Re: [lamps] EST CSR attrs discussion
David von Oheimb <nl0@von-Oheimb.de> Thu, 29 July 2021 20:24 UTC
Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EEA43A0924 for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:24:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bsHhm9I-wtch for <spasm@ietfa.amsl.com>; Thu, 29 Jul 2021 13:24:44 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9E703A0920 for <spasm@ietf.org>; Thu, 29 Jul 2021 13:24:36 -0700 (PDT)
Received: from [192.168.178.100] (dynamic-077-004-041-053.77.4.pool.telefonica.de [77.4.41.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 17EDD421A42; Thu, 29 Jul 2021 22:24:33 +0200 (CEST)
To: Dan Harkins <dharkins@lounge.org>, spasm@ietf.org
References: <e87a9fef-9e8c-d470-a6dc-77684cac0005@lounge.org>
From: David von Oheimb <nl0@von-Oheimb.de>
Message-ID: <4ebd1056-6a64-1048-60c1-97b19dccc378@von-Oheimb.de>
Date: Thu, 29 Jul 2021 22:24:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <e87a9fef-9e8c-d470-a6dc-77684cac0005@lounge.org>
Content-Type: multipart/alternative; boundary="------------2E45FFFD9CD75BB5169E3E9C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/j0lbAPNpe7a7oaPmTivStJSdnY4>
Subject: Re: [lamps] EST CSR attrs discussion
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 20:24:46 -0000
Hi Dan, thank you for your response, which helps clarifying the intention of the EST CSRAttrs feature. At least it makes clear that there was no aim to to give the option to provide concrete values for attributes. They may have have been useful/needed, though, to state for instance that the subject DN should include a certain organization name, location, etc. Note that there are CAs around where policies can be defined giving constrains on such fields that must be adhered to by cert requestors. It also confirms my criticism that the whole construct is entirely ad-hoc. That is, the attributes provided do not have a clear meaning. There are just some examples that give some hints how certain OIDs and related values can be interpreted. Since there is no systematic definition, the implementors of the server and client side need to seek agreement beforehand on each attribute potentially used. There are also ambiguities on the values - for instance, it is intuitive that the integer that may follow the rsaEncryption OID should be interpreted as the modulus size in bits, but it could also be seen as the public exponent to use, for instance, or the width of a SHA algorithm to use for RSA signatures, or whatever. Also the mix of OIDs in the extensionRequest sub-sequence is a bit strange, where e.g, the serialNumber OID makes little sense within an X.509 extension. It was likely meant as a specifier of an RDN to include in the subject to be certified, but such a guessing could go wrong, and technically it would fit also in other contexts, for instance an issuer field potentially included in the CSR. Moreover, there is the possibility to give conflicting requirements, such as ecdsaWithSHA384 and SHA256, and there is no specification how to avoid or handle such situations. Still with some goodwill the feature can be used, which boils down to having to hard-code the interpretation consistently in all potential client and the server(s). Yet this is not interoperable. Regards, David On 29.07.21 20:31, Dan Harkins wrote: > > Hi, > > Sorry, I wasn't aware that this issue was being discussed and I wasn't > on the lamps/spasm list. But I'm largely responsible-- i.e. to blame-- > for > the CSR Attrs text in RFC 7030 so perhaps I can try and explain. > > The intent of the CSR Attrs request is for the RA to ask the client > to construct the CSR in some particular way, not to impose values on > particular fields. > > As a for-instance, the RA could ask the client to: > > 1. generate a public key in the NIST p384 curve; > 2. use ECDSA w/SHA384 to sign > 3. include the challengePassword > 4. include an extension with the device's serial number, a subject alt > name, and its favorite drink > > by sending the following base64-encoded blob: > > ME4GCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMCMGCSqGSIb3DQEJDjEWBgNVBAUGA1UdEQYKCZImiZPyLGQBBQYIKoZIzj0EAwM > > > That gets ASN.1 decoded as: > > SEQUENCE (4 elem) > OBJECT IDENTIFIER 1.2.840.113549.1.9.7 challengePassword (PKCS #9) > SEQUENCE (2 elem) > OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public > key type) > SET (1 elem) > OBJECT IDENTIFIER 1.3.132.0.34 secp384r1 (SECG (Certicom) named > elliptic curve) > SEQUENCE (2 elem) > OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 > via CRMF) > SET (3 elem) > OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component) > OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension) > OBJECT IDENTIFIER 0.9.2342.19200300.100.1.5 (favorite drink) > OBJECT IDENTIFIER 1.2.840.10045.4.3.3 ecdsaWithSHA384 (ANSI X9.62 > ECDSA algorithm with SHA384) > > And the client produces a CSR with an extension that gives its serial > number, > some alternative name, and whatever drink it prefers. The idea isn't > that the > RA would say, "your serial number is 279372 and you like scotch", it's > "what > is your serial number and favorite drink?". > > If the RA wanted a particular length of RSA key, let's say of 3072 > bits, to > sign with a hash function appropriate for that bit length, and include > the > challengePassword it would ask thusly: > > MCkGCSqGSIb3DQEJBzARBgkqhkiG9w0BAQExBAICDAAGCSqGSIb3DQEBCw== > > which gets decoded as: > > SEQUENCE (3 elem) > OBJECT IDENTIFIER 1.2.840.113549.1.9.7 challengePassword (PKCS #9) > SEQUENCE (2 elem) > OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1) > SET (1 elem) > INTEGER 3072 > OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption > (PKCS #1) > > The idea is, this is a request to the client on how to generate a > CSR in > the form that the CA expects/wants. One asks what a subject > alternative name > would be, it doesn't impose one on the client. > > That was the intent anyway. And that's how I implemented it in my EST > reference implementation. > > regards, > > Dan. >
- [lamps] EST CSR attrs discussion Dan Harkins
- Re: [lamps] EST CSR attrs discussion David von Oheimb
- Re: [lamps] EST CSR attrs discussion Dan Harkins
- Re: [lamps] EST CSR attrs discussion David von Oheimb
- Re: [lamps] EST CSR attrs discussion Eliot Lear
- Re: [lamps] EST CSR attrs discussion David von Oheimb
- Re: [lamps] EST CSR attrs discussion Michael Richardson
- Re: [lamps] EST CSR attrs discussion Michael Richardson
- [lamps] LAMPS virtual interim for EST CSR Attrs d… Russ Housley
- Re: [lamps] EST CSR attrs discussion David von Oheimb