Re: [lamps] struggling with CSRAttrs
David von Oheimb <David.von.Oheimb@siemens.com> Tue, 02 August 2022 15:05 UTC
Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E91DDC14CF14 for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 08:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.61
X-Spam-Level:
X-Spam-Status: No, score=-4.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SCC_THREE_WORD_MONTY=2.497, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nY0lzbLAp28r for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 08:05:53 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30050.outbound.protection.outlook.com [40.107.3.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2B50C157B5E for <spasm@ietf.org>; Tue, 2 Aug 2022 08:05:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PdBEMFtXzr3i8U6AvspChh3uDj32BMlYjFzv+gcRl/eTWGil53vArwbFHuOLIqF9t645Yy9m+W1emyWRCB+HSPe3ggLdOykNh2VoL/3y0MdwzaE4DUelklvFIP1VMV7XnadP8iAqN60fb4KGV7z9vboj7Z1dJ4wG/06zxM1yvj6RV9/ZghIYqi2HZj37YV3F7o0CP3wI4dQQ/9NoLppU5Z50MAT22KRJo5NSV8ckLDFsJmbrfHaJQ3cuVpZIOw4o0bHmhMDXozToXyCks4dMPDratKWLNb98t29MoySM0Y0WFeVVjrRTpu7h8yj+cfayPDxowSO1rvUdKSpC19JizA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NQc5Sr5tlJdqIL34ARtyh9q1YUBmOtfoxLFO7l8nFSY=; b=RWotShnK1xnpRHqPv48nPbOMWX9GkTlup/lO/Bnvy52ohoTYzno9XLa9wwZpXrb6Cz/ZqhmFbgcTcUGhP1yFDTVLp9z2PXX8yAP2A3CdDf5wWe7zmJq+EaMmMltIS4tpDJ26wln2+EdiKqBYoMhL29jXY1yQtp+ycVCfug9RH4TSzN/76s2eYUUI7uKimeYfc++zs+FvtDV01ft0KayPVT+Naf5/s22Qu8BkQbsoBrofz7I8zvkbgA38JaZZGjfb6PwOwj2ycyoN/yC3qCfM/mO2rVi+WRsHRW2hg5rQkXB03AG/JI68+y2XGy+FVuY40MzI5S8ctqrFwPSd36zbUw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NQc5Sr5tlJdqIL34ARtyh9q1YUBmOtfoxLFO7l8nFSY=; b=tB2garAlO79RGDuB2wgG31gZSPfcSa2FtKc2ffdUSfHj6jG9DKMkzs5+rH2Aj/2M26NADUy28VuQEoIkoVvyWFa6RkMN4IthLaQ6T+DVB0vILYwo6We5h6P+ss7OV88bJjCz9JmumVhjuFj72+Jim0Hd6mkKJnr0p/V29vIaxFyGawnw1lqip7axEYpEcFpc+0ZKCdwehG2FCQn+SAnL24zBoJ5VefrIlXMKv2onYpKWqGM0QU3T2DSYHIS64iILaqf1WNDejLIY5PMfuv7fuJfMsII7pq60tU1uK5pDCYTQDvFCWVXveumnxDvyXyB0SqTYBmJ3nL8Y8TU+CTcIxg==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20) by VE1PR10MB2893.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:803:111::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5482.11; Tue, 2 Aug 2022 15:05:36 +0000
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81]) by DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81%8]) with mapi id 15.20.5482.015; Tue, 2 Aug 2022 15:05:36 +0000
Content-Type: multipart/alternative; boundary="------------ja6CwWCVcQiAzMVaYXD4X0Tx"
Message-ID: <fbde15e7-dbeb-eb40-3cfa-2282c9560677@siemens.com>
Date: Tue, 02 Aug 2022 17:05:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Corey Bonnell <Corey.Bonnell@digicert.com>, Russ Housley <housley@vigilsec.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, LAMPS WG <spasm@ietf.org>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com> <56a8af3a-63f2-5f19-62d9-59469ab678bf@siemens.com> <DM6PR14MB218658CA89AB81F66D1FF551929D9@DM6PR14MB2186.namprd14.prod.outlook.com>
From: David von Oheimb <David.von.Oheimb@siemens.com>
In-Reply-To: <DM6PR14MB218658CA89AB81F66D1FF551929D9@DM6PR14MB2186.namprd14.prod.outlook.com>
X-ClientProxiedBy: CH0PR03CA0450.namprd03.prod.outlook.com (2603:10b6:610:10e::28) To DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4f77fa4b-9700-4f81-44ea-08da74987455
X-MS-TrafficTypeDiagnostic: VE1PR10MB2893:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 06jGZArIhuKjWnO4L39C0ZhveFUQS8b+D1B5LtvmYQOpxJo9H6HTRPT/RDUYaURlakKCvefh/Ruchov8ZdN0YTUVmNjXl5Ie9TeNR8tq9hJzISpjmjXZr18LH+lHl8lpT3rmUZL8IVKAuTFrpkmcLgDqSeLiecwdkrBYnE8biar74rmeEbBG3j0BZuzLulLOPM59FyEcIP/rsPSEIz6PHSqkkvpfLPkYv7Ms63qE6yVwHhuCc7rmA8ToQlhEnYPGGlZnjUgwc++TObsNkWfEnkMpXa1IWEFLZQxgYjBvjNlaimsfDBAMhzjlMQrcZpI3dxiU6mNbtebx3A6YJGzs+4OhiUC9BBlbJyZ3/om2wrxWFZ4JFKy2lI5eB32nGIh3+raRgSa8DR1goJy0U0FtvGXso7yvR7bojc0A4+/RPM21YYsXsr7rxmqk4kre9gfF7wccl4pmrO+0ZVSk5OJv5MYaj69XLESBxebAvxg0S9yNkUKN+EZuv5TgJPrpn4/PEMuOx5+9ZjyvPFfYxjARZDOBQG6ZOxKejs+oeu5FM10hGRZlopIHMLxSjysu2jEk0gqog+T3GX7ntWG6/iWWcDIUzkxafufPMCEpeYOIu4lcOkrdK4Os+ZgkA9dAtoqdyeiCEXQrMPCNG4+OoaVK8Jyb85/qQoKcOav98E5SWc+8lwW1STSrhuXdMOpppRbPbhyyD8ppEg2K8AlCn2F750uQC87lBu92tmLAbSCyCShENwRvvh1hDSv7UTi04Y2YcE7xB4Fj5QC9zEm9RPKfltpeEsDzZuI6PVcmol4bP1VpQZrfIhyIOQH+2pkA6R+uie7OXwKNY11LKulwzef+McbLV6Ony+Rok27vxNw+w2mNg4ocAszdpx5J35OzlcAyYGN2jJQXTGDTb5vall/ySA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(376002)(136003)(346002)(366004)(396003)(39860400002)(6666004)(30864003)(478600001)(41300700001)(5660300002)(166002)(110136005)(82960400001)(2906002)(54906003)(316002)(6486002)(966005)(8936002)(6506007)(38100700002)(2616005)(66556008)(66476007)(31696002)(86362001)(66946007)(55236004)(53546011)(33964004)(186003)(36756003)(31686004)(8676002)(26005)(6512007)(4326008)(83380400001)(45980500001)(43740500002)(579004)(559001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 5zkHiIGRl7qKGgBHYKxAm/QTu+RHsDNN3QNJH+ZnTlqOM3w/DqT2ovKIzwLp8r489tDyEBAave3Hn/RWcDarqOEycPY6RMXaZoHNelAd+0+Qnem9OyAklcySu/c+N2w6aWuiofYZWd3kE98EXtIdXDIX/QUinNPP8XnoG4D5Gmal8F/eN49YHMR/0b4stcKaJcTvPMRELe6LlH4Cv6eO/zepLysTPQtboWYV5tJrJCFq341WtZgofyVXuGrWQsLVSo1QFmDTBqmfgLtJGVZfbJ0LmqO44vMifnnIY+nSVOXF2n13oHIxgyVSkwa6qsg1XhSff7OlDkGxE+jwkv68XSRGvKIOA7RxY1ReWuYAWdRID2x9Ttz15BLBRgwlLfmLX7bQmGtMzxUaLYQZz99gwdpzYVsWwrnKlAyvERat7+l4kpIPJI1UgmDAWCv453RutckltIp/8aOQhmlkbkoEH3bU7KV37mhgEMkZX60hz/rqCyK3MbSj2crWSxjYdeJBMd6RkTMQQmo9JtMwVtMozNPQ75zRPHN7oPs8WMw7d44Rhyf6e3yWnCeTkujH868nFvTUMXFPZ0XIXu1Jv2G5wpPNTIRb/xmVTc+mkxqWRYeZHBg2gHekeh4fL1Wm2kb782x55LRZ+bxyesmu5sp8KFJ00CgFPw0rwHQw2LNw2nrK+zkyqE36aK/lXmQJIfy5UVq0UdONau6WZFk3Qt8uTyM8xQkzJ9s0XMHl145lSWJoNED62Paud+Wss8PEDRMWzhI6yFeF2r4pa7y2cIoi1w7LJsZLgEmMznLr2wGg6c3RFAOeHZPFjgxXJLz7nBhhpqjJ05rTCxdysa+0Rh9TwsnsDqRH1fUYnVVjRKhDsNNs0oFClBQeXXO4QfgK2uw1KHtnWqzwbjZWyZhruR/Bc6ZyzKGQUFnqHQ3tf+eR+xcRhU0tQiiwtXH+geYtcS06lPx9vGo84oeePBMY+ovwEvp8ELMJR/b5LsaddKjbVPk2D2v6Opm7GwuBp1Zcrum/TMdcz5K2iDCJUaoeWD7DeKx5x9yFsVuB1jFFq6tYZChO+H9San7EzZTRekTTPHy/4Huwzxpu5PZJs2fZH3VxBNSMQlJiMDCqRdknH0IPIrCWnyCx7sI794Lgdz7oW7MzJ/hqpJWAZ9QEGT5eyCRN8BdKqakuw+Hryg3A7J26xfTc8LOx2G5ItoLRGTiqz8WI06NgmISDroZNuY/xvvu+RGeAjL0PrJennkT5bRy+YPs2qU8yY4RZu6gBEEUEh2ZDmFWu9bGaEr56jvi+QT4opZQrMgqjf4ReRLE5NoUMOkfdzcx7SqD8XmU01+stj2gXfz62QZHkO43jegBHNWGqn/7t7jzlgHbk8zWMa+VGRGY1+yj9c+rAaz3OhciDtZoA1c5oaInGv9gJuOE18QEt6mRf3Yb+taKW4ZnVhcpCwZQ0DU4ZeYva1LY6zsWWGhkgEdXwOt+szA714C8JfvnAJl2giyN2nwQJ7YVc7Ks961eSM418cgJIC8Olb6q5o+Zv0G0IuOZmnnIyDxZ895tYxMnkgdiC9eZwToPh0wcTF01llKwJOMhN/Ssx8Q/jW0doJn79F8+fUFnpylu5ooF5tW6TZrp5qMufZB0yzGgillA=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4f77fa4b-9700-4f81-44ea-08da74987455
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Aug 2022 15:05:36.4129 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: h2XGzMSEP2QIWS8y8poxgPPsJ2ZM//Bl4cfA6WYL/IB0Lb5H/BcIgawsa5GrxX7i0ktUEUqepOhNq9ALei5Kx12EtNMnOIdmZTm8CH25zc4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR10MB2893
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tBvUtczCH3B1QMyv8_6mvtuX7DQ>
Subject: Re: [lamps] struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 15:05:58 -0000
Russ, Corey, On 02.08.22 15:24, Russ Housley wrote: > >> I believe we should clarify that >> >> * There MUST be/at most one/attribute describing X.509 extensions, >> i.e., one bearing the OID extensionRequest >> (1.2.840.113549.1.9.14) as its type. >> * The set in such an X.509 extension value MUST contain exactly one >> element. >> * The value of such an attribute MUST be of type Extensions, i.e., >> a sequence of Extension. >> > Those all make sense to me. thanks for your confirmation. > Recall that the syntax for Extension is: > > Extension ::= SEQUENCE { > extnID OBJECT IDENTIFIER, > critical BOOLEAN DEFAULT FALSE, > extnValue OCTET STRING > -- contains the DER encoding of an ASN.1 value > -- corresponding to the extension type identified > -- by extnID > } > > I suggest an additional bullet: > > * An extnID object identifier MUST appear at most once in > the extensionRequest attribute. Good point, added. Even if for instance multiple SANs need to be given, this can be accommodated easily, e.g., 551 72: SEQUENCE { 553 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) 558 65: OCTET STRING, encapsulates { 560 63: SEQUENCE { 562 12: [2] 'www.good.org' 576 12: [2] 'any.good.com' 590 13: [1] 'good@good.org' 605 12: [1] 'any@good.com' 619 4: [7] C0 A8 00 01 : } : } : } On 02.08.22 15:10, Corey Bonnell wrote: > > One comment on the encoding of the subjectAltName, copied below: > > SEQUENCE { > OBJECT IDENTIFIER subjectAltName (2 5 29 17) > [0] { > BOOLEAN TRUE > } > OCTET STRING, encapsulates { > SEQUENCE { > [2] 'domain.example' > } > } > } > [...] > > Given this ASN.1 definition, I believe the correct encoding of the > subjectAltName would be: > > SEQUENCE { > OBJECT IDENTIFIER subjectAltName (2 5 29 17) > BOOLEAN TRUE > OCTET STRING, encapsulates { > SEQUENCE { > [2] 'domain.example' > } > } > } > Right, thanks. I had already questioned Michael's original example in this regard: > /The "[0] {" (and the closing "}") is likely superfluous/wrong here./ > but did not check thoroughly so far. Fixed the example in the repo accordingly. Cheers, David > *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *David von Oheimb > *Sent:* Tuesday, August 2, 2022 6:45 AM > *To:* Michael Richardson <mcr+ietf@sandelman.ca> > *Cc:* LAMPS WG <spasm@ietf.org> > *Subject:* Re: [lamps] struggling with CSRAttrs > > Here are further things to clarify, which I happened to come across > yesterday > when tweaking the OpenSSL implementation > <https://github.com/openssl/openssl/pull/18931> of X.509 extensions in > PKCS#10 CSRs (and certs). > > It is common practice for PKCS#10 objects to contain just one X.509 > extension attribute with a single set element, > although this appears not explicitly required by RFC 2986 > <https://www.rfc-editor.org/rfc/rfc2986> (at least I did not find this > there), > and the value of this attribute is a sequence of actual extensions: > > Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension > > defined in RFC 5280 section 4.1 > <https://datatracker.ietf.org/doc/html/rfc5280#section-4.1>, which > also makes clear that X.509 certs can bear only one such list: > > TBSCertificate ::= SEQUENCE { > version [0] EXPLICIT Version DEFAULT v1, > ... > extensions [3] EXPLICIT Extensions OPTIONAL > -- If present, version MUST be v3 > } > > As mentioned on July 19 (see other email below), the CsrAttrs syntax > gives quite some needless > > freedom how to represent multiple X.509 extensions (and potentially > other types of attributes). > > I believe we should clarify that > > * There MUST be /at most one/ attribute describing X.509 extensions, > i.e., one bearing the OID extensionRequest (1.2.840.113549.1.9.14) > as its type. > * The set in such an X.509 extension value MUST contain exactly one > element. > * The value of such an attribute MUST be of type Extensions, i.e., a > sequence of Extension. > > In this light, I've just updated the example to reflect the type > *SEQUENCE OF* Extension > and extended it with two (non-critical) extensions to make it more > general/educative: > > SEQUENCE { > SEQUENCE { > OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14) > SET { > SEQUENCE { > SEQUENCE { > OBJECT IDENTIFIER basicConstraints (2 5 29 19) > OCTET STRING, encapsulates { > SEQUENCE {} > } > } > SEQUENCE { > OBJECT IDENTIFIER extKeyUsage (2 5 29 37) > OCTET STRING, encapsulates { > SEQUENCE { > OBJECT IDENTIFIER serverAuth (1 3 6 1 5 5 7 3 1) > } > } > } > SEQUENCE { > OBJECT IDENTIFIER subjectAltName (2 5 29 17) > [0] { > BOOLEAN TRUE > } > OCTET STRING, encapsulates { > SEQUENCE { > [2] 'domain.example' > } > } > } > } > } > } > } > > Moreover, we might specify what an empty list of X.509 extensions means, > such as to express that no X.509 extensions should/must be used in the > CSR. > > David > > On 31.07.22 19:40, David von Oheimb wrote: > > Hi Michael et al. > > On 29.07.22 20:45, Michael Richardson wrote: > > Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { > > extType ATTRIBUTE.&id({IOSet}), > > extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) > > } > > Well, this definition is semantically identical to the original one. > > So better not rename the two fields of the Attribute structure, i.e., we > > should stick with 'type' and 'values', > > in particular since there may be attributes that are not X.509 > > extensions. > > I found it clearer, but if you object to this rename, then I'll go with your preference. > > Let's keep the original field names. > Also because this underlines the important fact that we do not > change the ASN.1 syntax at all, > which is critical for bits-on-the-wire compatibility, but we just > clarify its use and interpretation. > > I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub > repository. > Its new version contains various suggestions for improvements here > and there. > Also updated the subjectAltName example to be of the more usual > form of a dNSName > and inserted two questions/remarks: > > (TODO: Do we want to allow an empty extnValue (which is of type > OCTET > STRING), which would mean that the client is told to include an > X.509 > extension of the given type and fill in the concrete value itself?) > > (TODO: Note that this mechanism does not support telling the client > to include in the CSR a specific subject DN, simply because > there is > no OID for this. I think we should better make this clear, or we > have to define such an OID if setting a subject name should be > supported.) > > I also corrected the spelling of my (co-author's) name in > presentations/ietf114-lamps-csrattrs.{fodp,pdf}. > > David > > > On Tue, 2022-07-19 at 20:58 +0200, David von Oheimb wrote: > > Hi Michael, Sean, et al., > > on Sun, 2022-07-10 at 22:18 -0400, Michael Richardson wrote: > > Sean, sorry to be asking this with less than 24h to ID cut-off. > > I didn't want to post an updated ID until I had example code > that produced > > what I *thought* you are suggesting. Moving a SEQ/SET around > isn't that > > hard... only now I've confused myself. > > We had: > > CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID > > AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, > > attribute Attribute } > > Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { > > extType ATTRIBUTE.&id({IOSet}), > > extAttr SET SIZE(1..MAX) OF > ATTRIBUTE.&Type({IOSet}{@type}) > > } > > Well, this definition is semantically identical to the original one. > So better not rename the two fields of the Attribute structure, > i.e., we should stick with 'type' and 'values', > in particular since there may be attributes that are not X.509 > extensions. > > > According to > https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs > <https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs> > the only thing that is "changed" is the clarification that the > attributes may contain entire X.509 extensions. > > So BTW I believe we can and should claim that this is bit-on-the > wire compatible with RFC 7030. > > with the understanding that extAttr could be a SET of Extensions. > > Better also state that in this case the type/extType field MUST > bear the value extensionRequest (1.2.840.113549.1.9.14). > > Each Extension is given by: > > Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension > > The Extensions structure is only needed within certificates (where > there is just one extensions field). > All needed here is the Extension structure - there are already > more than enough of those sequences and sets around;-) > > Extension ::= SEQUENCE { > > extnID OBJECT IDENTIFIER, > > critical BOOLEAN DEFAULT FALSE, > > extnValue OCTET STRING > > -- contains the DER encoding of an ASN.1 value > > -- corresponding to the extension type > identified > > -- by extnID > > } > > 1) I'm not sure why I need a SET of a Sequence, unless your > intent was that > > extAttr could be an *Extension* ?? I'm gonna go with yes > here, but I > > didn't code that yet. > > In my view, the set-valued > > extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type > <mailto:%7bIOSet%7d%7b@type>}) > > (or better, as in the original definition in 7030): > > values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type > <mailto:%7bIOSet%7d%7b@type>}) > > is not really needed because multiple attributes can be given > anyway using multiple attributes, and each of them may then have a > different type. > If multiple values are given as a set within a single attribute, > all its elements must have the same type. > So in practice I suppose that for all attributes the SETs given > within each of them usually will have just one value element. > > 2) I think that extnID would be things like subjectAltName, > > i.e. OID: 2.5.29.17 > > Right. > > But, if so, what is extType for this? > > The (ext)type is needed to provide the information, using > "extensionRequest", that an X.509 extension is being given in this > attribute. > > ASN1 that I have right now, where I've put subjectAltName in > twice: > > obiwan-[projects/pandora/fountain](2.6.6) mcr 10396 %dumpasn1 > tmp/csr_bulb1.der > > 0 84: SEQUENCE { > > 2 82: SEQUENCE { > > 4 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) > <--- WHAT GOE, uS HERE? > > Replace this by extensionRequest (1.2.840.113549.1.9.14) > > 9 75: SET { > > 11 73: SEQUENCE { <--- SEQUENCE here might be undesired. > > SEQUENCE here is fine, as demanded by the Extension structure. > > 13 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) > > 18 3: [0] { > > The "[0] {" (and the closing "}") is likely superfluous/wrong here. > > 20 1: BOOLEAN TRUE > > : } > > 23 61: SEQUENCE { > > 25 59: [0] { > > 27 57: UTF8String > > : > 'rfc8994+fd739fc23c3440112233445500000000+@acp.ex > <mailto:rfc8994+fd739fc23c3440112233445500000000+@acp.ex>' > > : 'ample.com' > > : } > > : } > > This encoding of a SAN appears strange to me - which flavor of > GeneralName are you aiming at? > > : } > > : } > > : } > > : } > > - David >
- [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] strugling with CSRAttrs David von Oheimb
- Re: [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- [lamps] Fixed the RFC 8994 / ACP Subject Alternat… David von Oheimb
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… von Oheimb, David
- [lamps] IANA Considerations text for OID allocati… Michael Richardson
- Re: [lamps] IANA Considerations text for OID allo… Russ Housley
- Re: [lamps] IANA Considerations text for OID allo… Michael Richardson
- Re: [lamps] [EXTERNAL] Re: IANA Considerations te… Mike Ounsworth
- Re: [lamps] IANA Considerations text for OID allo… Tim Hollebeek
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell