Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 06 August 2021 01:10 UTC
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kvF7j4EYyp5icQgRrJLA6AGrwpc>
I wonder if Keychain Access would accept SHA256 MAC. Because it would be nicer if we could stick with SHA2, not encumbering the stack with SHA1 code (and some implementations might have a requirement to exclude "unblessed" algorithms).

TNX

--
Regards,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare

On 8/5/21, 21:05, "Spasm on behalf of Daniel Kahn Gillmor" <spasm-bounces@ietf.org on behalf of dkg@fifthhorseman.net> wrote:

I've just published draft-ietf-lamps-samples-05 after figuring out what i needed to do to make Keychain Access accept the PKCS#12 objects.

The necessary change was to make the PKCS#12 MAC (https://www.rfc-editor.org/rfc/rfc7292.html#appendix-A) use SHA1 instead of SHA512.

I have no idea why Keychain Access would fail when the MAC is SHA512 instead. I have not yet experimented with other digests with Keychain Access.

Before I figured out that this specifically was the issue, i modified the certificate generation code in GnuTLS to account for all the divergences i could account for that were *not* due to indefinite encoding. This included these two differences:

On Wed 2021-08-04 20:48:42 -0400, Daniel Kahn Gillmor wrote:
> a) The order of the certificates and encrypted pkcs8 blobs might
> matter.
>
> b) The absence of the friendlyName on bob.p12[bag[1]] might matter.

And all the rest here:

c) the PKCS-8 keys in the original bob.p12 contain a PKCS#8 Provable Seed attribute (1.3.6.1.4.1.2312.18.8.1) to indicate their origin, but the laundered form does not retain those attributes.

d) the original bob.p12 file has a separate bag with just the certification authority cert in it, whereas bob.laundered.p12 has the CA's cert prepended to both EE bags.

e) embedded PKCS-8 encryption uses different choices for password-based key derivation (both use:
   - laundered: 16 octet salt, 600000 iterations
   - bin: 8 octet salt, 5126 iterations

f) cert bags use different encryption choices:
   - laundered: PKCS12-RC2-40-SHA1 (1.2.840.113549.1.12.1.6), 16-octet salt and 6000000 iterations
   - bin: PKCS12-3DES-SHA1 (1.2.840.113549.1.12.1.3), 8-octet salt and 5301 iterations

g) overall MAC parameters:
   - laundered: 16-octet salt and 600000 iterations;
   - bin: 8-octet salt and 10240 iterations

There is a tremendous amount of multidimensional flexibility in the PKCS#12 spec, so i thought it might be worthwhile to publicly note all the different axes of permutation that i considered before landing on the quirk specific to this particular implementation.

Anyway, i think this particular issue has been resolved for the draft. I'll follow up in a separate thread about what i think remains for the WG here.

--dkg
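
As an added illustration (not code from the draft, GnuTLS or either poster), the following Python implements the RFC 7292 Appendix B.2 key derivation and the PKCS#12 integrity MAC, so that the MAC digest can be varied independently of the salt length and iteration count listed in item g). The dict layout, `verify_mac`, its `supported` allow-list, and the sample password and content are assumptions constructed for the example; the allow-list models an importer that implements only some digests and says nothing about how Keychain Access works internally.

```python
import hashlib
import hmac

def pkcs12_kdf(hash_name, password, salt, iterations, purpose_id, n):
    """RFC 7292 Appendix B.2 derivation; purpose_id 3 yields MAC keying material."""
    h = hashlib.new(hash_name)
    u, v = h.digest_size, h.block_size
    pw = (password + "\0").encode("utf-16-be")  # BMPString plus terminator

    def fill(data):  # repeat data up to a whole number of v-octet blocks
        length = v * ((len(data) + v - 1) // v)
        return (data * (length // len(data) + 1))[:length] if data else b""

    D = bytes([purpose_id]) * v
    I = bytearray(fill(salt) + fill(pw))
    out = b""
    while len(out) < n:
        A = D + bytes(I)
        for _ in range(iterations):
            A = hashlib.new(hash_name, A).digest()
        out += A
        B = int.from_bytes((A * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(I), v):  # I_j = (I_j + B + 1) mod 2^(8v)
            blk = (int.from_bytes(I[j:j + v], "big") + B) % (1 << (8 * v))
            I[j:j + v] = blk.to_bytes(v, "big")
    return out[:n]

def make_mac(hash_name, password, salt, iterations, content):
    """Return a dict standing in for the MacData fields (hypothetical layout)."""
    key = pkcs12_kdf(hash_name, password, salt, iterations, 3,
                     hashlib.new(hash_name).digest_size)
    return {"digest": hash_name, "salt": salt, "iterations": iterations,
            "mac": hmac.new(key, content, hash_name).digest()}

def verify_mac(mac_data, password, content, supported):
    """Hypothetical importer check: 'ok', 'bad-mac' or 'unsupported-digest'."""
    if mac_data["digest"] not in supported:
        return "unsupported-digest"
    expect = make_mac(mac_data["digest"], password, mac_data["salt"],
                      mac_data["iterations"], content)["mac"]
    return "ok" if hmac.compare_digest(expect, mac_data["mac"]) else "bad-mac"

# Constructed sample input: placeholder bytes, not a real AuthenticatedSafe.
PASSWORD = "example-password"
CONTENT = b"constructed authSafe content octets"
SALT8 = bytes(range(8))  # 8-octet salt with 10240 iterations, as in item g) "bin"
MACS = {d: make_mac(d, PASSWORD, SALT8, 10240, CONTENT)
        for d in ("sha1", "sha256", "sha512")}
```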