as opposed to the certificate template structure of CRMF), the subject and subjectPublicKeyInfo fields are not optional. Yet we can simply specify that * in case the server has no requirements on the subject field, it MUST provide a NULL-DN (which is the empty sequence of RDNs) * in case it does not have requirements on the type of the public key, it MUST provide an AlgorithmIdentifier with a NULL OID and empty parameters. David
- [lamps] I-D Action: draft-ietf-lamps-rfc7030-csra… internet-drafts
- [lamps] New suggestion for a full and straightfor… David von Oheimb
- Re: [lamps] New suggestion for a full and straigh… Michael Richardson
- Re: [lamps] New suggestion for a full and straigh… David von Oheimb
- Re: [lamps] New suggestion for a full and straigh… David von Oheimb
- [lamps] Dates for Meeting - Re: New suggestion fo… David von Oheimb