Re: [lamps] New suggestion for a full and straightforward solution - Re: I-D Action: draft-ietf-lamps-rfc7030-csrattrs-04.txt
David von Oheimb <it@von-Oheimb.de> Thu, 22 June 2023 18:41 UTC
Return-Path: <it@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A3D9C15109D for <spasm@ietfa.amsl.com>; Thu, 22 Jun 2023 11:41:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOHQ7GOOG3V1 for <spasm@ietfa.amsl.com>; Thu, 22 Jun 2023 11:41:54 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D97EBC151099 for <spasm@ietf.org>; Thu, 22 Jun 2023 11:41:52 -0700 (PDT)
Received: from [100.72.81.181] (ip-109-43-48-245.web.vodafone.de [109.43.48.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 6A5AA6140F6C; Thu, 22 Jun 2023 20:41:50 +0200 (CEST)
Message-ID: <1c253c156d2f21a4ee43a39c132089146eb71549.camel@von-Oheimb.de>
From: David von Oheimb <it@von-Oheimb.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>, spasm@ietf.org
Date: Thu, 22 Jun 2023 20:41:49 +0200
In-Reply-To: <99e9c34707b84ec72980b8839a805920f930b401.camel@von-Oheimb.de>
References: <168687004656.20234.4344396997105904558@ietfa.amsl.com> <05277edb6f344d74c793d02d1aeb9fa9f015d50e.camel@von-Oheimb.de> <19251.1687376241@dyas> <99e9c34707b84ec72980b8839a805920f930b401.camel@von-Oheimb.de>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-rTnBNcTV7JAD/H6azJkZ"
User-Agent: Evolution 3.38.3-1+deb11u2
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tfu3djrgXes069J64JDP0YLMY7U>
Subject: Re: [lamps] New suggestion for a full and straightforward solution - Re: I-D Action: draft-ietf-lamps-rfc7030-csrattrs-04.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2023 18:41:56 -0000
P.S. Some things I forgot to answer/comment on in my below email: > > but how backwards compatible is it? The newly suggested approach is fully backward compatible. Note that it does not touch the existing ASN.1 syntax at all, only a new attribute type with a new OID and dependent type is defined. Existing clients and servers can continue as before. I'd suggest that a new server MUST (or just SHOULD ?) use the new approach as long as it can expect that its clients will understand it, and that new clients MUST handle the new attribute if present, and otherwise MUST fall back to the old approach. If a new server uses the new approach and really wants to specify the hash algorithm to use for the PKCS#10 self-signature (though I see no real use for doing this, see below), it can do so essentially in the same way as suggested before, namely by providing an extra attribute with a suitable OID. In this case, for consistency with the new approach, this MUST not be done at the outer level (as an extra CsrAttrs sequence element), but as part of the new embedded CertificationRequestInfo structure. David On Thu, 2023-06-22 at 18:58 +0200, David von Oheimb wrote: > On Wed, 2023-06-21 at 15:37 -0400, Michael Richardson wrote: > > > > David von Oheimb <it@von-Oheimb.de> wrote: > > > thank you for the update. > > > > > The draft (so far) solves reasonably well the very specific > > issue > > > described in the intro, > > > > well... you are co-author already :-) > > Yes, and I already contributed various parts around early August last > year. > > > If this is something you want to add, then let's do it. > > I've just pushed a couple of minor improvements. > Yet before I contribute any more substantial things, > all authors should be in agreement on the way forward. > How about having a design call on this? > > > > > * it remains entirely unclear how a server could specify > > regular > > > subject DN values, which may be needed in addition to > > specifying > > > SANs, > > > possibly including partial specification of RDNs (such as : > > "include > > > a CN with value chosen by the client, while OU should have > > value > > > 'xyz') > > > > Given that we want to stop looking at DNs, I hadn't considered this > > mattered, > > but I agree that there are many cases where it does. I think that > > it should > > already be possible, but it's escaping me right now to think how it > > is > > specified in the CSR. > > Two years back I mentioned several options how it could be done. > With the new idea it can be done most naturally: as a DN (pattern). > > > > > * the spec how to interpret algorithm OIDs is very weak: just > > by means > > > of a few examples - no systematic semantic rules are given > > > > That's a reasonable criticism. > > > > > * there are no rules preventing conflicting "algorithm > > requirements", > > > such as OID ecdsaWithSHA384 and OID SHA256, > > > > You are right. So what does a client do when it see such a thing? > > As I wrote in the other current thread on csrattrs, > IMO an RFC should not specify any resolution strategy on malformed > CsrAttrs but > just rule out that such nonsensical or ambiguous CsrAttrs are provided > by the server. > > > > > * nothing general is specified how to use and interpret the > > multitude > > > of other OIDs that could potentially be given > > > > True. > > > > > * while addressed by examples, a general description is > > missing what it > > > means if for instance a cert extension > > > will have a value but the CSRattrs only give the OID - this > > issue is > > > the only one easy to cure in the current form of the draft. > > > > > So, while the draft so far gives clarification for a > > particular use case > > > of SANs and partly for other X.509v3 extensions, > > > the use of CsrAttrs is still heavily underspecified and thus > > > implementations are still far from reaching interoperability. > > > > .... > > > > > As I did already on 2021-07-30, I invite everyone to have a > > look at the > > > solution we took in the Lightweight CMP Profile, > > > which also defines a "Get Certificate Request Template" > > feature > > > in section 4.3.3 including an example in Appendix A. > > > The basic idea is to re-use the certificate template structure > > that is > > > also used in the actual CSRs (which in this case is in CRMF). > > > > > Today I had the thought that we can take over the same > > principle also > > > for EST CsrAttrs, even in a backward-compatible way! > > > > > Namely, by placing a partially filled CertificationRequestInfo > > structure > > > as the only(!) AttrOrOID element in the CsrAttrs > > > (with an OID identifying it, which likely needs to be defined > > for this > > > purpose). In this way, the server can specify in a > > straightforward > > > and pretty self-evident way what it expects from the client in > > the > > > actual PKCS#10 CSR, which has the very same content structure. > > > > okay, so I'm open to this idea, but how backwards compatible is it? > > Maybe the WG doesn't care. I just want to specify the SAN. > > Pleased to hear that you are open to this new idea for a more thorough > solution. > What do others think? > > > > > Within the CertificationRequestInfo structure, > > > the server can give for instance SANs and an other X.509v3 > > extensions as > > > well subject DNs etc. with desired values > > > exactly in the way they will appear in the CSR (and in the > > cert derived > > > from this data). This should also simplify implementations. > > > It can also give OIDs while leaving out the associated values, > > which > > > means that the client is expected to fill this in. > > > This scheme also works for specifying the type of the public > > key, where > > > an AlorithmIdentifier can be given with an empty key value. > > > > So, it would replace the SAN method here too. > > Yep - it would be implied naturally by the way SANs are to be > specified in PKCS#10 CSRs. > > > > > Examples would look very similar to the one given > > in Lightweight CMP > > > Profile Appendix A with the difference being that > > > there the structure used is of type CertTemplate, while for > > EST it will > > > be of type CertificationRequestInfo as in PKCS#10, > > > embedded in a simple CsrAttr sequence with one element > > containing the > > > "attribute" choice with the new OID > > for CertificationRequestInfo. > > BTW, the only thing I am aware of that does not structurally fit in > such a PKCS#10 pattern > is what has been given in the original CsrAttrs example used also in > the new document: > An OID such as ecdsaWithSHA384 intended to indicate what kind of hash > alg is expected > to be used for the self-signature of the PKCS#10 CSR structure. > > I see no real value in specifying the hash algorithm to use for the > CSR self-signature. > Note that anyway this hash alg and value will not become part of the > certificate requested, > and that the type of the public key can be specified by other, more > direct means: > by giving in the subjectPublicKeyInfo field an AlgorithmIdentifier > indicating > the key type and an empty subjectPublicKey BIT STRING. > > Hmm, I just realized that (as opposed to the certificate template > structure of CRMF), > the subject and subjectPublicKeyInfo fields are not optional. Yet we > can simply specify that > * in case the server has no requirements on the subject field, > it MUST provide a NULL-DN (which is the empty sequence of RDNs) > * in case it does not have requirements on the type of the public key, > it MUST provide an AlgorithmIdentifier with a NULL OID and empty > parameters. > > David > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] I-D Action: draft-ietf-lamps-rfc7030-csra… internet-drafts
- [lamps] New suggestion for a full and straightfor… David von Oheimb
- Re: [lamps] New suggestion for a full and straigh… Michael Richardson
- Re: [lamps] New suggestion for a full and straigh… David von Oheimb
- Re: [lamps] New suggestion for a full and straigh… David von Oheimb
- [lamps] Dates for Meeting - Re: New suggestion fo… David von Oheimb