Re: [lamps] struggling with CSRAttrs

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 03 August 2022 20:15 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: David von Oheimb <David.von.Oheimb@siemens.com>, LAMPS WG <spasm@ietf.org>
In-Reply-To: <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com>
Date: Wed, 03 Aug 2022 16:14:53 -0400
Message-ID: <3758.1659557693@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_DA-7l5xH-Htli17G9HCOSOa748>

David von Oheimb <David.von.Oheimb@siemens.com> wrote:
    > Let's keep the original field names.  Also because this underlines the
    > important fact that we do not change the ASN.1 syntax at all, which is
    > critical for bits-on-the-wire compatibility, but we just clarify its
    > use and interpretation.

I'm okay with that.

    > I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub
    > repository.  Its new version contains various suggestions for
    > improvements here and there.  Also updated the subjectAltName example
    > to be of the more usual form of a dNSName and inserted two
    > questions/remarks:

Why did you change the RFC8994/ACP example from a real acp example name to domain.example?
Is there a reason not to include the line numbers from dumpasn1?

In the actual content, it goes from having the critical value shown, to
having:

+        OCTET STRING, encapsulates {
+          SEQUENCE {
+            [2] 'domain.example'
+            }
+          }
+        }
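Review bot: these added lines drop the offset and length columns that dumpasn1 prints and no longer show the critical value that the earlier version of the example had, so a reader cannot tell from the hunk whether the DER bytes changed or only the rendering did; suggest keeping dumpasn1's complete output, columns included, for the `OCTET STRING, encapsulates {` / `SEQUENCE {` / `[2] 'domain.example'` lines so the example can be checked byte for byte against the text.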

which I don't understand at all.  Is this a different dumpasn1 version?
If not, what are the actual bits-on-the-wire changes?

    >    (TODO: Do we want to allow an empty extnValue (which is of type
    > OCTET STRING), which would mean that the client is told to include
    > an X.509 extension of the given type and fill in the concrete value
    > itself?)

Yes, I thought we allowed exactly that before, as:

         Attribute:  type = extensionRequest (1.2.840.113549.1.9.14)
                     value = macAddress (1.3.6.1.1.1.1.22)

in RFC7030.

    >    (TODO: Note that this mechanism does not support telling the client
    >    to include in the CSR a specific subject DN, simply because there is
    >    no OID for this.  I think we should better make this clear, or we
    > have to define such an OID if setting a subject name should be
    > supported.)

I don't understand.
Telling the client to include a specific subject is exactly the problem we
are dealing with... or are you making a distinction here between subject DN
and subjectAltName?

    > I also corrected the spelling of my (co-author's) name in
    > presentations/ietf114-lamps-csrattrs.{fodp,pdf}.

Sorry about that.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
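What the dumpasn1 fragment in the message above leaves out, as an added example that is not part of this thread, of the draft, or of dumpasn1: a constructed Python 3 program that DER-encodes an extensionRequest attribute (1.2.840.113549.1.9.14) carrying a subjectAltName (2.5.29.17) extension whose extnValue encapsulates a SEQUENCE with one [2] dNSName, and renders the bytes dumpasn1-style with the offset and length columns so they can be checked. It also covers the empty-extnValue case from the TODO. The encoder, the printer, the `critical=True` choice and the name 'domain.example' are assumptions of this example; only the OIDs and the Attribute/Extension/GeneralName structure come from PKCS#9, X.509 and RFC 7030.

```python
# Constructed example: a tiny DER encoder and a dumpasn1-style printer, written
# for this illustration; none of it is code from the draft, RFC 7030 or dumpasn1.
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest
OID_SUBJECT_ALT_NAME = "2.5.29.17"               # id-ce-subjectAltName

def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def tlv(tag, body):
    """One tag-length-value element (single-octet tags suffice here)."""
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> content octets: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(content):
    """Inverse of encode_oid, for the printer."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def san_extension(dns_names, critical=False):
    """Extension { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }; extnValue
    wraps GeneralNames, a SEQUENCE of [2] IMPLICIT IA5String dNSNames; no names -> empty."""
    names = b"".join(tlv(0x82, n.encode("ascii")) for n in dns_names)
    extn_value = tlv(0x30, names) if dns_names else b""
    body = tlv(0x06, encode_oid(OID_SUBJECT_ALT_NAME))
    if critical:  # DER omits a DEFAULT value, so FALSE is never put on the wire
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, extn_value))

def extension_request_attribute(extensions):
    """Attribute { type extensionRequest, values SET { Extensions SEQUENCE OF Extension } }."""
    values = tlv(0x31, tlv(0x30, b"".join(extensions)))
    return tlv(0x30, tlv(0x06, encode_oid(OID_EXTENSION_REQUEST)) + values)

def read_header(buf, pos):
    """(tag, length, header size) of the element at pos; raises if it is truncated."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    if pos + 2 + n + length > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    return tag, length, 2 + n

def looks_like_der(body):
    """dumpasn1's heuristic: do the octets parse as a run of whole elements?"""
    pos = 0
    try:
        while pos < len(body):
            _, length, hdr = read_header(body, pos)
            pos += hdr + length
    except (IndexError, ValueError):
        return False
    return bool(body)

LABELS = {0x30: "SEQUENCE", 0x31: "SET", 0x06: "OBJECT IDENTIFIER", 0x01: "BOOLEAN",
          0x04: "OCTET STRING", 0x82: "[2]"}
DETAIL = {0x06: lambda b: " " + decode_oid(b),
          0x01: lambda b: " TRUE" if b == b"\xff" else " FALSE",
          0x82: lambda b: " '%s'" % b.decode("ascii"),
          0x04: lambda b: " (empty)" if not b else " " + b.hex()}
def dump(buf, pos=0, end=None, depth=0, out=None):
    """Render DER as '<offset> <tag> <len>: <label>' lines, descending into constructed
    elements and into OCTET STRINGs whose content is itself DER ("encapsulates")."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    indent = "  " * depth
    while pos < end:
        tag, length, hdr = read_header(buf, pos)
        body = buf[pos + hdr:pos + hdr + length]
        label = LABELS.get(tag, "[%02X]" % tag)
        if tag & 0x20 or (tag == 0x04 and looks_like_der(body)):
            suffix = " {" if tag & 0x20 else ", encapsulates {"
            out.append("%4d %02X %4d: %s%s%s" % (pos, tag, length, indent, label, suffix))
            dump(buf, pos + hdr, pos + hdr + length, depth + 1, out)
            out.append(" " * 12 + ": " + indent + "  }")
        else:
            label += DETAIL.get(tag, lambda b: "")(body)
            out.append("%4d %02X %4d: %s%s" % (pos, tag, length, indent, label))
        pos += hdr + length
    return out
if __name__ == "__main__":
    attr = extension_request_attribute([san_extension(["domain.example"], critical=True)])
    print("\n".join(dump(attr)))
    print("\n".join(dump(san_extension([]))))  # the empty-extnValue case from the TODO
```

Run it as a script to see both dumps. Two things the output makes visible that the bare labels do not: with the offset and length columns present, any change in the encoded bytes shows up as changed numbers even when the labels read the same, and because DER requires a DEFAULT value to be omitted, a non-critical extension contains no BOOLEAN element at all, so a dump without a critical line can reflect a genuine bits-on-the-wire difference rather than a different dumpasn1 version.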