IETF Logo Mail Archive

Re: [lamps] struggling with CSRAttrs

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 30 September 2022 21:19 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 055FDC14CF08 for <spasm@ietfa.amsl.com>; Fri, 30 Sep 2022 14:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y7W6KxmmAr2k for <spasm@ietfa.amsl.com>; Fri, 30 Sep 2022 14:19:08 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE704C14F6E5 for <spasm@ietf.org>; Fri, 30 Sep 2022 14:19:08 -0700 (PDT)
Received: from dooku.sandelman.ca (host-87-4-189-54.retail.telecomitalia.it [87.4.189.54]) by relay.sandelman.ca (Postfix) with ESMTPS id E08751F455; Fri, 30 Sep 2022 21:19:05 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 429BE1A0753; Fri, 30 Sep 2022 23:19:04 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: David von Oheimb <David.von.Oheimb@siemens.com>, LAMPS WG <spasm@ietf.org>
In-reply-to: <399c3a1e-ee28-cc85-6e6a-cee210e70753@siemens.com>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com> <3758.1659557693@localhost> <399c3a1e-ee28-cc85-6e6a-cee210e70753@siemens.com>
Comments: In-reply-to David von Oheimb <David.von.Oheimb@siemens.com> message dated "Thu, 04 Aug 2022 14:31:20 +0200."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 27.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 30 Sep 2022 23:19:04 +0200
Message-ID: <926494.1664572744@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aLM_mx8_hBnKLgB6k1y9NMSDBIk>
Subject: Re: [lamps] struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 21:19:13 -0000

{sorry for the time warp mail}

David von Oheimb <David.von.Oheimb@siemens.com> wrote:
    mcr> Is there a reason not to include the line numbers from dumpasn1?

    > Actually there are two reasons:

    >  * those numbers are byte offsets and lengths, which are not important
    > here and just add clutter

okay, but they might help someone who was trying to understand the example.

    > * the numbers would be very cumbersome to
    > keep consistent when adapting the example

This isn't hard to manage if we store DER files into the repo, and generate
the dumpasn1 in the Makefile.

   > See also the emails by Corey and me in this thread of Aug 2nd.

Yes, I'm now clued in to what's going on.

    >> >    (TODO: Do we want to allow an empty extnValue (which is of type >
    >> OCTET STRING), which would mean that the client is told to include >
    >> an X.509 extension of the given type and fill in the concrete value >
    >> itself?)
    >>
    >> Yes, I thought we allowed exactly that before, as:
    >>
    >> Attribute: type = extensionRequest (1.2.840.113549.1.9.14) value =
    >> macAddress (1.3.6.1.1.1.1.22)
    >>
    >> in RFC7030.

    > Good point that this effect could already be achieved by such a type of
    > CSR attribute that is different from the "new" approach using a CSR
    > attribute of type extensionRequest.  Yet IMO the new approach is more
    > adequate because there the (request for an) extension is in the context
    > of the extensionRequest attribute, rather than "out of place" in some
    > other attr, where its OID is harder to understand and to process
    > without this context.  So I'd suggest stating that any such
    > to-be-filled-in extensions SHOULD be placed inside the CSR attribute of
    > type extensionRequest with an empty OCTET STRING as the extnValue.

I have captured this as:
  https://github.com/mcr/lamps-rfc7030-csrattrs/issues/8

    >>
    >> >    (TODO: Note that this mechanism does not support telling the
    >> client >    to include in the CSR a specific subject DN, simply
    >> because there is >    no OID for this.  I think we should better make
    >> this clear, or we > have to define such an OID if setting a subject
    >> name should be > supported.)
    >>
    >> I don't understand.  Telling the client to include a specific subject
    >> is exactly the problem we are dealing with... or are you making a
    >> distinction here between subject DN and subjectAltName?
    >>
    > There is a clear distinction between

    >  * a cert/CSR subject, which is (essentially) mandatory and is a
    > (Distinguished) Name and
    > * the Subject Alternative Names (SANs)
    > optionally given as X.509 extension values.

Oh, yes, I get this now.
I noticed though that one of the options for GeneralName is a DN.
I wonder if that would be meaningful, with the first DN going into the SubjectName.

However.  https://www.ietf.org/archive/id/draft-ietf-uta-rfc6125bis-07.html#appendix-A-2.2
says that we should not be using SN anymore, that it can be blank, but
of course, we can't do that in CA certificates, because the DN becomes the IN

    > As I wrote on March 9th
    > <https://mailarchive.ietf.org/arch/msg/spasm/KSBlnRVVTcgpEAM8eA_uEssHY2I/>
    > and April 5th
    > <https://mailarchive.ietf.org/arch/msg/spasm/PqCEDBk_Vd59bDDxb7hVDg41PKM/>
    > and likely already before, while SANs can be expressed as part of an
    > extensionRequest CSR attribute, a regular subject field so far cannot
    > be expressed in a CsrAttrs structure.  This is because no OID has been
    > defined that could be used, e.g., in the 'type' field of a CSR
    > attribute and the CsrAttrs structure does not have any other field
    > where a subject Name could be placed.

I guess the question is: is this something we need to fix.
Tracking in: https://github.com/mcr/lamps-rfc7030-csrattrs/issues/9

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [



--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email