IETF Logo Mail Archive

Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen

Russ Housley <housley@vigilsec.com> Fri, 18 September 2020 16:38 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 423CD3A1179 for <spasm@ietfa.amsl.com>; Fri, 18 Sep 2020 09:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m9uwfepjggGv for <spasm@ietfa.amsl.com>; Fri, 18 Sep 2020 09:38:09 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D1493A1178 for <spasm@ietf.org>; Fri, 18 Sep 2020 09:38:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id EFB56300ABD for <spasm@ietf.org>; Fri, 18 Sep 2020 12:38:06 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id yQzWAg-gBS5Z for <spasm@ietf.org>; Fri, 18 Sep 2020 12:38:05 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 4BB5E300AA2; Fri, 18 Sep 2020 12:38:05 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <AM0PR10MB24187AFF8C47A59ED056C070FE3F0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
Date: Fri, 18 Sep 2020 12:38:06 -0400
Cc: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C98DCB2F-6C91-40F0-B2D2-CBA7F1D10A1A@vigilsec.com>
References: <AM0PR10MB2418651EF480383C1FBAD448FE440@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <ECF4A046-3690-4B8A-9851-935CDACA89C2@vigilsec.com> <0368A990-F189-40C0-A63E-5A7CF1F0AD1D@vigilsec.com> <AM0PR10MB24183CEEF92140D72BD00EE8FE3F0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB24187AFF8C47A59ED056C070FE3F0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
X-Mailer: Apple Mail (2.3445.104.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jpoVhioWNv09nMhR0zbBzubPYDw>
Subject: Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 16:38:11 -0000

Hendrik:

>> I am uncertain if this addressing the use case I had in mind. But may be I did
>> not fully understand your suggestion.
>> 
>> I defined id-it-certReqTemplate to offer the EE means to request detailed
>> guideline on the content of a certificate request it whishes to send. The
>> response should include the option to specify the concrete algorithm to
>> generate a key pair for. Therefor a prefilled certTemplate is exactly what we
>> need, plus the key length for RSA keys in rsaKeyLen.
>> The EE does not need to specify the key length of the RSA key in the certificate
>> request itself when sending it to the PKI.
>> 
>> May be it helps, if you explain your use case.
> 
> After discussing your proposal with David, we came up with this suggestion:
> 
> --------------------snip--------------------
> CertReqTemplateContent ::= SEQUENCE {
>   certTemplate           CertTemplate,
>   controls                    Controls OPTIONAL
>   }
> 
> -- Controls  ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
> 
> id-regCtrl-algId OBJECT IDENTIFIER ::= { id-regCtrl TBD3 }
> AlgIdCtrl ::= AlgorithmIdentifier
> 
> id-regCtrl-rsaKeyLen OBJECT IDENTIFIER ::= { id-regCtrl TBD4 }
> RsaKeyLenCtrl ::= Integer
> 
> CertReqTemplateValue contains a prefilled certTemplate to be used for the future certificate request. The SubjectPublicKeyInfo field in the certTemplate MUST NOT be used. In case the PKI management entity wishes to specify supported algorithms, the controls field MUST be used. One AttributeTypeAndValue per supported algorithm MUST be used.
> --------------------snip--------------------
> 
> Does this go into the direction you had in mind?

Yes, and it puts the control in place fo DSA keys, DH keys, and others that might come along that might need parameters at this stage in the processing.

Russ

v2.23.0 | Report a Bug | By Email