Re: [lamps] ASN.1 Module in draft-ietf-lamps-cmp-updates

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 26 April 2021 06:52 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qbQoInZNOwOP-3NeXaBycH7gfWM>

Russ

Thank you for your review and feedback.
David and I plan to provide a new version of CMP Updates by the end of this week to address the changes from IETF 110. We will also cover the below issues then.

> From: Russ Housley <housley@vigilsec.com>
> Sent: Friday, 23 April 2021 20:06
> 
> Hendrik:
> 
> I do not understand how the AlgIdCtrl works.  Can you provide more text in the
> document?  Is it about the subject public key?  Is it about the signature algorithm
> to be used by the CA?

The purpose of AlgIdCtrl is to provide the algorithm specification the end entity should use for generating its new key pair.
We discussed the concept of the new controls in thread "dtaft-ietf-lamps-cmp-updates and rsaKeyLen".

The current text is:
5.3.19.16.  Certificate Request Template
   This MAY be used by the client to get a template containing
   requirements for certificate request attributes and extensions and
   optionally a specification for the key pair to generate for a future
   certificate request operation.

I could change this to:
5.3.19.16.  Certificate Request Template
   This MAY be used by the client to get a template containing
   requirements for certificate request attributes and extensions.
   The controls id-regCtrl-algId and id-regCtrl-rsaKeyLen MAY contain 
   details on the algorithms whose subject public key values the CA is
   willing to certify.

Is this clearer?
More details on the usage will be provided in the Lightweight CMP Profile document.

> 
> 
> I had a few minutes to look at Appendix A.2.  It needs work.  I have not yet
> gotten to the point that the module will compile, but these things need to be
> corrected.  There may be more that I find as I continue to work through the
> module.
> 
> 
> 1. I suggest that the module name be changed to "PKIXCMP-2021".  This seems
> appropriate since a new version of the protocol is defined.

OK, I will change this.

> 
> 2. There is a missing comma:
> 
>    RootCaKeyUpdateContent ::= SEQUENCE {
>       newWithNew       CMPCertificate,
>      ...

Thanks
I will also change this in the 1988 ASN.1 Module in Appendix A1.

> 
> 3. This does not work with the definition of AlgorithmIdentifier from RFC 5912:
> 
>    id-regCtrl-algId OBJECT IDENTIFIER ::= { id-regCtrl TBD3 }
>    AlgIdCtrl ::= AlgorithmIdentifier

I will change this to 
id-regCtrl-algId OBJECT IDENTIFIER ::= { id-regCtrl TBD3 }
AlgIdCtrl ::= AlgorithmIdentifier{{...}}

This does not need to be changed in the 1988 ASN.1 Module in Appendix A1, right?

> 
> 4. Incorrect Syntax: s/Integer/INTEGER/
> 
>    id-regCtrl-rsaKeyLen OBJECT IDENTIFIER ::= { id-regCtrl TBD4 }
>    RsaKeyLenCtrl ::= Integer

Thanks
I will also change this in the 1988 ASN.1 Module in Appendix A1.

> 
> 5. You do not mean to end these comments with the second "--".  Maybe use "-"
> for the indented one:
> 
>    --   id-it-revPassphrase    OBJECT IDENTIFIER ::= {id-it 12}
>    --      RevPassphraseValue      ::= EncryptedKey
>    --      -- Changed from Encrypted Value to EncryptedKey as a CHOICE
>    --      -- of EncryptedValue and EnvelopedData due to the changes
>    --      -- made in CMP Updates [thisRFC]
>    --      -- Using the choice EncryptedValue is bit-compatible to
>    --      -- the syntax without this change
> 
>    --   id-it-caCerts OBJECT IDENTIFIER ::= { id-it 17}
>    --      CaCertsValue ::= SEQUENCE OF CMPCertificate
>    --      -- id-it-caCerts added in CMP Updates [thisRFC]
> 
>    --   id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= { id-it 18}
>    --      RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
>    --      -- id-it-rootCaKeyUpdate added in CMP Updates [thisRFC]
> 
>    --   id-it-certReqTemplate OBJECT IDENTIFIER ::= { id-it 19}
>    --      CertReqTemplateValue ::= CertReqTemplateContent
>    --      -- id-it-certReqTemplate added in CMP Updates [thisRFC]

Right, I was not aware that the second '--' will end the comment. I will change it accordingly.
I will also change this in the 1988 ASN.1 Module in Appendix A1.

Hendrik
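
The comment rule behind item 5, as an added example that is not part of the message or of the draft: in ASN.1 a "--" comment ends at the next "--" or at the end of the line, so text after a second "--" becomes active module text again. The function names are hypothetical, the sample lines are copied from the quoted module, and the sketch assumes no "/* */" comments or quoted strings.

```python
def active_text(line: str) -> str:
    """Return what an ASN.1 compiler still sees on one line after comment removal.

    A "--" comment runs to the next "--" or to end of line, whichever is first.
    Assumption: no "/* */" comments and no quoted strings on the line.
    """
    kept = []
    pos = 0
    while True:
        start = line.find("--", pos)
        if start == -1:              # no further comment: rest of line is active
            kept.append(line[pos:])
            break
        kept.append(line[pos:start])
        end = line.find("--", start + 2)
        if end == -1:                # comment runs to end of line
            break
        pos = end + 2                # second "--" closed the comment
    return " ".join("".join(kept).split())


def leaked_comment_lines(module_text: str):
    """List (line number, leaked text) for lines that begin with "--" but
    still contain active text, i.e. a comment that was closed by accident."""
    findings = []
    for number, line in enumerate(module_text.splitlines(), start=1):
        if line.lstrip().startswith("--"):
            leaked = active_text(line)
            if leaked:
                findings.append((number, leaked))
    return findings


# Lines as quoted in item 5 of the message.
QUOTED = "\n".join([
    "   --   id-it-revPassphrase    OBJECT IDENTIFIER ::= {id-it 12}",
    "   --      RevPassphraseValue      ::= EncryptedKey",
    "   --      -- Changed from Encrypted Value to EncryptedKey as a CHOICE",
    "   --      -- of EncryptedValue and EnvelopedData due to the changes",
])

# Same lines with the suggested single "-" for the indented remark.
FIXED = QUOTED.replace("--      -- ", "--      - ")

if __name__ == "__main__":
    for number, text in leaked_comment_lines(QUOTED):
        print(f"line {number}: compiler would parse: {text!r}")
    print("after fix:", leaked_comment_lines(FIXED))
```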