IETF Logo Mail Archive

[lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs

David von Oheimb <David.von.Oheimb@siemens.com> Fri, 05 August 2022 09:29 UTC

Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7FEDC15948E for <spasm@ietfa.amsl.com>; Fri, 5 Aug 2022 02:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.392
X-Spam-Level:
X-Spam-Status: No, score=0.392 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SCC_THREE_WORD_MONTY=2.497, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2yeohKMy-H0t for <spasm@ietfa.amsl.com>; Fri, 5 Aug 2022 02:29:49 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70084.outbound.protection.outlook.com [40.107.7.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C638C14CF1C for <spasm@ietf.org>; Fri, 5 Aug 2022 02:29:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=asK5HqgfOYSyMWKYTJsdQFqAlDcf1Zfel50gcjt/3YPng6ObKBY1P48tAOSz6bN6pQBmV8fvnVekg3VSLu5Y1IYX4aBB4UMWcnryTGxoWsz6CXov1I1Jsobh0twpHs+/PS6BbwpC74x8YkEP4lPypfztecJy9FeRk7PwEhohQLPhHBOrIzJ0vUpUzEFYupYSQ8lxiOBDWgB2QjpYGYphrq0m7u5oZVNsNUW8vkUjPQMFQ4XIPLQSYHSQ1zFOmg/ccWlE2Cih4743OnlPHoeNkDZCf1m8K5jV/uz21eqnQkyV72hqIXv0UXxPW/hu0vRpOPzppwxCnu5Sg7vKoePJHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PCjt/Y6FI2R7uY6O9FPGjiymFPHit48MXxQoptMMaEo=; b=R8eDo5JORMDns5fJOAYTJEU2fKK1vpp6XLcFy3X8H3s2eUEqaRHDiyip9gAzSLL0btD+sZyvgiQxe3T9RsxTGGByOpFD3+VJerdF3L0ud2FwMQOr90i5zAogeWRMXhztjVVm6GhCMoiv+qu/72YwMu0NoAlk6kGU0mGFbh/Pg9ZO7kXmi2NqBVMk8uM1I8tcOZYkt/gil8IEzOazq02XtnbffNSUswrOHxxa+q9bDxZocnexyJAJFMSKGuvb7F4Dx5Ni6/l7c3pgcStLsl23M8EmwdzT5sABunBGEH145nqWOD3kqfq5VFtO6aRcZFuFNwfOKnMIG9CkN43uUBpCbQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PCjt/Y6FI2R7uY6O9FPGjiymFPHit48MXxQoptMMaEo=; b=YnmmXaC4TaxsfGpap+5WJfedurjFgcH1MeOHXVB91/l0vG3wxSlFRh06UFLmLdp8yM+m7D91quEf/S2InaZ1qw03JxiUqkbqeMQ5YfNyLYLcXRc73CHqQZFbB83ylQSdY4s3YDDqRtvlnr4I6Ut5GM3b0YWkI660Tz6W4uMTXoBgT4+I4owko0fziTvtPmRRdRZ8i26pvTnvQZn8Ig1XHrIk6J/Ve3fIugx1gmlFQNkKv1DBshfPPw30X2UerML8Z7iGsaiqe9oz9ozEqQTq5XC5JkRlkxSlZDhf+W5JDJBd+u2Y+bt57In+mBSvXADurZNZ0/PihOcdpwnMAu7r0g==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20) by PAXPR10MB5357.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:28b::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5504.14; Fri, 5 Aug 2022 09:29:45 +0000
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81]) by DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81%8]) with mapi id 15.20.5504.016; Fri, 5 Aug 2022 09:29:44 +0000
Content-Type: multipart/alternative; boundary="------------XMIMhKbGbywDj3GeO62o5ekT"
Message-ID: <19f4388a-49e1-d14e-2463-e9f0e181c2ea@siemens.com>
Date: Fri, 05 Aug 2022 11:29:41 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Corey Bonnell <Corey.Bonnell@digicert.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: LAMPS WG <spasm@ietf.org>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com> <3758.1659557693@localhost> <399c3a1e-ee28-cc85-6e6a-cee210e70753@siemens.com> <DM6PR14MB2186188B8CFA66967F52A081929F9@DM6PR14MB2186.namprd14.prod.outlook.com>
From: David von Oheimb <David.von.Oheimb@siemens.com>
In-Reply-To: <DM6PR14MB2186188B8CFA66967F52A081929F9@DM6PR14MB2186.namprd14.prod.outlook.com>
X-ClientProxiedBy: FR0P281CA0141.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:96::12) To DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: d2537efb-5e0f-4121-d9c4-08da76c50869
X-MS-TrafficTypeDiagnostic: PAXPR10MB5357:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: vUoI2g107626uhyFpYnqkO0zH3VeP67KaQYhTrScZ30AwC9/q0d9Jc+PpPRn1jDF4xI4AluNwScoGkbGC2GyC2xhywiWlHGBefwI89mAsxz9IC67VxoRxOl0M+4LvdgdoJQmrDsKW+wfZJ8uh1ZtpahEbIqaNcrC1Bd/8l+ebEGHRSUsqbWgk4BEc0wTmj6b6g4qtkcEF1KMG+duxCCCepQnwAiV0k1FAdZ0yFuyXewqfuRJqm3vb7upX65eYW2+Z/i+6sZHAzzflssXISdGuspnhrd0CzMbHnwXKgHriLPHj2JdhUrz43Ty3N+atqMu/ykzV/OHe9xJuQ39GJkHWVHNvSRVBVgM88S1UM/c8gqVTbVhhdtMyeJFM48XFGuvD2RFf8ov97LffffIcx0krpUicLzgraec27CzNwG4qo2nfUisGv8WfiTCexVjXS+yWaB/gy8s3dHMnzJaT7zkrvzEEMp+7xz9RNXv/2UUhPu3xmcjyLG3QWfVLFfk8ZaGNuy1/PofRBXWQ/qAREtEkOg22oDnTbKc6rohSlFrcxsDPaGv2WmOz8n7wyhgptYRunsv60i7SGQ7AUpJAUWhY/qDAUDNysXUmsJfJhQprtySHSx5z/PPdJ65z9iBn0p5uqCLlvYbQR+SgXEh1rgQouCxkNY6wXzPZZ8+t3ykOu9SIPTY0qev3eDM2pczW4fwUwmgh67RAdEolM2dD0ta1c1cP3qXp++Pdva/rc7BLUVEwKYRP3SPMhyTK7I59TeE5GvVveH/LBpafu7q0ytBLbMwwoogQ67hXEWTC3de5vs5dIBbURWvXDtuNKohzbTLtqm3BCaJHf5kGxQRD8cMRcseI13T9FmA4XNwVtqKH8Tt2P/j//FEgOC4DbsfqP5ZIYKOKSdi4MQgo/60E9Fjrw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(346002)(39860400002)(376002)(396003)(366004)(136003)(316002)(8936002)(66946007)(110136005)(166002)(66556008)(4326008)(31696002)(66476007)(82960400001)(26005)(8676002)(86362001)(6666004)(53546011)(55236004)(6512007)(41300700001)(33964004)(6506007)(36756003)(186003)(2616005)(38100700002)(83380400001)(478600001)(966005)(6486002)(31686004)(2906002)(5660300002)(30864003)(45980500001)(43740500002)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: xXJb7oKHMh4Is/3VidC5HDWjeVEZMRjfhsK61Z/IapRyYdn6HDzXCAMq52mPcN5Oc6xcgfpPRajqivcFS5l66JNMlOGFIozDThNT2BdRfHhZ3mP4z5OGbO6fEeA+ATKXE6VXnOBczaYMlhTPuFIjA9GH5BQYNPCanV6jBsQbF2bfX6Ps8cAXzH7SlwhSZP7N0+g17o9txm47y6CD7Ka5HHu+s8eHqB07obRgfLiWqYP2xnOYCMjlwCPI+0VKmgNmNaup9x4/ehd72k8vK4U6jIKfNyOazDIIYOrH2EkoXVPyUSFh1qlOPQkuXlpo7PbCwfPQPCwmcYJu4PMb20K+OErufcBkz4WMu3YUJVQFT08C6u1huCoioVK3QYPUCnkosVRnaFvC4g9h2T3nBrmhNk6uTQwkM+6hfoQsggjkWYYIirj8bGBoXeXLRoXAFrBmaqh2H73WcxsC0scqMasYA6V762zt+Jute3f4iZnvXa2teH58v3a5IT5bmnSuSxQbuTim5zsh233H5E1nLtLcpmXyEuOhSgvB6HHEJ5GTlXq2P+1kjffNeMBK0KaUWwUdBRqIjZHc9XtXsUgGqTMZ6jvNuaeq3bzX0OlPCH8fwJRofxNo5BqYu0isZPN+gem8z7wEc2fRiyjWvBDSzBOZeEH0WBIWCBe4iuf180cnvxe4r8iRV4ZN2U9p48JycC6kILr5ZmMMYfrqekvWR3IrZeZro8T4kwt+xhzVm7kZI7yGyv7QUnObgkY3jc01LXeKll0UiKURX/3MU++ChMTIWO5q4Yc8/h03YBpz4Of1JzkR0AcI0z3VD59EjR2AdrzE19h0fY5TltqC65itH7QJVZx8VPP5Dmcko/EQr4QWy/P5GHfZBKsc6hV3D67WY3xdzWYs9ZZmle883R2wMYwo+WQeHybqn6IhavfA5ObTKAzCzBrSL9l0YMRhqQ13wgGpk+BcvJQ45Xk+T9KAtUQkg+N570cqOYL6644ijp8mKGPbOK1oHp8v7LRPh8eiBddiuXmiu1U3OyVF/84pZXNU+/O8hGy55/MXg/85T/HD3Q9yexBM7o9DQDI47XvYlmKx2vFlcig0rZgAjWt6dXju3+WNu6rdLtDnBM4wfnD2rpqmRCaIN3CXfLyFEt3pkBorNGt7o75YvUcha8U/ieC7RUYNSZF/TlhiYxJr0g5grHIxz+gjUwdWKqNx2UxEqKRJGDCu0ReKCpVHoESJdENltt0N5xPFYlEdNxqvq4t31jrGuaWLwp5saDORvNXhohF9R2Bnhn3Bk9f7ss1/BvV6fC+MidYzcRfVaL7YZ3kAzVtnlaQ3wsdTZv7r7IBL2b63XPNezSGNovkefN/C1TDxt2xae3UwJ138jJkTyW9I+e11D1VaMvIiBtEf2MivEyKNB0qbh57IfHmzxQy3++b4bXllATw4Y4kK8Rsl6fobBK4uVMNP9XK0Bh/P3WaHIXNRzaA+PhmmF6FQvFEHmRxz1Zgjgmh7OeXm1JYL1iGG2llpZP/Q1wVZUjJ4EN1zBU8apcGfDZnckCRaCx6tKBHBv1VNlc2W0N7tT3jOmFYgo8snm4Kb5h7yAmXkWMMPa2ZNqdCPO/5bV946zJvZoq0XJw==
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d2537efb-5e0f-4121-d9c4-08da76c50869
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Aug 2022 09:29:44.9229 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 35CSplE3V4Rrwus77fQQVEvXp25TJRX2gHaXDmyXR7Z813zqNRrzeynm95j2UbZyuit6lKFT4X9oCL/l7soxYz9l13EK2sj8l3P0uCwVOSE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR10MB5357
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PeccEd7DLBPvkqcIkglG91hAg00>
Subject: [lamps] Fixed the RFC 8994 / ACP Subject Alternative Name example - Re: struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2022 09:29:53 -0000

Hi Corey et al.,

many thanks for helping us getting the ACP SAN example right.

On 04.08.22 15:20, Corey Bonnell wrote:
>
> Hi David,
>
> > (BTW, there is an erroneous self-reference to Section 6.2.2 within 
> itself.)
> > In this section I miss a definition which OID(s) to use for 
> acp-node-name etc.
>
> The errant section number reference should be 6.2.2.1 [1] (one of us 
> should file an errata on this),
>
> [1] https://datatracker.ietf.org/doc/html/rfc8994#section-6.2.2.1
>
Nice that you filed this erratum right away: 
https://www.rfc-editor.org/errata/eid7071


> which defines “id-on-AcpNodeName” as:
>
> id-on OBJECT IDENTIFIER ::= { id-pkix 8 }
>
> …
>
> id-on-AcpNodeName OBJECT IDENTIFIER ::= { id-on 10 }
>
> AcpNodeName ::= IA5String (SIZE (1..MAX))
>
> -- AcpNodeName as specified in this document carries the
>
> -- acp-node-name as specified in the ABNF in Section 6.2.2 
> <https://datatracker.ietf.org/doc/html/rfc8994#section-6.2.2>
>
> Given this definition of the value type, the example will also need to 
> be updated to use IA5String instead of UTF8String.
>
Ah, now I found it in in RFC 8994, too, and corrected the ACP SAN 
example as follows.

               [0] {
                 OBJECT IDENTIFIER '1 3 6 1 5 5 7 8 10'
                 [0] {
                   IA5String
             'fd89b714f3db00000200000064000000+area51.research'
             '@acp.example.com'
                   }
                 }

I've added to our repo a little script and config using OpenSSL for 
producing the extended and corrected example ASN.1 encoding:

openssl req -config csr.cnf -reqexts req_extensions -new \
-key <(openssl ecparam -genkey -name prime256v1) -subj /CN=test -out 
csr.pem
echo -e "\nExample CSR including extensionRequest attribute in text form:\n"
openssl req -in csr.pem -noout -text
openssl req -in csr.pem -outform der -out csr.der
echo -e "\nExample CSR including extensionRequest attribute in ASN.1 DER 
form:\n"
dumpasn1 csr.der

with this csr.cnf:

[req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = critical, @alt_names

[alt_names]
otherName = 
1.3.6.1.5.5.7.8.10;IA5String:fd89b714f3db00000200000064000000+area51.research@acp.example.com
DNS.0 = domain.example


Side note:
Now I wonder why the rather uncommon and cumbersome otherName choice has 
been taken for ACP.
Looks like implementation support for otherNames is not the best.
Since an IA5String should be used for ACP that looks like an email address,
one might have chosen instead the simpler and well supported GeneralName 
choice 'rfc822name':

    GeneralName ::= CHOICE {
         otherName                       [0]     OtherName,
         rfc822Name                      [1]     IA5String,
         dNSName                         [2]     IA5String,
         x400Address                     [3]     ORAddress,
         directoryName                   [4]     Name,
         ediPartyName                    [5]     EDIPartyName,
         uniformResourceIdentifier       [6]     IA5String,
         iPAddress                       [7]     OCTET STRING,
         registeredID                    [8]     OBJECT IDENTIFIER }


> As a more general note, I highly recommend using Russ’s excellent 
> pyasn1-alt-modules package as a reference for ASN.1 definitions when 
> it’s difficult to find them in RFC prose: 
> https://github.com/russhousley/pyasn1-alt-modules/blob/master/pyasn1_alt_modules/rfc8994.py#L34
>
Really very helpful!
One can simply replace the RFC number to get the declarations also for 
other RFCs.

Cheers,

     David



> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *David von Oheimb
> *Sent:* Thursday, August 4, 2022 8:31 AM
> *To:* Michael Richardson <mcr+ietf@sandelman.ca>
> *Cc:* LAMPS WG <spasm@ietf.org>
> *Subject:* Re: [lamps] struggling with CSRAttrs
>
> On 03.08.22 22:14, Michael Richardson wrote:
>
>     David von Oheimb<David.von.Oheimb@siemens.com>  <mailto:David.von.Oheimb@siemens.com>  wrote:
>
>          > Let's keep the original field names.  Also because this underlines the
>
>          > important fact that we do not change the ASN.1 syntax at all, which is
>
>          > critical for bits-on-the-wire compatibility, but we just clarify its
>
>          > use and interpretation.
>
>     I'm okay with that.
>
> Glad to hear.
>
>          > I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub
>
>          > repository.  Its new version contains various suggestions for
>
>          > improvements here and there.  Also updated the subjectAltName example
>
>          > to be of the more usual form of a dNSName and inserted two
>
>          > questions/remarks:
>
>     Why did you change the RFC8994/ACP example from a real acp example name to domain.example?
>
> I did so because I did not pay attention that this SAN example had 
> special relevance,
> but also because its ASN.1 encoding was flawed:
>
>  31 59:           [0] {
>  33  57:             UTF8String
>        :               'rfc8994+fd739fc23c3440112233445500000000+@acp.ex'
>        :               'ample.com'
>        :             }
>
> and because the dNSName variant is much more common.
>
> So I've just re-added the otherName variant, while correcting its 
> ASN.1 encoding
> and keeping the other SAN that I had added, with a dNSName value:
>
> SEQUENCE {
>           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>           BOOLEAN TRUE
>           OCTET STRING, encapsulates {
>             SEQUENCE {
>               [0] {
>                 OBJECT IDENTIFIER '??? TODO'
>                 [0] {
>                   UTF8String 'fd89b714f3db00000200000064000000'
> '+area51.research@acp.example.com'
>                   }
>                 }
>               [2] 'domain.example'
>               }
>             }
>           }
>
> Note that the otherName choice is defined (e.g., in 5280) as
>
>     OtherName ::= SEQUENCE {
>          type-id    OBJECT IDENTIFIER,
>          value      [0] EXPLICIT ANY DEFINED BY type-id }
>
> so you need to include an OID in the 'type-id' sub-field that gives 
> the specific SAN sub-type,
> governing the interpretation and type of the 'value' sub-field.
> I could not find any such OID in 
> https://datatracker.ietf.org/doc/html/rfc8994#section-6.2.2
> which says (among others):
>
>         Example:
>
>         Given an ACP address of fd89:b714:f3db:0:200:0:6400:0000, an ACP
>
>         domain name of acp.example.com, and an rsub extension of
>
>         area51.research, then this results in the following:
>
>           acp-node-name      = fd89b714f3db00000200000064000000
>
>                                +area51.research@acp.example.com
>
>           acp-domain-name    = acp.example.com
>
>           routing-subdomain  = area51.research.acp.example.com
>
>         The acp-node-name in Figure 2 is the ABNF definition ("Augmented BNF
>
>         for Syntax Specifications: ABNF" [RFC5234  <https://datatracker.ietf.org/doc/html/rfc5234>]) of the ACP Node Name.  An
>
>         ACP certificate MUST carry this information.  It MUST contain an
>
>         otherName field in the X.509 Subject Alternative Name extension, and
>
>         the otherName MUST contain an AcpNodeName as described in
>
>         Section 6.2.2  <https://datatracker.ietf.org/doc/html/rfc8994#section-6.2.2>.
>
> (BTW, there is an erroneous self-reference to Section 6.2.2 within 
> itself.)
> In this section I miss a definition which OID(s) to use for 
> acp-node-name etc.
>
>     Is there a reason not to include the line numbers from dumpasn1?
>
> Actually there are two reasons:
>
>   * those numbers are byte offsets and lengths, which are not
>     important here and just add clutter
>   * the numbers would be very cumbersome to keep consistent when
>     adapting the example
>
>     In the actual content, it goes from having the critical value shown, to
>
>     having:
>
>     +        OCTET STRING, encapsulates {
>
>     +          SEQUENCE {
>
>     +            [2] 'domain.example'
>
>     +            }
>
>     +          }
>
>     +        }
>
>     which I don't understand at all.  Is this a different dumpasn1 version?
>
> No, the 'critical' bit is before the 'value' field,
> thus it is shown just above the "OCTET STRING, encapsulates {"
>
>     if not, what are the actual bits on the wire changes?
>
> The tag "[0]" that had been placed with the 'critical' bit was wrong:
>
> [0] {
>             BOOLEAN TRUE
>             }
>
> so I corrected this to
>
> BOOLEAN TRUE
>
> See also the emails by Corey and me in this thread of Aug 2nd.
>
>          >    (TODO: Do we want to allow an empty extnValue (which is of type
>
>          > OCTET STRING), which would mean that the client is told to include
>
>          > an X.509 extension of the given type and fill in the concrete value
>
>          > itself?)
>
>     Yes, I thought we allowed exactly that before, as:
>
>               Attribute:  type = extensionRequest (1.2.840.113549.1.9.14)
>
>                           value = macAddress (1.3.6.1.1.1.1.22)
>
>     in RFC7030.
>
> Good point that this effect could already be achieved by such a type 
> of CSR attribute
> that is different from the "new" approach using a CSR attribute of 
> type extensionRequest.
> Yet IMO the new approach is more adequate because there the (request 
> for an) extension
> is in the context of the extensionRequest attribute, rather than "out 
> of place" in some other attr,
> where its OID is harder to understand and to process without this context.
> So I'd suggest stating that any such to-be-filled-in extensions SHOULD 
> be placed inside
> the CSR attribute of type extensionRequest with an empty OCTET STRING 
> as the extnValue.
>
>          >    (TODO: Note that this mechanism does not support telling the client
>
>          >    to include in the CSR a specific subject DN, simply because there is
>
>          >    no OID for this.  I think we should better make this clear, or we
>
>          > have to define such an OID if setting a subject name should be
>
>          > supported.)
>
>     I don't understand.
>
>     Telling the client to include a specific subject is exactly the problem we
>
>     are dealing with... or are you making a distinction here between subject DN
>
>     and subjectAltName?
>
> There is a clear distinction between
>
>   * a cert/CSR subject, which is (essentially) mandatory and is a
>     (Distinguished) Name and
>   * the Subject Alternative Names (SANs) optionally given as X.509
>     extension values.
>
> as can be deduced also from the following declaration from RFC 2986 
> (PKCS#10)
>
>     CertificationRequestInfo ::= SEQUENCE {
>          version       INTEGER { v1(0) } (v1,...),
>          subject       Name,
>          subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
>          attributes    [0] Attributes{{ CRIAttributes }}
>     }
>
> noting that any SANs are (indirectly) part of the 'attributes' field 
> value.
>
> As I wrote on March 9th 
> <https://mailarchive.ietf.org/arch/msg/spasm/KSBlnRVVTcgpEAM8eA_uEssHY2I/> 
> and April 5th 
> <https://mailarchive.ietf.org/arch/msg/spasm/PqCEDBk_Vd59bDDxb7hVDg41PKM/> 
> and likely already before,
> while SANs can be expressed as part of an extensionRequest CSR attribute,
> a regular subject field so far cannot be expressed in a CsrAttrs 
> structure.
> This is because no OID has been defined that could be used, e.g., in 
> the 'type' field of a CSR attribute
> and the CsrAttrs structure does not have any other field where a 
> subject Name could be placed.
>
>     David
>

v2.23.0 | Report a Bug | By Email