Re: [lamps] EST CSR attrs discussion
David von Oheimb <nl0@von-Oheimb.de> Sat, 31 July 2021 11:53 UTC
Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DF53A2366 for <spasm@ietfa.amsl.com>; Sat, 31 Jul 2021 04:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xixqloW7HtI1 for <spasm@ietfa.amsl.com>; Sat, 31 Jul 2021 04:53:16 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F2AA3A2365 for <spasm@ietf.org>; Sat, 31 Jul 2021 04:53:15 -0700 (PDT)
Received: from [192.168.178.115] (dynamic-077-002-022-051.77.2.pool.telefonica.de [77.2.22.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id B6502421B53; Sat, 31 Jul 2021 13:53:12 +0200 (CEST)
From: David von Oheimb <nl0@von-Oheimb.de>
To: Dan Harkins <dharkins@lounge.org>
Cc: spasm@ietf.org
References: <e87a9fef-9e8c-d470-a6dc-77684cac0005@lounge.org> <4ebd1056-6a64-1048-60c1-97b19dccc378@von-Oheimb.de> <77676dac-5e82-f917-88f2-53b1f0329bb1@lounge.org> <f62bb2aa-bbbb-d7c1-0f36-5984aadf50e6@von-Oheimb.de>
Message-ID: <09fd7f13-5e73-b637-9851-5395c7f6e053@von-Oheimb.de>
Date: Sat, 31 Jul 2021 13:53:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <f62bb2aa-bbbb-d7c1-0f36-5984aadf50e6@von-Oheimb.de>
Content-Type: multipart/alternative; boundary="------------52518D974C96643F2044B2FE"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dMMZZtd-nJdTvs23NBvE-30oHgs>
Subject: Re: [lamps] EST CSR attrs discussion
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 11:53:22 -0000
P.S. I've just checked: Also PKCS#10 (RFC 2986 and 5967) fails to specify how to avoid or handle conflicting attributes. Yet this can be done easily (like done, e.g., for X.509v3 extensions in RFC 5280): there must not be more than one instance of a particular attribute. Regarding the example of potentially conflicting requirements I gave as part of my below criticism of RFC 7030 section 4.5.2 <https://datatracker.ietf.org/doc/html/rfc7030#section-4.5.2>, those kinds of conflicts cannot happen for the solution I sketched yesterday because it provides only one place to specify a public-key algorithm or a signature algorithm, which prevents contradicting values. David On 30.07.21 08:01, David von Oheimb wrote: > Hi Dan, > > On 29.07.21 22:47, Dan Harkins wrote: >> CSR Attrs isn't the tool for you obviously. > > yes, and unfortunately also others have their difficulties with it, as > the e-mail discussion that we recently had here shows. > Part of the trouble is the verbatim but in-consequent re-use of the > rather incomprehensible ASN.1 declaration from RFC 2986: > > Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { > type ATTRIBUTE.&id({IOSet}), > values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } > > In RFC 7030 you gave a very good and useful design idea: > > The structure of the CSR Attributes Response SHOULD, to the greatest > extent possible, reflect the structure of the CSR it is requesting. > > but for some reason this was not really followed there. > >> If you want to impose some naming structure on particular fields of >> the CSR on the entity constructing a CSR then >> you'll have to define your own tool with an unambiguous systematic >> definition, >> making sure it fits other contexts and doesn't allow conflicting >> requirements. > > Indeed, and as I wrote early this month, this would have been possible > to do in a rather straightforward way. > To be more concrete: you could have taken the relevant portions of > > CertificationRequestInfo ::= SEQUENCE { > version INTEGER { v1(0) } (v1,...), > subject Name, > subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, > attributes [0] Attributes{{ CRIAttributes }} > } > > CertificationRequest ::= SEQUENCE { > certificationRequestInfo CertificationRequestInfo, > signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }}, > signature BIT STRING > } > > for instance as follows: > > CsrAttrSpec ::= SEQUENCE { > subject Name OPTIONAL, > subjectPKAlg [0] PKInfoAlgorithms OPTIONAL, > attributes Attributes{{ CRIAttributes }}, > signatureAlg AlgorithmIdentifier{{ SignatureAlgorithms }} OPTIONAL > } > > and then specified that concrete values of given attributes can be > left out (or replaced by empty strings) > in order to indicate that the client is supposed to fill them in. > This would have provided a straightforward and unambiguous way of > specifying CSR contents, optionally including values, > and indirectly would have provided a way of avoiding/handling > conflicts in the same way as (hopefully) done for PKCS#10. > >> I'm excited to see it! > > See above. > > The only place that I am aware of where the above idea has been > followed is the reuse of the CRMF cert request template structure > for specifying CSR attributes in CMP: > https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#section-4.3.3 > > David > > >> >> On 7/29/21 1:24 PM, David von Oheimb wrote: >>> Hi Dan, >>> >>> thank you for your response, which helps clarifying the intention of >>> the EST CSRAttrs feature. >>> >>> At least it makes clear that there was no aim to give the option to >>> provide concrete values for attributes. >>> They may have have been useful/needed, though, to state for instance >>> that the subject DN should include a certain organization name, >>> location, etc. >>> Note that there are CAs around where policies can be defined giving >>> constrains on such fields that must be adhered to by cert requestors. >>> >>> It also confirms my criticism that the whole construct is entirely >>> ad-hoc. That is, the attributes provided do not have a clear meaning. >>> There are just some examples that give some hints how certain OIDs >>> and related values can be interpreted. >>> Since there is no systematic definition, the implementors of the >>> server and client side need to seek agreement beforehand on each >>> attribute potentially used. >>> There are also ambiguities on the values - for instance, it is >>> intuitive that the integer that may follow the rsaEncryption OID >>> should be interpreted as the modulus size in bits, but it could also >>> be seen as the public exponent to use, for instance, or the width of >>> a SHA algorithm to use for RSA signatures, or whatever. >>> Also the mix of OIDs in the extensionRequest sub-sequence is a bit >>> strange, where e.g, the serialNumber OID makes little sense within >>> an X.509 extension. >>> It was likely meant as a specifier of an RDN to include in the >>> subject to be certified, but such a guessing could go wrong, and >>> technically it would fit also in other contexts, for instance an >>> issuer field potentially included in the CSR. >>> Moreover, there is the possibility to give conflicting requirements, >>> such as ecdsaWithSHA384 and SHA256, and there is no specification >>> how to avoid or handle such situations. >>> Still with some goodwill the feature can be used, which boils down >>> to having to hard-code the interpretation consistently in all >>> potential clients and the server(s). Yet this is not interoperable. >>> >>> Regards, >>> David >>> >>> >>> >>> On 29.07.21 20:31, Dan Harkins wrote: >>>> >>>> Hi, >>>> >>>> Sorry, I wasn't aware that this issue was being discussed and I >>>> wasn't >>>> on the lamps/spasm list. But I'm largely responsible-- i.e. to >>>> blame-- for >>>> the CSR Attrs text in RFC 7030 so perhaps I can try and explain. >>>> >>>> The intent of the CSR Attrs request is for the RA to ask the client >>>> to construct the CSR in some particular way, not to impose values on >>>> particular fields. >>>> >>>> As a for-instance, the RA could ask the client to: >>>> >>>> 1. generate a public key in the NIST p384 curve; >>>> 2. use ECDSA w/SHA384 to sign >>>> 3. include the challengePassword >>>> 4. include an extension with the device's serial number, a >>>> subject alt >>>> name, and its favorite drink >>>> >>>> by sending the following base64-encoded blob: >>>> >>>> ME4GCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMCMGCSqGSIb3DQEJDjEWBgNVBAUGA1UdEQYKCZImiZPyLGQBBQYIKoZIzj0EAwM >>>> >>>> >>>> That gets ASN.1 decoded as: >>>> >>>> SEQUENCE (4 elem) >>>> OBJECT IDENTIFIER 1.2.840.113549.1.9.7 challengePassword (PKCS #9) >>>> SEQUENCE (2 elem) >>>> OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 >>>> public key type) >>>> SET (1 elem) >>>> OBJECT IDENTIFIER 1.3.132.0.34 secp384r1 (SECG (Certicom) >>>> named elliptic curve) >>>> SEQUENCE (2 elem) >>>> OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS >>>> #9 via CRMF) >>>> SET (3 elem) >>>> OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component) >>>> OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension) >>>> OBJECT IDENTIFIER 0.9.2342.19200300.100.1.5 (favorite drink) >>>> OBJECT IDENTIFIER 1.2.840.10045.4.3.3 ecdsaWithSHA384 (ANSI X9.62 >>>> ECDSA algorithm with SHA384) >>>> >>>> And the client produces a CSR with an extension that gives its >>>> serial number, >>>> some alternative name, and whatever drink it prefers. The idea >>>> isn't that the >>>> RA would say, "your serial number is 279372 and you like scotch", >>>> it's "what >>>> is your serial number and favorite drink?". >>>> >>>> If the RA wanted a particular length of RSA key, let's say of >>>> 3072 bits, to >>>> sign with a hash function appropriate for that bit length, and >>>> include the >>>> challengePassword it would ask thusly: >>>> >>>> MCkGCSqGSIb3DQEJBzARBgkqhkiG9w0BAQExBAICDAAGCSqGSIb3DQEBCw== >>>> >>>> which gets decoded as: >>>> >>>> SEQUENCE (3 elem) >>>> OBJECT IDENTIFIER 1.2.840.113549.1.9.7 challengePassword (PKCS #9) >>>> SEQUENCE (2 elem) >>>> OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1) >>>> SET (1 elem) >>>> INTEGER 3072 >>>> OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption >>>> (PKCS #1) >>>> >>>> The idea is, this is a request to the client on how to generate a >>>> CSR in >>>> the form that the CA expects/wants. One asks what a subject >>>> alternative name >>>> would be, it doesn't impose one on the client. >>>> >>>> That was the intent anyway. And that's how I implemented it in my >>>> EST >>>> reference implementation. >>>> >>>> regards, >>>> >>>> Dan.
- [lamps] EST CSR attrs discussion Dan Harkins
- Re: [lamps] EST CSR attrs discussion David von Oheimb
- Re: [lamps] EST CSR attrs discussion Dan Harkins
- Re: [lamps] EST CSR attrs discussion David von Oheimb
- Re: [lamps] EST CSR attrs discussion Eliot Lear
- Re: [lamps] EST CSR attrs discussion David von Oheimb
- Re: [lamps] EST CSR attrs discussion Michael Richardson
- Re: [lamps] EST CSR attrs discussion Michael Richardson
- [lamps] LAMPS virtual interim for EST CSR Attrs d… Russ Housley
- Re: [lamps] EST CSR attrs discussion David von Oheimb