Re: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 15 December 2023 07:59 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Michael StJohns <msj@nthpermutation.com>, Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: AW: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01
Thread-Index: AQHaKuoqWKBxthK6Iku2/A9KzmT/mLCjrUOwgAWHaACAAM2ZAA==
Date: Fri, 15 Dec 2023 07:59:51 +0000
Message-ID: <DB9PR10MB5715F2DC533307EC8C4F738FFE93A@DB9PR10MB5715.EURPRD10.PROD.OUTLOOK.COM>
References: <99DEDEBF-35D7-4EE5-BABF-63A9F6D02C29@vigilsec.com> <3EEC4C31-31E2-462C-BB82-010F17E996A0@vigilsec.com> <3931a166-c465-4861-8101-50ebadb99a21@nthpermutation.com> <4CEF723E-614F-446A-8D80-EC63AF07C8F5@vigilsec.com> <d66f65e1-0119-46a0-8764-29fc65f63e75@nthpermutation.com> <801C3122-0410-426E-BFB8-F269CA1DA9D9@vigilsec.com> <73092f78-ba01-4709-9e39-7658e300e788@nthpermutation.com> <FBBC550B-257A-4189-84AA-E6493EC008F2@vigilsec.com> <3ae04ff9-7ad5-40fb-8552-832a3a43847b@nthpermutation.com> <F070F503-DE63-4E86-A2AA-BB77CC618F90@vigilsec.com> <53b35103-eff1-43f4-9a11-d7ed9b9771c2@nthpermutation.com> <DB9PR10MB571578EC6E7A86F55ACA66C5FE8FA@DB9PR10MB5715.EURPRD10.PROD.OUTLOOK.COM> <922a1e0b-2e3c-41c3-b5ad-a26464988ede@nthpermutation.com>
In-Reply-To: <922a1e0b-2e3c-41c3-b5ad-a26464988ede@nthpermutation.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RaPq8cRJE2uMeM5sBFr3IW1vkXI>
Subject: Re: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01

Mike

Thank you for your comments.
The two drafts shall move along together. Until RFC 9480 was released there was nothing to do from the author's side. Therefore the draft expired. But I am preparing an update with some minor editorial changes from RFC 9480.

I see your points regarding the ASN.1 module names and OIDs. I need to think about it and come back to your suggestions. Thank you.
As I am not an ASN.1 module expert, I appreciate any proposals.

Hendrik

From: Michael StJohns <msj@nthpermutation.com>
Sent: Thursday, 14 December 2023 20:39
To: Brockhaus, Hendrik (T CST SEA-DE) <hendrik.brockhaus@siemens.com>; Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Subject: Re: AW: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01

On 12/11/2023 2:21 AM, Brockhaus, Hendrik wrote:
Mike

Thank you for pointing this out. I was also thinking about how to best express this.
My understanding is that 4210bis obsoletes 4210 and 9480 and updates 5912. In parallel 6712bis obsoletes 6712 and 9480.
I am preparing updated versions of both -bis drafts on https://github.com/lamps-wg/cmp-updates/ reflecting the released documents RFC9480 - RFC9483.
I am currently following the discussion on cms-kemri regarding the KDF input as it may also affect the specification of KEM-based message protection in 4210bis Section 5.1.3.4.

As always, any feedback or proposals are welcome.

Hi -

--> The 6712bis draft is expired since February.  If these are a pair, they'll need to move along together.  If they both move then I think your approach works.

--> The OID/NAME for the updated 5912 module bothers me.  RFC4210 has PKIXCMP - with a module of id-mod-cmp2000 (16) under 1.3.6.1.4.1.5.5.7.0.   RFC5912 has PKIXCMP-2009 with id-mod-cmp2000-02 (16).   RFC9480 has PKIXCMP with id-mod-cmp2021-88 (99) and PKIXCMP-2021 with id-mod-cmp2021-02(100).

4210bis has PKIXCMP-2023 and id-mod-cmp2023-02(TBD2).  Not sure what the -02 gives you here - or is that meant to indicate 2002 standard?  If so - maybe PKIXCMP-2023-02 as well.

This seems a bit scattershot and makes it a bit difficult to figure out which ASN1 module supersedes another one.  Would versioning the OID make more sense?  (e.g. same module number plus two components for major/minor versions).  So 1.3.6.1.4.1.5.5.7.0.16.2023.1 for PKIXCMP-2023? (Or PKIXCMP-2023-02?).

--> Is there a standard practice in the PKIX world for module and module tag names and OIDs for replacement modules?  Does IANA have such a thing?

--> RFC9480 has the notation that PKIX still considers -88 modules to be the gold standard.  Is this still the case?  From A.1 of RFC9480:
Although a 2002 ASN.1 module is provided, this 1988 ASN.1 module remains the normative module, as per the policy of the PKIX Working Group.

--> Next - for the changes to the body of the module, are there any upstream modules where such a change could be problematic or limiting?  E.g. importing an enum that's been extended?  (Do we have a tool for scanning for imports and doing the cross verification?)

--> Lastly, it would probably make sense to include within the body of the module (in ASN1 comment blocks) the OID of the module this one is replacing and the specific changes or updates that were made between the two.  e.g. for the most part the extracted module ought to be stand-alone.

Later, Mike

Hendrik

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael StJohns
Sent: Saturday, 9 December 2023 22:53
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Subject: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01

Thanks for the changes in the write up.  Comment below.


On 12/9/2023 4:19 PM, Russ Housley wrote:

Mike:

On 12/8/2023 2:56 PM, Russ Housley wrote:

I didn't actually notice that one at the time - now RFC 9480. But what a mess.   I see that there is a RFC4210bis document in progress (https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc4210bis/) and not one for 4211 - is that the one you meant?  I also see that the 4210bis document is missing an Obsoletes RFC9480 tag, except it can't have one because RFC9480 updates multiple documents... I'm not seeing this as a shining example of what to do....  the only saving grace is that the referenced document here is only cutting and pasting a single upstream document.

Yes, I meant RFC 4210.

RFC 4210 is updated by RFC 6712, RFC 9480, and RFC9481.  rfc4210bis should obsolete RFC 4210 and RFC 9480.

Except that RFC9480 doesn't just update RFC 4210. It also updates RFC 5912 and RFC 6712. If you obsolete 9480, what does that mean for the changes marked within that document that apply to 5912 and 6712? Generally "Obsolete" in RFC speak means "completely replaced", but the 4210bis document doesn't completely replace RFC9480.

Can a document be "Updated By" a second document that's marked as Obsolete?

As I said - this looks like a mess.

Mike