Re: [lamps] is the CSRattr ASN.1 broken or not ... Re: New Version Notification for draft-richardson-lamps-rfc7030-csrattrs-02.txt

David von Oheimb <David.von.Oheimb@siemens.com> Wed, 06 April 2022 06:34 UTC

Message-ID: <90fa7fd25ca1d44fc1a2935a6d28209600e9cb72.camel@siemens.com>
From: David von Oheimb <David.von.Oheimb@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Sean Turner <sean@sn3rd.com>, Dan Harkins <dharkins@lounge.org>
CC: LAMPS WG <spasm@ietf.org>, Owen Friel <ofriel@cisco.com>
Date: Wed, 6 Apr 2022 08:33:33 +0200
In-Reply-To: <27441.1649182739@localhost>
References: <164667410940.12091.15394112688281514126@ietfa.amsl.com> <15416.1646681868@localhost> <D095D84D-9633-44BB-AA6F-440B8BC00F68@sn3rd.com> <5cfb6e20b225da072695a4f13088a8065203ca4e.camel@siemens.com> <27441.1649182739@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/fVPYQNQdzqoRWiwvmmflTJEF1N4>

On Tue, 2022-04-05 at 14:18 -0400, Michael Richardson wrote:
> 
>     >> b) We picked the wrong kind of attribute to request macAddress from the
>     >> client. I cannot remember if it's supposed to be a naming component or
>     >> an actual extension?
> 
>     > Apart from the two possibilities I just gave, I do not see how else,
>     > given the CsrAttrs syntax,
>     > one should have requested a macAddress X.509 extension where the value
>     > is to be filled by the client.
> 
> It's a good question.
> I liked the notion that it's an empty content, but then... is an empty
> content ever valid?

I'd say yes, in the following sense:
It's syntactically valid, and semantically it makes clear that the server did not provide a value,
which conveys the requirement that the value shall be filled in by the client.

Here is a new thought: an alternative way of cleanly giving both the option to provide X.509 extensions with values and others without values:

Have two OIDs for attribute types requiring the inclusion of X.509 extensions:
* one (likely) being extensionRequest (1.2.840.113549.1.9.14), and
* a second one that likely needs to be newly defined.

One of these two OIDs would be followed by a structure of the existing type Extension (which contains the actual extension value) to be included in the CSR,
and the other one would be followed just by an OID stating the type of an X.509 extension to be included in the CSR, with the client filling in its value.

Also, this solution does not require changes to the CsrAttrs type declaration given in RFC 7030.

David
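The two-OID layout described above, as an added example that is not code from the thread or from the draft: a hand-rolled DER encoder and decoder for RFC 7030 CsrAttrs, where one entry carries a complete Extension under extensionRequest and the other names only an extension type for the client to fill in. The second attribute-type OID 1.3.6.1.4.1.99999.1 is a placeholder (none is defined), and keyUsage and subjectAltName are sample extension types chosen here.

```python
# Added illustration, not code from the thread: hand-rolled DER for RFC 7030 CsrAttrs showing
# the two-OID proposal. 1.3.6.1.4.1.99999.1 is a PLACEHOLDER for the "newly defined" OID.
ID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest (from the thread)
ID_EXT_TYPE_REQUEST = "1.3.6.1.4.1.99999.1"     # PLACEHOLDER, hypothetical second OID
ID_CE_KEY_USAGE, ID_CE_SAN = "2.5.29.15", "2.5.29.17"  # sample extension types

def der_len(n):  # DER length octets, short or long form
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def oid(dotted):  # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = [0x80 | (a & 0x7F)] + chunk, a >> 7
        out += chunk
    return tlv(0x06, bytes(out))

def extension(ext_oid, extn_value):  # Extension; critical DEFAULT FALSE is omitted in DER
    return tlv(0x30, oid(ext_oid) + tlv(0x04, extn_value))
def attribute(attr_type, value):  # Attribute ::= SEQUENCE { type OID, values SET OF ANY }
    return tlv(0x30, oid(attr_type) + tlv(0x31, value))
def build_sample():  # CsrAttrs ::= SEQUENCE OF AttrOrOID (RFC 7030)
    # entry 1: full Extension supplied (keyUsage = digitalSignature); entry 2: type only, client fills value
    valued = attribute(ID_EXTENSION_REQUEST, extension(ID_CE_KEY_USAGE, tlv(0x03, b"\x07\x80")))
    return tlv(0x30, valued + attribute(ID_EXT_TYPE_REQUEST, oid(ID_CE_SAN)))

def tlv_at(buf, pos):  # decode one TLV -> (tag, body, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
KINDS = {(oid(ID_EXTENSION_REQUEST), b"\x30"): "extension-with-value",
         (oid(ID_EXT_TYPE_REQUEST), b"\x06"): "extension-type-to-fill"}

def classify(csr_attrs_der):  # client view: which entries carry a value, which it must fill in
    _, body, _ = tlv_at(csr_attrs_der, 0)
    kinds, pos = [], 0
    while pos < len(body):
        tag, entry, pos = tlv_at(body, pos)
        if tag == 0x06:  # AttrOrOID.oid: a bare OID rather than an Attribute
            kinds.append("bare-oid")
            continue
        _, attr_type, p = tlv_at(entry, 0)
        values = tlv_at(entry, p)[1]  # SET body; its first byte is the first value's tag
        kinds.append(KINDS.get((tlv(0x06, attr_type), values[:1]), "other"))
    return kinds
```

An Attribute whose SET of values is empty (the "empty content" case from the question) decodes without error and is reported as "other", so a client can treat it separately from the two defined forms.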