[lamps] Feedback on figure 3 in draft-brockhaus-lamps-lightweight-cmp-profile-01

Justin Cranford <Justin.Cranford@entrustdatacard.com> Tue, 03 December 2019 23:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Pr5n_g6zpvgrglnYlUxH04-P-bA>

Hello,

Figure 3 shows the proposed message format for securely returning a remotely generated privateKey to a lightweight CMP client.

- https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-01#page-31


Feedback summary:

1. CMS SignedData should be the outer layer.
2. CMS ContentInfo should be used to wrap both of the CMS EnvelopedData and CMS SignedData layers.
3. CMS Data may be useful to wrap the privateKey payload.



Feedback details:

1. CMS SignedData should be the outer layer.
a) When a lightweight IoT client receives a response, it should do the lightweight SignedData verification first.
b) In other words, if a lightweight client does heavyweight EnvelopedData decryption first, and SignedData verification fails second, the client just wasted a lot of processing power, battery life, and time.
c) CMS SignedData can be used to provide extra data needed by the client to decrypt EnvelopedData. Consider if client and server both use EC key pairs.
Example: EnvelopedData contains KeyAgreeRecipientInfo using static-static ECDH algorithm. Client needs the server EC public key to compute EnvelopedData KEK. Server options for the originator KeyIdentifier in KARI include IssuerAndSerialNumber, SubjectKeyIdentifier, or OriginatorPublicKey. If server chooses IssuerAndSerialNumber, the client must find the server's EC public cert. That somewhere can be the SignedData certificates set if-and-only-if SignedData is outside EnvelopedData.

2. CMS ContentInfo should be used to identify the CMS EnvelopedData and CMS SignedData layers.
a) The lightweight client's CMS parser can do more strict verification of the response structure without incurring significant overhead.

3. CMS Data can be used to wrap the privateKey.
a) This is optional, but it might be useful to wrap the payloads.
b) If you choose to add a CMS Data layer, also wrap it with CMS ContentInfo like in point #2.



References:

I based my feedback on SCEP pkiMessage format from Gutmann SCEP draft 14. SCEP is a lightweight enrollment protocol with similar goals to lightweight CMP profile draft.

Gutmann SCEP draft 14 does a good job of explaining the structure of its secure pkiMessage format with different layers of ContentInfo, SignedData, EnvelopedData, and Data.

- https://tools.ietf.org/html/draft-gutmann-scep-14#page-13 (June 9 2019)

Gutmann inherited this message format from Nourse SCEP draft 23. However, Gutmann does a much better job showing and explaining the structure, so use the Gutmann reference.

- https://tools.ietf.org/html/draft-nourse-scep-23#section-3 (September 2011)

Here is a compact summary of the SCEP pkiMessage format. SCEP uses it for requests and responses.

- SCEP's pkiMessage = ContentInfo[SignedData[ContentInfo[EnvelopedData[ContentInfo[Data[payload]]]]]]


Summary:

Ignore SCEP payload formats since they are not applicable. Optionally use the same CMS Data layer. Definitely put SignedData first, and consider adding ContentInfo wrappers for all CMS layers.

Thank you,
Justin Cranford
Prin Software Developer
Entrust Datacard
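
The layer-order check described in points 1 and 2 of the message above, as an added example that is not part of the original message or of either draft: a client reads the ContentInfo type identifiers and rejects a response whose outer layer is not SignedData before spending any effort on signature verification or decryption. The function names are hypothetical, the sample message is constructed (no real signature or ciphertext), the sample assumes the SignedData eContentType names envelopedData directly, and the reader handles only low tag numbers and definite lengths.

```python
P7 = bytes.fromhex("2a864886f70d0107")   # DER content octets of OID 1.2.840.113549.1.7
NAMES = {P7 + bytes([n]): name for n, name in ((1, "data"), (2, "signedData"), (3, "envelopedData"))}

def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for one definite-length DER element."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:                   # long form: the next n octets hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + length], off + length

def content_info(der):
    """Parse SEQUENCE { contentType OID, content [0] EXPLICIT } into (name, content)."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    t1, oid, off = read_tlv(seq)
    t2, content, off = read_tlv(seq, off)
    if (t1, t2) != (0x06, 0xA0) or off != len(seq) or oid not in NAMES:
        raise ValueError("not a recognised ContentInfo")
    return NAMES[oid], content

def layer_names(der):
    """Return [outer contentType, eContentType]; raises before any crypto is attempted."""
    outer, content = content_info(der)
    if outer != "signedData":
        raise ValueError("outer layer is " + outer + ", not signedData")
    tag, signed, _ = read_tlv(content)
    if tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    _, _, off = read_tlv(signed)             # version
    _, _, start = read_tlv(signed, off)      # digestAlgorithms
    _, _, end = read_tlv(signed, start)      # encapContentInfo, same shape as ContentInfo
    return [outer, content_info(signed[start:end])[0]]

def tlv(tag, body):                          # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample(outer_n, inner_n):
    """Constructed message (not real CMS output): ContentInfo(outer_n) around a SignedData-shaped body."""
    encap = tlv(0x30, tlv(0x06, P7 + bytes([inner_n])) + tlv(0xA0, tlv(0x04, b"ciphertext")))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + encap + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, P7 + bytes([outer_n])) + tlv(0xA0, signed))
```

`layer_names(sample(2, 3))` accepts the SignedData-outside ordering, while `sample(3, 2)` (EnvelopedData outermost) is rejected at the first OID comparison.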