IETF Logo Mail Archive

Re: [lamps] is the CSRattr ASN.1 broken or not ... Re: New Version Notification for draft-richardson-lamps-rfc7030-csrattrs-02.txt

Russ Housley <housley@vigilsec.com> Tue, 05 April 2022 18:33 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4815C3A0F35 for <spasm@ietfa.amsl.com>; Tue, 5 Apr 2022 11:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 76H9SCkM9iwu for <spasm@ietfa.amsl.com>; Tue, 5 Apr 2022 11:33:29 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19BCD3A0F0F for <spasm@ietf.org>; Tue, 5 Apr 2022 11:33:25 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id EE8A5A8952; Tue, 5 Apr 2022 14:33:23 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id DD990A82E8; Tue, 5 Apr 2022 14:33:23 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <6F455C15-2788-4938-8A96-F5DCA05021C3@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_18BB0B5D-6D20-4F0D-961B-EC39DCEC5F86"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Tue, 5 Apr 2022 14:33:23 -0400
In-Reply-To: <39d4e94a2be2b1a22317b9821f331bb8bca06971.camel@siemens.com>
Cc: LAMPS WG <spasm@ietf.org>
To: David von Oheimb <David.von.Oheimb@siemens.com>
References: <164667410940.12091.15394112688281514126@ietfa.amsl.com> <15416.1646681868@localhost> <D095D84D-9633-44BB-AA6F-440B8BC00F68@sn3rd.com> <5cfb6e20b225da072695a4f13088a8065203ca4e.camel@siemens.com> <9649E03B-99A8-420C-8D56-CC0CD0E5F8F8@vigilsec.com> <230008b3fdb35674f01eb37145a9e979d35a74b2.camel@siemens.com> <997A2058-20B5-4B95-AFFA-22FB145D798D@vigilsec.com> <39d4e94a2be2b1a22317b9821f331bb8bca06971.camel@siemens.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_OenynjOq9ZGlyKIZRUllHUZauA>
Subject: Re: [lamps] is the CSRattr ASN.1 broken or not ... Re: New Version Notification for draft-richardson-lamps-rfc7030-csrattrs-02.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2022 18:33:34 -0000


> On Apr 5, 2022, at 12:47 PM, David von Oheimb <David.von.Oheimb@siemens.com> wrote:
> 
> On Tue, 2022-04-05 at 11:57 -0400, Russ Housley wrote:
> 
>> I do not understand why my approach leads to a backward compatibility concern.
> 
> The problem hides in the part
> 
>> the values indicating the particular attributes desired to be included in the resulting certificate's extensions
> 
> and essentially is the same issue I also addressed earlier today:
> 
>>> The question is which kind of values (of type ATTRIBUTE.&Type({IOSet}{@type <mailto:{IOSet}{@type>}) ) should be given
>>> in case the OID  (of type  ATTRIBUTE.&id({IOSet})) is 1.2.840.113549.1.9.14 extensionRequest:
>>> Is each such value supposed to be 
>>> 1. an OID of an X.509 extension, such as 1.3.6.1.1.1.1.22 (macAddress), without a value, or
>>> 2. an actual X.509 extension of the existing type Extension (or Extensions) as defined in RFC 5280 section 4.1,
>>>     for example the OID 1.3.6.1.1.1.1.22 followed by the 'critical' flag and its actual value encoded as an OCTET STRING
>>> 
>>> Note that for syntactic and semantics reasons you cannot have both - either 
>>> 1. the example given in RFC 7030 was correct, then no X.509 extension value can be given by the server, or
>>> 2. the example was wrong, and a value must be given by the server. 
>>>     Yet the OCTET STRING could be the empty string to indicate that the client should fill in the real value.
>>>     [...]
>>> 
>>> The latter option is obviously more expressive, but note that this contradicts the example of RFC 7030, 
>>> and thus chances are high that (most) existing EST implementations chose the first option, which is not compatible with the second.
> 
> I agree with:
> 
>> Only if the same OID is being used in more than one way by different implementations is there a concern.
>> If we can list those, we might be able to just document the preferred approach and note the other things that are seen in the wild.
> 
> Yet as I wrote, I fear there are EST implementations that take the value of each extensionRequest Attribute simply as an OID with no value provided by the server,
> which is not compatible with the goal of being able to express for each extensionRequest Attribute, where needed, an actual X.509 extension with a value provided by the server
> (each being a structure having an OID, the criticality flag, and the encoded value).

I understand this point, but there are cases where the EST server does not need to provide a value.  I'm hoping that wehen we really see what everyone is actually doing, the gap will not be as bad as the imagined possibilities.

Russ

v2.8.7 | Report a Bug | By Email