Re: [lamps] LAMPS sample keys and certificates
Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 18 November 2019 23:32 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5F9B120B48 for <spasm@ietfa.amsl.com>; Mon, 18 Nov 2019 15:32:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.406
X-Spam-Level:
X-Spam-Status: No, score=-1.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.244, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qu2w5od6mUko for <spasm@ietfa.amsl.com>; Mon, 18 Nov 2019 15:32:36 -0800 (PST)
Received: from mail-ed1-f49.google.com (mail-ed1-f49.google.com [209.85.208.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D24212018B for <spasm@ietf.org>; Mon, 18 Nov 2019 15:32:36 -0800 (PST)
Received: by mail-ed1-f49.google.com with SMTP id t11so9412395eds.13 for <spasm@ietf.org>; Mon, 18 Nov 2019 15:32:36 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ob02lV9W9vmL6OwdFi8vtkYkfe0ufS/aglXmb+rIG7E=; b=Aov197xwZ9EEeZDQkoJjn+bSbiX0udvJ8fADuSvfisYPbe8DXC59+gqSIvwpNyUpmR xDbQzQNaKJZriffSeKWbQAWQeN5W3IDNZbf8htrUjTGOw5j3MyYEGjyBGI6DLdOuxtwl uB6QajYKvqE/4NbqFtHqQyGGdhJjzSSztZdeA5mWHgOAPkyh6tg2K7qh3XB2gZfBI4W8 FMhjTRfuIOMvL+ZfQhfuDBtikJI9tYwJ0LNWz1GgeXjH/HyJ4WQ08jBNNVz+bGvz0yjS 6MKkYKPr/9wL4GckuTb76NxH8RbxdBHt3dan7OCBnu6c/U15bDi4b90y+vth5PHAw3Vn RWVQ==
X-Gm-Message-State: APjAAAUgG0E9+dPNzlXkf4HvMLM8OWI8iQHzbIjFm1QQbPcydxtntAJQ KVAVPUu7BBfXa0kCOVgudGORsYVb
X-Google-Smtp-Source: APXvYqyfMN9jTqZWDnUIE+TQC65DnmsKnFEMoahJ164oJ5t8rTuiyZ5XPXV6ze/sMpovfu68ex9IKQ==
X-Received: by 2002:a17:906:1c59:: with SMTP id l25mr29882357ejg.98.1574119954207; Mon, 18 Nov 2019 15:32:34 -0800 (PST)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com. [209.85.221.48]) by smtp.gmail.com with ESMTPSA id 91sm1067035eda.1.2019.11.18.15.32.33 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 18 Nov 2019 15:32:34 -0800 (PST)
Received: by mail-wr1-f48.google.com with SMTP id l7so21594284wrp.6 for <spasm@ietf.org>; Mon, 18 Nov 2019 15:32:33 -0800 (PST)
X-Received: by 2002:a5d:61c6:: with SMTP id q6mr2478501wrv.13.1574119953746; Mon, 18 Nov 2019 15:32:33 -0800 (PST)
MIME-Version: 1.0
References: <878sodm0j3.fsf@fifthhorseman.net>
In-Reply-To: <878sodm0j3.fsf@fifthhorseman.net>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 18 Nov 2019 18:32:22 -0500
X-Gmail-Original-Message-ID: <CAErg=HFkRcdx+Eo7OMn=sesq-kE36O4gjnv4FeSWRMXTAfU=hg@mail.gmail.com>
Message-ID: <CAErg=HFkRcdx+Eo7OMn=sesq-kE36O4gjnv4FeSWRMXTAfU=hg@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad511a0597a75c35"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dIwzTTAHApyKdoqnY6Xo4CjDTCk>
Subject: Re: [lamps] LAMPS sample keys and certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 23:32:41 -0000
On Mon, Nov 18, 2019 at 5:52 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > Hi all-- > > I've just published: > > https://www.ietf.org/id/draft-dkg-lamps-samples-00.html > > This draft contains sample X.509v3 certificates, and corresponding > secret keys for a sample CA, and for two e-mail users, Alice and Bob. > It provides the certificates and keys in PEM-encoded form and (for Alice > and Bob) in PKCS#12 bundles, so they should be relatively easy to > import. > > My hope is that they are useful for generating and interpreting sample > S/MIME (CMS) messages, and part of a larger plan to generate test > vectors that will be useful in demonstrating protected header behavior > on existing clients. > > I'd appreciate any feedback or suggestions on the draft and the sample > keys and certificates and PKCS#12 files. > > I'm currently building the draft from the git repo at > https://gitlab.com/dkg/lamps-samples -- editorial patches, issues, etc > are welcome at the gitlab interface, though i would prefer if any > substantive issues are also addressed to the list here. > > --dkg > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm Overall, I’m wildly supportive of examples and test vectors that help build interop, whether in I-D form or otherwise. PKITS, for all its flaws, has been profoundly useful in this space. One of the challenges with such approaches is ensuring deterministic outputs as well as negative cases. I noticed your approach, using certtool, makes it a bit difficult on both of those dimensions. That is, the encoding may change due to the version or certtool, and that it’s (rightfully) increasingly hard to have good tools do bad things. In the spirit of how many in the TLS-WG have found tools like BoGo ( https://github.com/google/boringssl/blob/master/ssl/test/PORTING.md ) helpful in building consensus and interop, and at the risk of suggesting a blue bikeshed, have you considered adopting something similar in tooling? Over in Chrome, one of the tools we use for both positive and negative testing, with deterministic output, is https://github.com/google/der-ascii . I realize the complexities of CMS and BER make this a more nuanced situation, but I highlight as a possible foundation to build deterministic “good” inputs, as well as “mangled-but-well-formed” and “garbage-but-reflective-of-real-world” scenarios. Just $.02 of feedback, since I suspect the cost to switch, if it does turn out to be useful, will grow as more examples are added. <https://www.ietf.org/mailman/listinfo/spasm>
- [lamps] LAMPS sample keys and certificates Daniel Kahn Gillmor
- Re: [lamps] LAMPS sample keys and certificates Ryan Sleevi
- Re: [lamps] LAMPS sample keys and certificates Carl Wallace
- Re: [lamps] LAMPS sample keys and certificates Salz, Rich
- Re: [lamps] LAMPS sample keys and certificates Daniel Kahn Gillmor
- Re: [lamps] LAMPS sample keys and certificates Sean Turner
- Re: [lamps] LAMPS sample keys and certificates Daniel Kahn Gillmor
- Re: [lamps] LAMPS sample keys and certificates Russ Housley
- Re: [lamps] LAMPS sample keys and certificates Russ Housley
- Re: [lamps] LAMPS sample keys and certificates Daniel Kahn Gillmor
- Re: [lamps] LAMPS sample keys and certificates Russ Housley
- Re: [lamps] LAMPS sample keys and certificates Daniel Kahn Gillmor
- Re: [lamps] LAMPS sample keys and certificates Russ Housley
- Re: [lamps] LAMPS sample keys and certificates Daniel Kahn Gillmor
- Re: [lamps] LAMPS sample keys and certificates Russ Housley