Re: [lamps] EST CSRATTRS specifying the SAN

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 07 July 2021 12:43 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: David von Oheimb <nl0@von-Oheimb.de>, Michael Richardson <mcr+ietf@sandelman.ca>, Russ Housley <housley@vigilsec.com>, Sean Turner <sean@sn3rd.com>, Eliot Lear <lear@lear.ch>
CC: SPASM <spasm@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [lamps] EST CSRATTRS specifying the SAN
Date: Wed, 07 Jul 2021 12:43:07 +0000
Message-ID: <A30A91FC-4737-42DC-8699-32CCBA5EA371@ll.mit.edu>
References: <83844291-5785-434E-8956-3FF81ECD761C@cisco.com> <9820.1618358856@localhost> <MW3PR11MB47462121627A10A62E006497DB369@MW3PR11MB4746.namprd11.prod.outlook.com> <26435.1623269725@localhost> <25C432F7-EDEE-4FEA-B871-5D7F9311BBF7@sn3rd.com> <6e29b64d-0bc0-d129-beff-4072a482cfbd@von-Oheimb.de> <2219.1625510251@localhost> <bf91794a-d8d9-6319-627d-e83fa8b2b399@von-Oheimb.de> <667059c8-1e2b-7896-df05-b08f3433a63e@von-Oheimb.de>
In-Reply-To: <667059c8-1e2b-7896-df05-b08f3433a63e@von-Oheimb.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/pX0EhRHZ5XyQJLOUGcKe-0TtaA8>

> Yet what can be done is to (ab-)use one or more of those Attribute structures as elements of CsrAttrs to specify concrete values for individual sub-components of the subject DN,
> namely single attributes of RDNs, e.g.,
>              SEQUENCE {
>                OBJECT IDENTIFIER commonName (2 5 4 3)
>                UTF8String "myHostname"
>                }
> and
>              SEQUENCE {
>                OBJECT IDENTIFIER serialNumber (2 5 4 5)
>                PrintableString "JABA1234"
>                }
> Note that in this way one cannot express a particular desired structure of RDNs for the subject DN.
>
> At least the above is implementable.
>
> (BTW, the general structure of DNs being a sequence of RDNs, each of which can contain a set of name attributes, see https://datatracker.ietf.org/doc/html/rfc2253#section-2
> is a rather weird thing that is hardly understood and not always implemented correctly/completely, but that's a different story).

Is that “weird thing” even necessary?  I feel like dumping a lot of accumulated crust and crud that proved to be more trouble than it seems worth…
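As an added illustration of the point made in the quoted message (example code written for this page, not from the thread or from any EST implementation): a minimal standard-library DER encoder builds the two type/value pairs shown above and then two different subject Names that carry them, one with two single-valued RDNs and one with a single multi-valued RDN. Both Names contain exactly the same two encoded pairs yet differ as DNs, which is why a flat CsrAttrs list of such pairs cannot tell the client which RDN layout the CA wants. The tag constants and OID arcs are from X.690/X.520; the helper names are my own.

```python
def der_len(n: int) -> bytes:
    """DER definite-length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs combined, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))

SEQUENCE, SET, UTF8STRING, PRINTABLESTRING = 0x30, 0x31, 0x0C, 0x13
CN, SERIAL = "2.5.4.3", "2.5.4.5"  # id-at-commonName, id-at-serialNumber

def atv(type_oid: str, value: str, string_tag: int) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }, the shape quoted above."""
    return tlv(SEQUENCE, oid(type_oid) + tlv(string_tag, value.encode("ascii")))

def csr_attrs_elements() -> list[bytes]:
    """The two CsrAttrs elements from the quoted message as individual DER items."""
    return [atv(CN, "myHostname", UTF8STRING), atv(SERIAL, "JABA1234", PRINTABLESTRING)]

def rdn(*atvs: bytes) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue (DER sorts the members)."""
    return tlv(SET, b"".join(sorted(atvs)))

def name_two_rdns() -> bytes:
    """Name with commonName and serialNumber as two separate single-valued RDNs."""
    cn, sn = csr_attrs_elements()
    return tlv(SEQUENCE, rdn(cn) + rdn(sn))

def name_one_multivalued_rdn() -> bytes:
    """Name with commonName and serialNumber together in one multi-valued RDN."""
    cn, sn = csr_attrs_elements()
    return tlv(SEQUENCE, rdn(cn, sn))

def rdn_structure_is_ambiguous() -> bool:
    """True iff both Name shapes embed exactly the quoted pairs yet differ as DNs."""
    both = all(e in name_two_rdns() and e in name_one_multivalued_rdn() for e in csr_attrs_elements())
    return both and name_two_rdns() != name_one_multivalued_rdn()
```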