Re: [lamps] struggling with CSRAttrs

Michael Richardson <> Wed, 03 August 2022 20:15 UTC


David von Oheimb <> wrote:
    > Let's keep the original field names.  Also because this underlines the
    > important fact that we do not change the ASN.1 syntax at all, which is
    > critical for bits-on-the-wire compatibility, but we just clarify its
    > use and interpretation.

I'm okay with that.

    > I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub
    > repository.  Its new version contains various suggestions for
    > improvements here and there.  Also updated the subjectAltName example
    > to be of the more usual form of a dNSName and inserted two
    > questions/remarks:

Why did you change the RFC8994/ACP example from a real acp example name to domain.example?
Is there a reason not to include the line numbers from dumpasn1?

In the actual content, it goes from having the critical value shown, to

+        OCTET STRING, encapsulates {
+          SEQUENCE {
+            [2] 'domain.example'
+            }
+          }
+        }
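
Review bot: these added dumpasn1 lines carry no offset and length columns and show `[2]` as a bare context tag, so the example cannot be lined up against the encoded bytes or read without knowing the GeneralName choices. Suggest keeping the dumpasn1 columns in the draft's example and adding a short remark that `[2]` inside the encapsulated SEQUENCE is the dNSName choice.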

which I don't understand at all.  Is this a different dumpasn1 version?
If not, what are the actual bits-on-the-wire changes?

    >    (TODO: Do we want to allow an empty extnValue (which is of type
    >    OCTET STRING), which would mean that the client is told to include
    >    an X.509 extension of the given type and fill in the concrete value
    >    itself?)

Yes, I thought we allowed exactly that before, as:

         Attribute:  type = extensionRequest (1.2.840.113549.1.9.14)
                     value = macAddress (

in RFC7030.

    >    (TODO: Note that this mechanism does not support telling the client
    >    to include in the CSR a specific subject DN, simply because there is
    >    no OID for this.  I think we should better make this clear, or we
    >    have to define such an OID if setting a subject name should be
    >    supported.)

I don't understand.
Telling the client to include a specific subject is exactly the problem we
are dealing with... or are you making a distinction here between subject DN
and subjectAltName?

    > I also corrected the spelling of my (co-author's) name in
    > presentations/ietf114-lamps-csrattrs.{fodp,pdf}.

Sorry about that.

Michael Richardson <>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
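
The two encoding questions in this message (what the `OCTET STRING, encapsulates { SEQUENCE { [2] 'domain.example' } }` lines are on the wire, and what an empty extnValue would look like) can be checked byte by byte. The following is an added example, not code from the thread, the draft or dumpasn1: `tlv`, `san_extension`, `read_tlv` and `dump` are hypothetical helper names, the listing only imitates dumpasn1's offset/length columns, and no critical flag is encoded.

```python
# Added illustration, not from the thread or the draft; all helper names are hypothetical.
OID_SAN = bytes.fromhex("551d11")  # 2.5.29.17, id-ce-subjectAltName
NAMES = {0x04: "OCTET STRING", 0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}

def tlv(tag, content):  # one DER TLV with a definite length (short or long form)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def san_extension(dns_name=None):
    """Extension with extnID subjectAltName; dns_name=None leaves extnValue empty."""
    value = b"" if dns_name is None else tlv(0x30, tlv(0x82, dns_name.encode("ascii")))
    return tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, value))

def read_tlv(data, pos):
    """Return (tag, header_len, content_len) at pos; ValueError if malformed."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first, hdr = data[pos], data[pos + 1], 2
    if first >= 0x80:  # long form: low 7 bits count the length octets
        k = first & 0x7F
        if k == 0 or pos + 2 + k > len(data):
            raise ValueError("unsupported or truncated length")
        first, hdr = int.from_bytes(data[pos + 2:pos + 2 + k], "big"), 2 + k
    if pos + hdr + first > len(data):
        raise ValueError("truncated content")
    return tag, hdr, first

def dump(data, base=0, depth=0):
    """Return 'offset length: name' lines, descending into nested/encapsulated DER."""
    lines, pos = [], 0
    while pos < len(data):
        tag, hdr, n = read_tlv(data, pos)
        body, inner = data[pos + hdr:pos + hdr + n], None
        name = NAMES.get(tag, "[%d]" % (tag & 0x1F) if tag & 0x80 else "tag 0x%02x" % tag)
        if tag & 0x20:  # constructed: contents must parse, errors propagate
            inner = dump(body, base + pos + hdr, depth + 1)
        elif tag == 0x04 and n:  # OCTET STRING: try it as encapsulated DER
            try:
                inner, name = dump(body, base + pos + hdr, depth + 1), name + ", encapsulates"
            except ValueError:
                inner = None  # opaque bytes, shown as hex below
        if inner is None:  # primitive value: context tags as text, others as hex
            name += " " + (repr(body.decode("ascii", "replace")) if tag & 0x80 else body.hex() or "(empty)")
        lines += ["%3d %3d: %s%s" % (base + pos, n, "  " * depth, name)] + (inner or [])
        pos += hdr + n
    return lines
```

Running `print("\n".join(dump(san_extension("domain.example"))))` and the same call with `san_extension()` shows the two variants side by side; the empty form ends in the two octets `04 00`.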