IETF Logo Mail Archive

Re: [lamps] New Liaison Statement, "Liaison statement to IETF on RFC 5280 attribute length limitations"

Rob Stradling <rob@sectigo.com> Wed, 12 January 2022 17:43 UTC

Return-Path: <rob@sectigo.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F71D3A1658 for <spasm@ietfa.amsl.com>; Wed, 12 Jan 2022 09:43:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sectigo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wXFzHZ8ZJLnq for <spasm@ietfa.amsl.com>; Wed, 12 Jan 2022 09:43:01 -0800 (PST)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2052.outbound.protection.outlook.com [40.107.244.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA0913A1657 for <spasm@ietf.org>; Wed, 12 Jan 2022 09:43:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=f4M1lkcIH4eesIdQv46gxECMcRp51O6tUN3lGhnUNnUbA8egb6tyC3ipAk3s31o1bOOAuqEtO/uJcv0e5sVXeZR93QtQKhU67Ny7TTQrJMW4+AyVwPM7JUUJtFAgkobGShzjBuJ5I2q0q7MZAYitpxdJZTJJTsvfVjN35mKdvfJzy/PLYE/RfsH/klj3CkfUcd99wVX1i5TY6JVkeMkawOt3lj8v2c1cvUP1K9eKoZUbhBCJvqQgQaQWuxjClwq5TXqXyKbdUaNte4WGtj+EaVdzdaPxR1pNL/+V/UzHas0lblBwQOU654+EsJOXE5Wtl1JnZR/K2u3jE7HZTSwXIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WievIUsmw9h/EexjvqVcVijhw1b91x3aVTF9QfdY+N8=; b=ZKeQcQ3YQyFOwbDKIrQra9/OEW+vFDL7n2XATPTbbye8/vvrVgerxPGq+KQa8gT6wXubAPi6vtF6TYZ3eBfUYagl+b8jhhdr9vBjp0PSxnvPhy9QXUCH4DljnamxqokKTDAaaygAa9mmmlLLasLgIN/HycxesAOwWZWFJLteChtOPDsGEVrbDJkWqh0eMbMiA4M0tPmKhNNl2xThoMuFN5spK2Y3K7B4qV5N8o8bAI1JHiv5c/A89DOwdpsCwM3m41WO++M/EbkbSQGL1wivuJksNfF7yKO8grelZZAvdxMXdd+J11AgM9fOKL5qZNSd2V1tvYGVm5CslslZGGVxjA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sectigo.com; dmarc=pass action=none header.from=sectigo.com; dkim=pass header.d=sectigo.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sectigo.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WievIUsmw9h/EexjvqVcVijhw1b91x3aVTF9QfdY+N8=; b=jMQ2Sq0OZxk8mIeaIFGWsKeqtK1hd2R+R8ayNrgOwUS+iFPoa1vCE7SIK+X6FmjFKkwq2nk+EhKtJaCCXisUv98gXVEo62B+cVzuuQt1LbvzRDy4+tueOfHX+7iwu5pEuGfF7/JE/GZmGi54iC9cd9fYpsGlUcRG78ByG+AkpYc=
Received: from MW4PR17MB4729.namprd17.prod.outlook.com (2603:10b6:303:106::18) by SA1PR17MB5603.namprd17.prod.outlook.com (2603:10b6:806:1ce::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.10; Wed, 12 Jan 2022 17:42:56 +0000
Received: from MW4PR17MB4729.namprd17.prod.outlook.com ([fe80::1c52:3871:73:34a8]) by MW4PR17MB4729.namprd17.prod.outlook.com ([fe80::1c52:3871:73:34a8%4]) with mapi id 15.20.4888.011; Wed, 12 Jan 2022 17:42:56 +0000
From: Rob Stradling <rob@sectigo.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>, Stefan Santesson <stefan@aaa-sec.com>
CC: Roman Danyliw <rdd@cert.org>, Russ Housley <housley@vigilsec.com>, Limited Additional Mechanisms for PKIX and SMIME Discussion List <spasm@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Tim Hollebeek <tim.hollebeek@digicert.com>
Thread-Topic: [lamps] New Liaison Statement, "Liaison statement to IETF on RFC 5280 attribute length limitations"
Thread-Index: AQHYBz1vVlmzatyV9EiazMmzhPZMuqxedfSAgAAJogCAAJZXgIAAR5sAgAAt+ACAABHUAIAAAfF6
Date: Wed, 12 Jan 2022 17:42:56 +0000
Message-ID: <MW4PR17MB4729558CC0302F4D9D917343AA529@MW4PR17MB4729.namprd17.prod.outlook.com>
References: <164194125924.20287.2467064234655000140@ietfa.amsl.com> <3c2fe3af-6b13-d841-0922-ac5657776cd6@aaa-sec.com> <CAErg=HFgi6mU7GKZ7JdK=fgCiLXSD4gG+omG1eWuUSrHNHWGew@mail.gmail.com> <816dd057-d3cc-f3a2-c523-a5f96b1a9474@aaa-sec.com> <CAErg=HHxfE_FWC8pjUWZCMEynbkf6AJhPTjrcJDm1fRDQYxmQQ@mail.gmail.com> <5e99182e-fa72-ff5b-0a81-c91b8add588e@aaa-sec.com> <CAErg=HFo2TgVxD=i3ONJXYCnuZzJwsLkqmW8RjkRrtKZMCH3SQ@mail.gmail.com>
In-Reply-To: <CAErg=HFo2TgVxD=i3ONJXYCnuZzJwsLkqmW8RjkRrtKZMCH3SQ@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
suggested_attachment_session_id: 8b7e672e-220f-c58b-84cf-0af59886c4f3
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=sectigo.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: afc001d3-a0ca-4b05-43a5-08d9d5f2f7a7
x-ms-traffictypediagnostic: SA1PR17MB5603:EE_
x-microsoft-antispam-prvs: <SA1PR17MB5603D98BDC59AABB37D16EA6AA529@SA1PR17MB5603.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BuVxdcrAXunbql9ESomXivHBpwy4Muoz5BxIBPuvBpE0s0zZ/kZ6Dc21ufG346F/9ZXRL2imxf1xZKeWzUTsLGlfxnJhZBgCyhiaWhpVQT7Y0U0rbEe/YxgP5JfA8mNPS5tcxZVa2R3v6946/BzkhmmWY1kkwFc5HGLEt8y9IcVlAJvmZwJ990OcKjueG5U2hFAe2plt+MSg8Z5NnjC+Ap0wZXkPqp60lHFnOzPmESngBeyReDTisj3O6jGeTk5nn9rYi6geSajXq1G04pkaR5mpMDIhW6y3DBe0Ad12vKNATVCzoz8ATfL62RIZOXbsw5aoFLULm3uPAAkqtOeyzi/+vwpYPfuJLlS+uQQQI8Gg48F8ScCQbfGJ0pNqtuwtAMZSOTmuNpfd4gsmiupU+Ge6xcvh7PEVrTLqmoqPy812GPMj2fPNeiagxDAWhwIGJ348ezNf9W9+5fntBoyfvm7By0+zb1UkZ8Hoh6GsdKZDaFw893a11F5eylvUh8ZWYS9OKgM8swYdCd98CPsCS7vXhK4IZFQ6sljT8TfKYJdv3UybglKB9oytWkEavFZo32Il7qomcFrt/ROcNMSp2DPVSqgGuHn4EZCmH9Lj3PqxmDnGEirizOaLgS9ZSvG4xXcMK2EHWsWlT7GnxWF2JMqdmdOyfEhslPaaOesMwaidWJlJoeaZaDPZVWtb3fGyacS7tXnFbtPVmmRfOjWISLfK1JlNalgnpLcd3bUMSswAmeKVpXJdI/Lnvo83LKOc4M50Kgb4i49INEbZkoKRmQg9mu1/Q8oDgrlOii+5ghw=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW4PR17MB4729.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(86362001)(66574015)(66946007)(110136005)(2906002)(91956017)(83380400001)(8676002)(66556008)(55236004)(122000001)(4326008)(64756008)(9686003)(5660300002)(19627405001)(38100700002)(66476007)(66446008)(76116006)(316002)(166002)(54906003)(52536014)(38070700005)(33656002)(19627235002)(26005)(7696005)(71200400001)(966005)(6506007)(186003)(508600001)(53546011)(8936002)(55016003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Z0JVprIwOEWF+q5AijaSgmhd/ZTcSkp4IRgOLLILNXaJWEFLkhBWS3KXw9umHRqLoF7oH+rRYYdq463caJqYABfosuVTCjWQ7HBPr6cyWgBljskZ/e93WMomRkzchEz5vHDoSfz1jgbhLiyB7twMJgoSl/B5w8bQ97gp3nc+lXShLvllElL3dHj1azQ8RUzT1MprZX9HXNxjHA7sj4oAph7upd0UupvrOdq/qkZ1AJUNn4JlJpIBl8M942pMhxktcLPNIfQnmcTHnyfywKbul7NE0U+rCFmHJYSFWgQbrYxQCF1q3WoVlBZwTb9ahQd17QhOGfJDKGRmjs36uNu8KOxC//PjZ0l2L/ZpI7Y+zuzuW3zyCJI5rlh/dEXV43DxMtrNNHD/YR5lDQQv92ubTLtebJaS9F0FFLFESAr68VA1R8JRedX1sPnJFb+xIglX7V+vcNu0uziG4deNi2BlRbAz4nozzIxgl1IArldrreO06RG4I+78IjwVL8Z1VenoHEEm5YWHU0qiSxBy0cgaSVL6G5JfNsUuxckF2YRgxxBpIGn45QB8cx2YBOq41kIB8kd6m45+YgRI02F2nb7+3NhxiX9tCn6bNuIGLuxvZ7YLL0T+UTySfNnmzjgYgOeFi78MkbhwUzHVeDa4G+MXKqUz2IJFwGK6O6g/CPg67q9miLGZoTD7tVrPx1katbDpy9ksmKBQCzIrPvSo9UHtF4tSaK6JqWEucHbmwSOJU3sillPTyVbyjz2WZbF89wXMIexR+Dzywvy3qP6fdhr25sh9nB0hXA/8yTzDYvCklcoExJou48dyjUpC0Egq45sQ0Nqp8XhvdZ8eqIUgjC6UUVrVjF3KvKjWJZLGt/AqTTNwS3tegXSCdy8QfQSK7yCzkH7Y2zg9M0NOot94lcFivTBsnZDvMctxRnDzDYi25l+Dnu+Ee7skO7TMw2YCviR2G3iCOns9Lp4dM4bB6aIL9YacZA3amqYlJbf56+7rW0cmSirt8qPrnVW3jG8DhV+G5iTd3qHO3zLmeo9eSFBoDbG3Sy4xnj+DCBuMLCE47lr9/j1yF0XyWBBAS4Gy+MoTnoVNHImKmPjwpHmnW8Z5tWx47E6/VFUNrQ7QwXIwkWCoT3ubISJhrhJtwpleMx4L6rkeXAUyqlah8Go82rM/lYxi6Ia5dIEbUVoKqiZRa8YMSUGeuSfJNHKVxPkRKrz7vFZRu/4byZopekSjxO4BBSH44Fp67Ut0ARoFTHP/IJfHVbl7DcbxZ3qNc6FATIqWTKL5gibIWj5jriw2gQ6Su0X3DUyQFI2mwNxy31Hy8tXUJzWmlYGiYaQ0bTFqr5tMGTEurZv/m59Csp1LACAXk6nPgx2EFd3XWDxWsYmXQ4tuFoAlOvqgOhBToowtsY1MrCuWP6l2c0lJQYrXMe9e5GrDmmTR6ZcUjDopGLr1tez9eYtHq2Q5Ivol/VcbqGmLfaNEqzgdDELfBf6Gsv1gbxdXMUVW7aLM3uM24E8+26K1cTFdaazlWpdSqxBmiQF84+tO1P1sB0hRNR+MbXSrl3A/hnrHVOHApPKRakJm/BuZ1/PKr7m1PBMtY2Foy2LzrikZF4N9HwLSdjSiRb3LlA==
Content-Type: multipart/alternative; boundary="_000_MW4PR17MB4729558CC0302F4D9D917343AA529MW4PR17MB4729namp_"
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR17MB4729.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: afc001d3-a0ca-4b05-43a5-08d9d5f2f7a7
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2022 17:42:56.1809 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: VrjVmEeoNih0qY5AilFxKZ2aXJlqEAxh5JNQGW+LXhCC8Mf0la9AtcizzlLb8f21fRfW9o999WYqc7RZDOREdg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR17MB5603
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/WZyXcCCr-0j7ONNcc8xyZxh0PJc>
Subject: Re: [lamps] New Liaison Statement, "Liaison statement to IETF on RFC 5280 attribute length limitations"
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jan 2022 17:43:06 -0000

Ryan wrote:
> RFC 5280 should be seen as exactly what it specifies it is: a narrower profile of X.509 suitable for Internet applications.

+1, and retaining the traditional "upper bounds" in RFC5280 can legitimately be seen as part of that narrower profiling.

ISTM that if ETSI don't want to be restricted by RFC5280's narrower profile, then ETSI should consider profiling X.509 directly and not referencing RFC5280 at all.

IETF believes in Rough Consensus and Running Code.  Breaking backwards compatibility would be likely to break Running Code, and I dare say it would do serious damage to Rough Consensus too.

> This would be no different than if the BasicConstraints PDU was redefined from being SEQUENCE { BOOLEAN, INTEGER } to being SEQUENCE { SEQUENCE, BOOLEAN, INTEGER }. We would, undoubtedly, agree that is a backwards-incompatible change, and the solution for such a need would be simply a BasicConstraintsV2 structure with that syntax, and, corresponding, a new id-ce-basicConstraintsV2 object identifier to identify that extension.

Funnily enough, this already happened.  šŸ™‚

https://datatracker.ietf.org/doc/html/draft-ietf-pkix-ipki-part1-01#section-4.2.6 defined a draft version of Basic Constraints that was altered before RFC2459 defined what we use today.

I'm not sure if there's an official repository of PKIX certificate extension OIDs that have been deprecated due to backwards-incompatible changes, so in the absence of that I give you this...

> curl -s https://lapo.it/asn1js/oids.js | grep basicConstraints
"2.5.29.10": { "d": "basicConstraints", "c": "X.509 extension.  Deprecated, use 2 5 29 19 instead", "w": true },
"2.5.29.13": { "d": "basicConstraints", "c": "X.509 extension.  Deprecated, use 2 5 29 19 instead", "w": true },
"2.5.29.19": { "d": "basicConstraints", "c": "X.509 extension" },

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: 12 January 2022 17:00
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Roman Danyliw <rdd@cert.org>; Ryan Sleevi <ryan-ietf@sleevi.com>; Russ Housley <housley@vigilsec.com>; Limited Additional Mechanisms for PKIX and SMIME Discussion List <spasm@ietf.org>; Benjamin Kaduk <kaduk@mit.edu>; Tim Hollebeek <tim.hollebeek@digicert.com>
Subject: Re: [lamps] New Liaison Statement, "Liaison statement to IETF on RFC 5280 attribute length limitations"


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.



On Wed, Jan 12, 2022 at 10:56 AM Stefan Santesson <stefan@aaa-sec.com<mailto:stefan@aaa-sec.com>> wrote:

Ryan,

Very interesting discussion, but unfortunately off-topic.

Hi Stefan,

Could you clarify what's off-topic? I think this is very core to the discussion regarding compatibility, as highlighted by Russ and Peter, so perhaps I'm explaining these things poorly, since it sounds like there's still some resulting confusion or disagreement.

The issue at hand is - Should RFC 5280 deviate from X.520 with regard to max size limits on X.520 defined attributes.

If so, then please specify:

1) Why that is a good idea, and

Yes. That ship has sailed, software has shipped, and we deal with it going forward. The issue is that X.509 made a backwards incompatible change, whether intentionally or ill-conceived.

2) How a certificate verifying application would know if the X.520 definition of the attribute or the RFC 5280 definition of the same attribute should be enforced?

Simple. An application that uses the ASN.1 modules from RFC 5280, or, alternatively, RFC 5912, will not be able to decode such certificates. RFC 5280 should be seen as exactly what it specifies it is: a narrower profile of X.509 suitable for Internet applications.

Constraints are part of the type definition, as covered by X.682. They affect the encoder and decoder, and thus, are key to understanding interoperability. The issue is that X.520 redefined the types, without redefining the type identifier, and thus, compatibility problems are introduced for anything using the existing type specifier.

The request is for RFC 5280 to update the types to match X.520, thus introducing the same redefinition issue. This would be no different than if the BasicConstraints PDU was redefined from being SEQUENCE { BOOLEAN, INTEGER } to being SEQUENCE { SEQUENCE, BOOLEAN, INTEGER }. We would, undoubtedly, agree that is a backwards-incompatible change, and the solution for such a need would be simply a BasicConstraintsV2 structure with that syntax, and, corresponding, a new id-ce-basicConstraintsV2 object identifier to identify that extension.  My discussion of how ETSI can relieve any perceived incompatibilities is precisely to use what has been the recommendation of X.509 for quite some time: if you are defining a new type (as a different constraint inherently is), then identify it with a new type identifier. It's just that simple.

v2.23.0 | Report a Bug | By Email