Re: [lamps] struggling with CSRAttrs
David von Oheimb <David.von.Oheimb@siemens.com> Tue, 02 August 2022 15:05 UTC
Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E91DDC14CF14 for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 08:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.61
X-Spam-Level:
X-Spam-Status: No, score=-4.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SCC_THREE_WORD_MONTY=2.497, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nY0lzbLAp28r for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 08:05:53 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30050.outbound.protection.outlook.com [40.107.3.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2B50C157B5E for <spasm@ietf.org>; Tue, 2 Aug 2022 08:05:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PdBEMFtXzr3i8U6AvspChh3uDj32BMlYjFzv+gcRl/eTWGil53vArwbFHuOLIqF9t645Yy9m+W1emyWRCB+HSPe3ggLdOykNh2VoL/3y0MdwzaE4DUelklvFIP1VMV7XnadP8iAqN60fb4KGV7z9vboj7Z1dJ4wG/06zxM1yvj6RV9/ZghIYqi2HZj37YV3F7o0CP3wI4dQQ/9NoLppU5Z50MAT22KRJo5NSV8ckLDFsJmbrfHaJQ3cuVpZIOw4o0bHmhMDXozToXyCks4dMPDratKWLNb98t29MoySM0Y0WFeVVjrRTpu7h8yj+cfayPDxowSO1rvUdKSpC19JizA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NQc5Sr5tlJdqIL34ARtyh9q1YUBmOtfoxLFO7l8nFSY=; b=RWotShnK1xnpRHqPv48nPbOMWX9GkTlup/lO/Bnvy52ohoTYzno9XLa9wwZpXrb6Cz/ZqhmFbgcTcUGhP1yFDTVLp9z2PXX8yAP2A3CdDf5wWe7zmJq+EaMmMltIS4tpDJ26wln2+EdiKqBYoMhL29jXY1yQtp+ycVCfug9RH4TSzN/76s2eYUUI7uKimeYfc++zs+FvtDV01ft0KayPVT+Naf5/s22Qu8BkQbsoBrofz7I8zvkbgA38JaZZGjfb6PwOwj2ycyoN/yC3qCfM/mO2rVi+WRsHRW2hg5rQkXB03AG/JI68+y2XGy+FVuY40MzI5S8ctqrFwPSd36zbUw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NQc5Sr5tlJdqIL34ARtyh9q1YUBmOtfoxLFO7l8nFSY=; b=tB2garAlO79RGDuB2wgG31gZSPfcSa2FtKc2ffdUSfHj6jG9DKMkzs5+rH2Aj/2M26NADUy28VuQEoIkoVvyWFa6RkMN4IthLaQ6T+DVB0vILYwo6We5h6P+ss7OV88bJjCz9JmumVhjuFj72+Jim0Hd6mkKJnr0p/V29vIaxFyGawnw1lqip7axEYpEcFpc+0ZKCdwehG2FCQn+SAnL24zBoJ5VefrIlXMKv2onYpKWqGM0QU3T2DSYHIS64iILaqf1WNDejLIY5PMfuv7fuJfMsII7pq60tU1uK5pDCYTQDvFCWVXveumnxDvyXyB0SqTYBmJ3nL8Y8TU+CTcIxg==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20) by VE1PR10MB2893.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:803:111::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5482.11; Tue, 2 Aug 2022 15:05:36 +0000
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81]) by DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81%8]) with mapi id 15.20.5482.015; Tue, 2 Aug 2022 15:05:36 +0000
Content-Type: multipart/alternative; boundary="------------ja6CwWCVcQiAzMVaYXD4X0Tx"
Message-ID: <fbde15e7-dbeb-eb40-3cfa-2282c9560677@siemens.com>
Date: Tue, 02 Aug 2022 17:05:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Corey Bonnell <Corey.Bonnell@digicert.com>, Russ Housley <housley@vigilsec.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, LAMPS WG <spasm@ietf.org>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com> <56a8af3a-63f2-5f19-62d9-59469ab678bf@siemens.com> <DM6PR14MB218658CA89AB81F66D1FF551929D9@DM6PR14MB2186.namprd14.prod.outlook.com>
From: David von Oheimb <David.von.Oheimb@siemens.com>
In-Reply-To: <DM6PR14MB218658CA89AB81F66D1FF551929D9@DM6PR14MB2186.namprd14.prod.outlook.com>
X-ClientProxiedBy: CH0PR03CA0450.namprd03.prod.outlook.com (2603:10b6:610:10e::28) To DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4f77fa4b-9700-4f81-44ea-08da74987455
X-MS-TrafficTypeDiagnostic: VE1PR10MB2893:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 06jGZArIhuKjWnO4L39C0ZhveFUQS8b+D1B5LtvmYQOpxJo9H6HTRPT/RDUYaURlakKCvefh/Ruchov8ZdN0YTUVmNjXl5Ie9TeNR8tq9hJzISpjmjXZr18LH+lHl8lpT3rmUZL8IVKAuTFrpkmcLgDqSeLiecwdkrBYnE8biar74rmeEbBG3j0BZuzLulLOPM59FyEcIP/rsPSEIz6PHSqkkvpfLPkYv7Ms63qE6yVwHhuCc7rmA8ToQlhEnYPGGlZnjUgwc++TObsNkWfEnkMpXa1IWEFLZQxgYjBvjNlaimsfDBAMhzjlMQrcZpI3dxiU6mNbtebx3A6YJGzs+4OhiUC9BBlbJyZ3/om2wrxWFZ4JFKy2lI5eB32nGIh3+raRgSa8DR1goJy0U0FtvGXso7yvR7bojc0A4+/RPM21YYsXsr7rxmqk4kre9gfF7wccl4pmrO+0ZVSk5OJv5MYaj69XLESBxebAvxg0S9yNkUKN+EZuv5TgJPrpn4/PEMuOx5+9ZjyvPFfYxjARZDOBQG6ZOxKejs+oeu5FM10hGRZlopIHMLxSjysu2jEk0gqog+T3GX7ntWG6/iWWcDIUzkxafufPMCEpeYOIu4lcOkrdK4Os+ZgkA9dAtoqdyeiCEXQrMPCNG4+OoaVK8Jyb85/qQoKcOav98E5SWc+8lwW1STSrhuXdMOpppRbPbhyyD8ppEg2K8AlCn2F750uQC87lBu92tmLAbSCyCShENwRvvh1hDSv7UTi04Y2YcE7xB4Fj5QC9zEm9RPKfltpeEsDzZuI6PVcmol4bP1VpQZrfIhyIOQH+2pkA6R+uie7OXwKNY11LKulwzef+McbLV6Ony+Rok27vxNw+w2mNg4ocAszdpx5J35OzlcAyYGN2jJQXTGDTb5vall/ySA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(376002)(136003)(346002)(366004)(396003)(39860400002)(6666004)(30864003)(478600001)(41300700001)(5660300002)(166002)(110136005)(82960400001)(2906002)(54906003)(316002)(6486002)(966005)(8936002)(6506007)(38100700002)(2616005)(66556008)(66476007)(31696002)(86362001)(66946007)(55236004)(53546011)(33964004)(186003)(36756003)(31686004)(8676002)(26005)(6512007)(4326008)(83380400001)(45980500001)(43740500002)(579004)(559001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 5zkHiIGRl7qKGgBHYKxAm/QTu+RHsDNN3QNJH+ZnTlqOM3w/DqT2ovKIzwLp8r489tDyEBAave3Hn/RWcDarqOEycPY6RMXaZoHNelAd+0+Qnem9OyAklcySu/c+N2w6aWuiofYZWd3kE98EXtIdXDIX/QUinNPP8XnoG4D5Gmal8F/eN49YHMR/0b4stcKaJcTvPMRELe6LlH4Cv6eO/zepLysTPQtboWYV5tJrJCFq341WtZgofyVXuGrWQsLVSo1QFmDTBqmfgLtJGVZfbJ0LmqO44vMifnnIY+nSVOXF2n13oHIxgyVSkwa6qsg1XhSff7OlDkGxE+jwkv68XSRGvKIOA7RxY1ReWuYAWdRID2x9Ttz15BLBRgwlLfmLX7bQmGtMzxUaLYQZz99gwdpzYVsWwrnKlAyvERat7+l4kpIPJI1UgmDAWCv453RutckltIp/8aOQhmlkbkoEH3bU7KV37mhgEMkZX60hz/rqCyK3MbSj2crWSxjYdeJBMd6RkTMQQmo9JtMwVtMozNPQ75zRPHN7oPs8WMw7d44Rhyf6e3yWnCeTkujH868nFvTUMXFPZ0XIXu1Jv2G5wpPNTIRb/xmVTc+mkxqWRYeZHBg2gHekeh4fL1Wm2kb782x55LRZ+bxyesmu5sp8KFJ00CgFPw0rwHQw2LNw2nrK+zkyqE36aK/lXmQJIfy5UVq0UdONau6WZFk3Qt8uTyM8xQkzJ9s0XMHl145lSWJoNED62Paud+Wss8PEDRMWzhI6yFeF2r4pa7y2cIoi1w7LJsZLgEmMznLr2wGg6c3RFAOeHZPFjgxXJLz7nBhhpqjJ05rTCxdysa+0Rh9TwsnsDqRH1fUYnVVjRKhDsNNs0oFClBQeXXO4QfgK2uw1KHtnWqzwbjZWyZhruR/Bc6ZyzKGQUFnqHQ3tf+eR+xcRhU0tQiiwtXH+geYtcS06lPx9vGo84oeePBMY+ovwEvp8ELMJR/b5LsaddKjbVPk2D2v6Opm7GwuBp1Zcrum/TMdcz5K2iDCJUaoeWD7DeKx5x9yFsVuB1jFFq6tYZChO+H9San7EzZTRekTTPHy/4Huwzxpu5PZJs2fZH3VxBNSMQlJiMDCqRdknH0IPIrCWnyCx7sI794Lgdz7oW7MzJ/hqpJWAZ9QEGT5eyCRN8BdKqakuw+Hryg3A7J26xfTc8LOx2G5ItoLRGTiqz8WI06NgmISDroZNuY/xvvu+RGeAjL0PrJennkT5bRy+YPs2qU8yY4RZu6gBEEUEh2ZDmFWu9bGaEr56jvi+QT4opZQrMgqjf4ReRLE5NoUMOkfdzcx7SqD8XmU01+stj2gXfz62QZHkO43jegBHNWGqn/7t7jzlgHbk8zWMa+VGRGY1+yj9c+rAaz3OhciDtZoA1c5oaInGv9gJuOE18QEt6mRf3Yb+taKW4ZnVhcpCwZQ0DU4ZeYva1LY6zsWWGhkgEdXwOt+szA714C8JfvnAJl2giyN2nwQJ7YVc7Ks961eSM418cgJIC8Olb6q5o+Zv0G0IuOZmnnIyDxZ895tYxMnkgdiC9eZwToPh0wcTF01llKwJOMhN/Ssx8Q/jW0doJn79F8+fUFnpylu5ooF5tW6TZrp5qMufZB0yzGgillA=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4f77fa4b-9700-4f81-44ea-08da74987455
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Aug 2022 15:05:36.4129 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: h2XGzMSEP2QIWS8y8poxgPPsJ2ZM//Bl4cfA6WYL/IB0Lb5H/BcIgawsa5GrxX7i0ktUEUqepOhNq9ALei5Kx12EtNMnOIdmZTm8CH25zc4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR10MB2893
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tBvUtczCH3B1QMyv8_6mvtuX7DQ>
Subject: Re: [lamps] struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 15:05:58 -0000
Russ, Corey,
On 02.08.22 15:24, Russ Housley wrote:
>
>> I believe we should clarify that
>>
>> * There MUST be/at most one/attribute describing X.509 extensions,
>> i.e., one bearing the OID extensionRequest
>> (1.2.840.113549.1.9.14) as its type.
>> * The set in such an X.509 extension value MUST contain exactly one
>> element.
>> * The value of such an attribute MUST be of type Extensions, i.e.,
>> a sequence of Extension.
>>
> Those all make sense to me.
thanks for your confirmation.
> Recall that the syntax for Extension is:
>
> Extension ::= SEQUENCE {
> extnID OBJECT IDENTIFIER,
> critical BOOLEAN DEFAULT FALSE,
> extnValue OCTET STRING
> -- contains the DER encoding of an ASN.1 value
> -- corresponding to the extension type identified
> -- by extnID
> }
>
> I suggest an additional bullet:
>
> * An extnID object identifier MUST appear at most once in
> the extensionRequest attribute.
Good point, added.
Even if for instance multiple SANs need to be given, this can be
accommodated easily, e.g.,
551 72: SEQUENCE {
553 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
558 65: OCTET STRING, encapsulates {
560 63: SEQUENCE {
562 12: [2] 'www.good.org'
576 12: [2] 'any.good.com'
590 13: [1] 'good@good.org'
605 12: [1] 'any@good.com'
619 4: [7] C0 A8 00 01
: }
: }
: }
On 02.08.22 15:10, Corey Bonnell wrote:
>
> One comment on the encoding of the subjectAltName, copied below:
>
> SEQUENCE {
> OBJECT IDENTIFIER subjectAltName (2 5 29 17)
> [0] {
> BOOLEAN TRUE
> }
> OCTET STRING, encapsulates {
> SEQUENCE {
> [2] 'domain.example'
> }
> }
> }
>
[...]
>
> Given this ASN.1 definition, I believe the correct encoding of the
> subjectAltName would be:
>
> SEQUENCE {
> OBJECT IDENTIFIER subjectAltName (2 5 29 17)
> BOOLEAN TRUE
> OCTET STRING, encapsulates {
> SEQUENCE {
> [2] 'domain.example'
> }
> }
> }
>
Right, thanks. I had already questioned Michael's original example in
this regard:
> /The "[0] {" (and the closing "}") is likely superfluous/wrong here./
>
but did not check thoroughly so far.
Fixed the example in the repo accordingly.
Cheers,
David
> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *David von Oheimb
> *Sent:* Tuesday, August 2, 2022 6:45 AM
> *To:* Michael Richardson <mcr+ietf@sandelman.ca>
> *Cc:* LAMPS WG <spasm@ietf.org>
> *Subject:* Re: [lamps] struggling with CSRAttrs
>
> Here are further things to clarify, which I happened to come across
> yesterday
> when tweaking the OpenSSL implementation
> <https://github.com/openssl/openssl/pull/18931> of X.509 extensions in
> PKCS#10 CSRs (and certs).
>
> It is common practice for PKCS#10 objects to contain just one X.509
> extension attribute with a single set element,
> although this appears not explicitly required by RFC 2986
> <https://www.rfc-editor.org/rfc/rfc2986> (at least I did not find this
> there),
> and the value of this attribute is a sequence of actual extensions:
>
> Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
>
> defined in RFC 5280 section 4.1
> <https://datatracker.ietf.org/doc/html/rfc5280#section-4.1>, which
> also makes clear that X.509 certs can bear only one such list:
>
> TBSCertificate ::= SEQUENCE {
> version [0] EXPLICIT Version DEFAULT v1,
> ...
> extensions [3] EXPLICIT Extensions OPTIONAL
> -- If present, version MUST be v3
> }
>
> As mentioned on July 19 (see other email below), the CsrAttrs syntax
> gives quite some needless
>
> freedom how to represent multiple X.509 extensions (and potentially
> other types of attributes).
>
> I believe we should clarify that
>
> * There MUST be /at most one/ attribute describing X.509 extensions,
> i.e., one bearing the OID extensionRequest (1.2.840.113549.1.9.14)
> as its type.
> * The set in such an X.509 extension value MUST contain exactly one
> element.
> * The value of such an attribute MUST be of type Extensions, i.e., a
> sequence of Extension.
>
> In this light, I've just updated the example to reflect the type
> *SEQUENCE OF* Extension
> and extended it with two (non-critical) extensions to make it more
> general/educative:
>
> SEQUENCE {
> SEQUENCE {
> OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
> SET {
> SEQUENCE {
> SEQUENCE {
> OBJECT IDENTIFIER basicConstraints (2 5 29 19)
> OCTET STRING, encapsulates {
> SEQUENCE {}
> }
> }
> SEQUENCE {
> OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
> OCTET STRING, encapsulates {
> SEQUENCE {
> OBJECT IDENTIFIER serverAuth (1 3 6 1 5 5 7 3 1)
> }
> }
> }
> SEQUENCE {
> OBJECT IDENTIFIER subjectAltName (2 5 29 17)
> [0] {
> BOOLEAN TRUE
> }
> OCTET STRING, encapsulates {
> SEQUENCE {
> [2] 'domain.example'
> }
> }
> }
> }
> }
> }
> }
>
> Moreover, we might specify what an empty list of X.509 extensions means,
> such as to express that no X.509 extensions should/must be used in the
> CSR.
>
> David
>
> On 31.07.22 19:40, David von Oheimb wrote:
>
> Hi Michael et al.
>
> On 29.07.22 20:45, Michael Richardson wrote:
>
> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>
> extType ATTRIBUTE.&id({IOSet}),
>
> extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>
> }
>
> Well, this definition is semantically identical to the original one.
>
> So better not rename the two fields of the Attribute structure, i.e., we
>
> should stick with 'type' and 'values',
>
> in particular since there may be attributes that are not X.509
>
> extensions.
>
> I found it clearer, but if you object to this rename, then I'll go with your preference.
>
> Let's keep the original field names.
> Also because this underlines the important fact that we do not
> change the ASN.1 syntax at all,
> which is critical for bits-on-the-wire compatibility, but we just
> clarify its use and interpretation.
>
> I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub
> repository.
> Its new version contains various suggestions for improvements here
> and there.
> Also updated the subjectAltName example to be of the more usual
> form of a dNSName
> and inserted two questions/remarks:
>
> (TODO: Do we want to allow an empty extnValue (which is of type
> OCTET
> STRING), which would mean that the client is told to include an
> X.509
> extension of the given type and fill in the concrete value itself?)
>
> (TODO: Note that this mechanism does not support telling the client
> to include in the CSR a specific subject DN, simply because
> there is
> no OID for this. I think we should better make this clear, or we
> have to define such an OID if setting a subject name should be
> supported.)
>
> I also corrected the spelling of my (co-author's) name in
> presentations/ietf114-lamps-csrattrs.{fodp,pdf}.
>
> David
>
>
> On Tue, 2022-07-19 at 20:58 +0200, David von Oheimb wrote:
>
> Hi Michael, Sean, et al.,
>
> on Sun, 2022-07-10 at 22:18 -0400, Michael Richardson wrote:
>
> Sean, sorry to be asking this with less than 24h to ID cut-off.
>
> I didn't want to post an updated ID until I had example code
> that produced
>
> what I *thought* you are suggesting. Moving a SEQ/SET around
> isn't that
>
> hard... only now I've confused myself.
>
> We had:
>
> CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
>
> AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER,
>
> attribute Attribute }
>
> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>
> extType ATTRIBUTE.&id({IOSet}),
>
> extAttr SET SIZE(1..MAX) OF
> ATTRIBUTE.&Type({IOSet}{@type})
>
> }
>
> Well, this definition is semantically identical to the original one.
> So better not rename the two fields of the Attribute structure,
> i.e., we should stick with 'type' and 'values',
> in particular since there may be attributes that are not X.509
> extensions.
>
>
> According to
> https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs
> <https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs>
> the only thing that is "changed" is the clarification that the
> attributes may contain entire X.509 extensions.
>
> So BTW I believe we can and should claim that this is bit-on-the
> wire compatible with RFC 7030.
>
> with the understanding that extAttr could be a SET of Extensions.
>
> Better also state that in this case the type/extType field MUST
> bear the value extensionRequest (1.2.840.113549.1.9.14).
>
> Each Extension is given by:
>
> Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
>
> The Extensions structure is only needed within certificates (where
> there is just one extensions field).
> All needed here is the Extension structure - there are already
> more than enough of those sequences and sets around;-)
>
> Extension ::= SEQUENCE {
>
> extnID OBJECT IDENTIFIER,
>
> critical BOOLEAN DEFAULT FALSE,
>
> extnValue OCTET STRING
>
> -- contains the DER encoding of an ASN.1 value
>
> -- corresponding to the extension type
> identified
>
> -- by extnID
>
> }
>
> 1) I'm not sure why I need a SET of a Sequence, unless your
> intent was that
>
> extAttr could be an *Extension* ?? I'm gonna go with yes
> here, but I
>
> didn't code that yet.
>
> In my view, the set-valued
>
> extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type
> <mailto:%7bIOSet%7d%7b@type>})
>
> (or better, as in the original definition in 7030):
>
> values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type
> <mailto:%7bIOSet%7d%7b@type>})
>
> is not really needed because multiple attributes can be given
> anyway using multiple attributes, and each of them may then have a
> different type.
> If multiple values are given as a set within a single attribute,
> all its elements must have the same type.
> So in practice I suppose that for all attributes the SETs given
> within each of them usually will have just one value element.
>
> 2) I think that extnID would be things like subjectAltName,
>
> i.e. OID: 2.5.29.17
>
> Right.
>
> But, if so, what is extType for this?
>
> The (ext)type is needed to provide the information, using
> "extensionRequest", that an X.509 extension is being given in this
> attribute.
>
> ASN1 that I have right now, where I've put subjectAltName in
> twice:
>
> obiwan-[projects/pandora/fountain](2.6.6) mcr 10396 %dumpasn1
> tmp/csr_bulb1.der
>
> 0 84: SEQUENCE {
>
> 2 82: SEQUENCE {
>
> 4 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
> <--- WHAT GOE, uS HERE?
>
> Replace this by extensionRequest (1.2.840.113549.1.9.14)
>
> 9 75: SET {
>
> 11 73: SEQUENCE { <--- SEQUENCE here might be undesired.
>
> SEQUENCE here is fine, as demanded by the Extension structure.
>
> 13 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>
> 18 3: [0] {
>
> The "[0] {" (and the closing "}") is likely superfluous/wrong here.
>
> 20 1: BOOLEAN TRUE
>
> : }
>
> 23 61: SEQUENCE {
>
> 25 59: [0] {
>
> 27 57: UTF8String
>
> :
> 'rfc8994+fd739fc23c3440112233445500000000+@acp.ex
> <mailto:rfc8994+fd739fc23c3440112233445500000000+@acp.ex>'
>
> : 'ample.com'
>
> : }
>
> : }
>
> This encoding of a SAN appears strange to me - which flavor of
> GeneralName are you aiming at?
>
> : }
>
> : }
>
> : }
>
> : }
>
> - David
>
- [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] strugling with CSRAttrs David von Oheimb
- Re: [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- [lamps] Fixed the RFC 8994 / ACP Subject Alternat… David von Oheimb
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] IANA Considerations text for OID allo… Russ Housley
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… von Oheimb, David
- [lamps] IANA Considerations text for OID allocati… Michael Richardson
- Re: [lamps] IANA Considerations text for OID allo… Michael Richardson
- Re: [lamps] [EXTERNAL] Re: IANA Considerations te… Mike Ounsworth
- Re: [lamps] IANA Considerations text for OID allo… Tim Hollebeek
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell