Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs
Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 30 January 2023 08:25 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EE0EC1524B3 for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 00:25:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5SRiE3wFB98 for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 00:25:08 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2105.outbound.protection.outlook.com [40.107.22.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4609FC1524AA for <spasm@ietf.org>; Mon, 30 Jan 2023 00:25:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ffXQsHVyxwHKnAkVLj2jimvr6MoeSvcpAqizeXERHDFDaiC5mdLimpbO+VrauXzu68T/VnpShcA+nF+aBbsPexUoKYF3k2li5EleoLNdpvHISdIPzDPqII9SpVx7DrZvZ95zbrfAtNosZU9iCxBLx4w6TXCakJZZg5o9J96W4DJogRSQn4YtBfqf5kjrBSHBhgxMtMN8cl1ddQS084PnxmnKRCuhHYRQaAE63sxTBRFEEv9RXbAxzZJsGUYcju1o0MopzjgL0wrISamPgsSxlE5XuCr0FD7kTIKmQVIrghZbvpb/Ua7GJE8XLydiSTV7Ska/vAkXXtb+sjmgYZLDLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ltsEuruiZhIEuA+AZ78GskwyjnjyFVjvSAUUCmkG5cA=; b=fYRbuULaAzEZyJ4AGcN6cZ1FUOT5U0DeAu40WmEqXf5d7fc1YSqrGvUCPRpbcq8L2qg4139iqwSXJr4PwFLggxCUg1cINqRyvPJAQ2abu8UoV4KXH7Pu8iN8Uh41IbSh+XiuDHPtuPegsLSCb9VkuIH+ATS8MGMj9tTpXp5fcrehcnZluDmuEHJnry2aoQ6NFYXsjGmvhrvrSJQgMMy1FkpbaH1bOrQhip0+OB1taZQAdop2Oyrsh1d9e5goqI8xTfwy6fYDuc9K/SBM1w/THS5kXTzfJja93MJI8k8xzod8wrPyOV7K4fAQZWDWDjC+4SF3QnXoqZ+xEsqBNcPNTA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ltsEuruiZhIEuA+AZ78GskwyjnjyFVjvSAUUCmkG5cA=; b=Q5eDLcXAVwIZkTWI+h52ZYrSI6ZoSCTv9oThx9ZCSGwB+K35qCg6baCF4P4+wFnT0CmK1mrtSvlCerGptRhULZDj5YY819jkl257YYzSoDPt9cuwtT3tH152LIJnRJN3t6cBAumpb3WWWjzaNkQRLjvBQVX6YkrTL8LrTNKSfFs=
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:3b9::20) by PR3P190MB0858.EURP190.PROD.OUTLOOK.COM (2603:10a6:102:80::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.36; Mon, 30 Jan 2023 08:25:03 +0000
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::491a:6a13:eba4:e991]) by DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::491a:6a13:eba4:e991%7]) with mapi id 15.20.6043.030; Mon, 30 Jan 2023 08:25:03 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "von Oheimb, David" <david.von.oheimb@siemens.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs
Thread-Index: AQHYqK3xFpSUjfFSPEufb6tBhmPama341hQAgADJ0ICAUDYgUIBqKOoAgAO1DDA=
Date: Mon, 30 Jan 2023 08:25:03 +0000
Message-ID: <DU0P190MB1978C90F443E9DE3D8EE1078FDD39@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com> <3758.1659557693@localhost> <399c3a1e-ee28-cc85-6e6a-cee210e70753@siemens.com> <DM6PR14MB2186188B8CFA66967F52A081929F9@DM6PR14MB2186.namprd14.prod.outlook.com> <19f4388a-49e1-d14e-2463-e9f0e181c2ea@siemens.com> <997117.1664573368@dooku> <cf6f2e271a0ecda5875e38a10c7455fcf03ddeb6.camel@siemens.com> <DU0P190MB1978A5049FE06F438B6EBAFAFD0A9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <1345183.1674862574@dyas>
In-Reply-To: <1345183.1674862574@dyas>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iotconsultancy.nl;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0P190MB1978:EE_|PR3P190MB0858:EE_
x-ms-office365-filtering-correlation-id: f6cf45d6-8810-4141-7930-08db029b7c5b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: P3uHXinJjCMUVRILzuch0g2T2ueXwR/p0REPQwUKlRqP2YpP5FIW79GcaqT9qwF2YxJ0mrRjKgNV3/qttnq7a1N2ijiZM9DPWmaa7LCBwj1vLeLF/IAhmcsdix1776Mjgc/be/0rn6/gtkfcliAXC1ggb3uUu/oTBCZzq6lUgOih9kSrZYn+oagskEbpB0g4nqcL8tV00yvDrLIw+0rLLuE4Aryu7NUg09wn3h1mhs48srHmMCtbp6u7UFeEX6ev9Ccq32+PYaHR4UQStOHiXFb/XxzeUPoXM1L8q0Hf59ACzwytHSLSEAzXhsFGfz7HyizD+hPOYbFNHBY3eQ6Ur4eHjr1ScfR1Bq+PmgYeegWYOZZ2d2s6vQM6LIsf4gKJf6HhnVy1vfdg7TVRPA81h4iBtkjcUcz8xdvQ4U6GBDAuvFYWw0fFOb9Kqu6KslYw6cZ2aVs3OGuNhRDE7P5sEkgj6tsD7q9sV3D++h6fRlxxYMd28Lbo1W47/ImTHWJsJX8Wi9AzoEZNDTPjCETIWgwBqTIppD0VBHSTDTIf92SoLPyY3Of5OUWcnjsj9jZmw9E+UpfmRl9zbSj2QqFW6W8JC8L3T9NjuQkgvNuTB6Xi5MNBt8WCofzq4wCpBeE73uxqAQvVwlc/rtLkpgu9ieLPIr+68ZS7epXCv+EK26+JUw41W3LBS4B4kXWrsW3XATFBETTItF3K9lwhNTZsIw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0P190MB1978.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230025)(136003)(376002)(396003)(366004)(39830400003)(346002)(451199018)(316002)(54906003)(66946007)(64756008)(8676002)(4326008)(66446008)(76116006)(66556008)(66476007)(8936002)(41300700001)(52536014)(5660300002)(38100700002)(122000001)(86362001)(33656002)(38070700005)(71200400001)(186003)(53546011)(9686003)(6506007)(26005)(66899018)(44832011)(55016003)(2906002)(478600001)(7696005)(83380400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: KSb/FprGUN1CL8h0H1gYYqKvWopgHW5SKryMFXKgGbM6JwfPyPAqLnl3993NDBcdDqouOue4+2HCD5X/hgxQ9HuGNRoB37uGx6wMlj0UwFbTtTgvTg3kMvVLmaWUtx6e6LGYe5yq+MyRcl6OrbYF/Gg2zFNFRq3UI2XJMF1CyxfUEqgcwDFmwtFsz06/xlSrvaeSk8JHVnQPY7krPEIC8dms/8XZ5oG0FLfqU8aOvjqLItFIrTk6ECD4yOC/anzMQFgAVcKjfzXfmpunymEZy7UrE/0W3UqSRov4tUVRiZPBniF33xIkaCpH7d44E6eZA3czDHn72ayqF1NKB+3x2LVbnQJladZxGYLCOUuwllHK4SXj5qR0ku7ja2ATqmjjJbQqXPKK8JdZQ1kKvTYEZuyNe4V2U1ZXjSEqudLyef/oI1TX/U6RmClOJbULJ1wcq7kTSE+S1W3E3j9HAj1FhTHcqsydwGDoJJxNOcAB+l5cDgTxLO1mT1iTjPFGgEWhWyPQ/q2zjo+NxC4a3VEl6VWo5n7+a+SXfY3H3vS+Wuu4xFFQWohfd/l7ZShndLiZ0xtlr3Z3GvyLjite6v9C/BX8OazAjZZi5GMLRl2+Ojo5jusMWbiDe6W6s3rYqmEMbFKFgOXDmPHHj8Q0HAis1QeHZI2ofCQOMZTxkSXI0wdpheOY5b5DkDrcYdNT0p8u3aLvmWB05lgfC0slHOTE7zk8Sx0FD4+JjTJOtNCQtm6DWaFy/LxE/dZ5vyBupEg81Ty65M7FhSPHFUAt6a/7LyfFIFTP9ARThRP2HTdBEW/NHFI0KrLtJq7ohnhc58HBsBlU5tZCMqusgA2Ntcnyl3b2ERJFJOERRfqyQZ5UcXxL8Wy/1qnwFdsOy7QCuliHUNODTnQ9CvxULO+SQ31XEN+vqZ8FPqMcIRJsUVaawGUhU/t3aikxnUH2kU60CsMqBAjyZwgaS7RDzcPUryiWnNMVFR1NnjEClV/Gf1JewEYd+9vw0rNUAMhJGpaqXccBuPU6AO0nGjlB4dbRkxYVYO2TCU+9Xn2YVGucrzaVRK8VLp/Cmcn8LpNBNhulPyqiHoVibUq4s52VT69pHSOOqOzFhUHV2hF5duEn0IeSX+NIxB47gATNzQEMlsLOrvtDcx0lXV5Sd7e1cauGiHkuYvAr4dkhUx19VDNzZ5i3qhLYdqq0rgcRaN9s5nNhG8/ou5Z5BKzzR06jMgmlO9156oPaGpJIgtZ6G8pMNtvzcZs5JbVB3AUv7KZiFiDYTKDlQRRy6I0sJfmqWN5VKs5NyRhblv0KW/5lQ6JxF88r+IJFoC4fhWQOUqFeaH5ths+c+KCLCS7RTWuHgREtCZjtc87BKogRttoBNqpsg0fxsHr17HmQ/zkmNsgLVaSdv+iyPxr/xhbQMq+Klmrl8kGMZLZps+Q4wvNwLNdWG3tPwsrTe5UADAVlXDfbFLLcWqPdDCliHlOllObKp8rByveT+Vgtkl4hWCzNqoP9BGhdUMa2nBuPI6+OfYg/m4fhJQLQPogwCleMxvzoEe/aNOPmzHs08sRRAra6HRhoxGgT9mzme57jFhHtvu3SiFZu808H
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0P190MB1978.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: f6cf45d6-8810-4141-7930-08db029b7c5b
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jan 2023 08:25:03.2444 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HJ6uuvP9fCBiCMFK3SMAwqZ6khylZoSJIo78scdjV6x70mJDlbxZPocGiyvJIMAbcgud7/bB5EGaROJscNHk7kg9LiY1csuVIQj8az2a9LE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3P190MB0858
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/P2irnP6ueRln604BYJksaC75XME>
Subject: Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 08:25:14 -0000
Thanks Michael for the clarifications, > Yes, exactly. > The get /csrattrs commits the Registrar to allocating a specific AcpNodeName. My reasoning was that the Registrar could only allocate a specific AcpNodeName if it would know the identity of the EST client. (So, TLS authentication is required.) Suppose the client was anonymous, and then a second anonymous client connects, or the same client reconnects, how would the Registrar distinguish clients and allocate the right AcpNodeName again? Or maybe that's not important in practice. The Registrar could also return a '0' as 'acp-address' part in that case. > > In general RFC 7030 says the client SHOULD NOT require > > authentication to request the attributes > >To request them, yeah hmmm. >What the use case? I'm just pointing out that for people not very deep into this topic, it becomes confusing quite quickly. So I read that a client preferably doesn't require authentication to read the CSR attributes, but on the other hand I read implicitly in the new draft that the EST server require authentication to give back the correct information for this request. And that's not adding up. And nowhere it's explained how & why. I don't know if there's any use case for doing an unauthenticated request to get 'CSR attributes' and then authenticating later on to do the 'enroll' request; maybe a privacy-sensitive EST client that shops around across multiple EST servers to see which one provides a "CSR attributes" answer that it can understand or that optimally complies with its local policies? But in the provided ACP case that's clearly not going to work and hence we should point out that the client MUST be authenticated for this example to work at all. Regards Esko -----Original Message----- From: Michael Richardson <mcr+ietf@sandelman.ca> Sent: Saturday, January 28, 2023 00:36 To: Esko Dijk <esko.dijk@iotconsultancy.nl> Cc: von Oheimb, David <david.von.oheimb@siemens.com>; spasm@ietf.org Subject: Re: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs I'm trying to clean up old emails, and I didn't realize this one wasn't about ASN.1 goo. Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > ‘Struggling’ is the right word. I noticed that in version -01 of the > draft the section 5.1 example is using a differently formatted address > than section 5.2, namely: > rfc8994+fd739fc23c3440112233445500000000+@acp.example.com Huh. > why does this look different than typical RFC 8994 example addresses? > (It has two ‘+’ characters, not one. And order of names is reversed?) > Why not use the standard address example from RFC 8994 to make it > easier to understand? Or is there a particular reason for this > formatting. I guess that I didn't notice that when we went from rfc822Name to otherName, that we lose the rfc8994+! My code says: sprintf("rfc%s+%s+%s@%s", SystemVariable.string(:rfc_ACP) || "8994", acp_address.to_hex, SystemVariable.acp_rsub, SystemVariable.acp_domain) So, the first RFC8994+ is superfluous from reading RFC8994 section 6.2.2. When rsub was on the left, it seemed like we should include the + even if rsub was empty. Now that it's on the right of the @, it seems that probably we shouldn't do that if they are nil. I will fix the example. > For such examples with a very specific node ID (like > ‘fd739fc23c3440112233445500000000’) in the CSR attributes it may be > good to point out that the BRSKI client (or, EST client) needs to be > authenticated to the server at the time of requesting the CSR > attributes. > In general RFC 7030 says the client SHOULD NOT require > authentication to request the attributes To request them, yeah hmmm. What the use case? > but it looks like BRSKI is > then deviating from this recommendation and REQUIRES authentication. If > not authenticated, the server can’t send the right node ID to the > Pledge, right? If that’s correct then it is worth pointing out in text > with the example because otherwise for people using RFC 7030 as a > reference it gets quite confusing. Yes, exactly. The get /csrattrs commits the Registrar to allocating a specific AcpNodeName. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] strugling with CSRAttrs David von Oheimb
- Re: [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- [lamps] Fixed the RFC 8994 / ACP Subject Alternat… David von Oheimb
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… von Oheimb, David
- [lamps] IANA Considerations text for OID allocati… Michael Richardson
- Re: [lamps] IANA Considerations text for OID allo… Russ Housley
- Re: [lamps] IANA Considerations text for OID allo… Michael Richardson
- Re: [lamps] [EXTERNAL] Re: IANA Considerations te… Mike Ounsworth
- Re: [lamps] IANA Considerations text for OID allo… Tim Hollebeek
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell