Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 18 September 2020 15:18 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
Date: Fri, 18 Sep 2020 15:18:21 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/o7is5UgvVjbCOS3Gyy4PtuCaN6Q>

Russ

> -----Original Message-----
> From: Brockhaus, Hendrik (CT RDA CST SEA-DE)
> 
> Russ
> 
> > -----Original Message-----
> > From: Russ Housley <housley@vigilsec.com>
> >
> > Hendrik:
> >
> > I had another thought about rsaKeyLen.  RFC 4210 uses CertRequest as
> > defined in RFC 4211 in the certificate request, which is:
> >
> >    CertRequest ::= SEQUENCE {
> >       certReqId     INTEGER,        -- ID for matching request and reply
> >       certTemplate  CertTemplate, --Selected fields of cert to be issued
> >       controls      Controls OPTIONAL } -- Attributes affecting issuance
> >
> >    Controls  ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
> >
> > Would it be cleaner to define a new control for the rsaKeyLen?
> >
> > These controls are already set up as an OID followed by one or more
> > attribute values.  So this seems like a very clean way to provide a
> > minimum RSA key size or a set of elliptic curves.
> 
> I am uncertain if this is addressing the use case I had in mind. But maybe I did
> not fully understand your suggestion.
> 
> I defined id-it-certReqTemplate to offer the EE means to request detailed
> guideline on the content of a certificate request it wishes to send. The
> response should include the option to specify the concrete algorithm to
> generate a key pair for. Therefore a prefilled certTemplate is exactly what we
> need, plus the key length for RSA keys in rsaKeyLen.
> The EE does not need to specify the key length of the RSA key in the certificate
> request itself when sending it to the PKI.
> 
> Maybe it helps if you explain your use case.

After discussing your proposal with David, we came up with this suggestion:

--------------------snip--------------------
CertReqTemplateContent ::= SEQUENCE {
   certTemplate           CertTemplate,
   controls               Controls OPTIONAL
   }

-- Controls  ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue

id-regCtrl-algId OBJECT IDENTIFIER ::= { id-regCtrl TBD3 }
AlgIdCtrl ::= AlgorithmIdentifier

id-regCtrl-rsaKeyLen OBJECT IDENTIFIER ::= { id-regCtrl TBD4 }
RsaKeyLenCtrl ::= INTEGER

CertReqTemplateValue contains a prefilled certTemplate to be used for the future certificate request. The SubjectPublicKeyInfo field in the certTemplate MUST NOT be used. In case the PKI management entity wishes to specify supported algorithms, the controls field MUST be used. One AttributeTypeAndValue per supported algorithm MUST be used.
--------------------snip--------------------

Does this go in the direction you had in mind?

Hendrik
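
The controls-based encoding proposed in the message above, as an added example that is not part of the original message or the draft: a Python sketch of how an EE could read the rsaKeyLen controls out of a DER-encoded Controls value and choose a key length. The final OID arcs 98 and 99 are placeholders for the unassigned TBD3 and TBD4, and the `min_bits` local policy and all function names are assumptions.

```python
ID_REGCTRL = bytes.fromhex("2b06010505070501")  # DER body of id-regCtrl, 1.3.6.1.5.5.7.5.1
OID_ALGID = ID_REGCTRL + b"\x62"      # placeholder arc 98: TBD3 is unassigned on the page
OID_RSAKEYLEN = ID_REGCTRL + b"\x63"  # placeholder arc 99: TBD4 is unassigned on the page

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only; the sample is < 128 bytes

def read_tlv(buf, pos):
    """Return (tag, body, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated body")
    return tag, buf[pos:pos + n], pos + n

def offered_rsa_key_lengths(controls_der):
    """Every rsaKeyLen value in a DER-encoded Controls SEQUENCE."""
    tag, seq, end = read_tlv(controls_der, 0)
    if tag != 0x30 or end != len(controls_der):
        raise ValueError("expected exactly one SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        tag, atv, pos = read_tlv(seq, pos)   # one AttributeTypeAndValue
        t_oid, oid, p = read_tlv(atv, 0)
        t_val, val, p = read_tlv(atv, p)
        if tag != 0x30 or t_oid != 0x06 or p != len(atv):
            raise ValueError("malformed AttributeTypeAndValue")
        if oid == OID_RSAKEYLEN:             # algId and unknown controls are skipped here
            if t_val != 0x02 or not val:
                raise ValueError("rsaKeyLen must be an INTEGER")
            found.append(int.from_bytes(val, "big", signed=True))
    return found

def pick_rsa_key_length(controls_der, min_bits=2048):  # min_bits: assumed local EE policy
    ok = [b for b in offered_rsa_key_lengths(controls_der) if b >= min_bits]
    if not ok:
        raise ValueError("no offered RSA key length meets local policy")
    return min(ok)

# Constructed sample: two rsaKeyLen controls plus one algId control (ecPublicKey, P-256).
rsa = lambda bits: tlv(0x30, tlv(0x06, OID_RSAKEYLEN) + tlv(0x02, bits.to_bytes(2, "big")))
ec = tlv(0x30, tlv(0x06, OID_ALGID) + tlv(0x30, bytes.fromhex("06072a8648ce3d020106082a8648ce3d030107")))
SAMPLE = tlv(0x30, rsa(1024) + rsa(3072) + ec)
```

With one AttributeTypeAndValue per supported algorithm, the same control type can appear more than once, so the reader collects all values and applies its own minimum rather than trusting the first one offered.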