IETF Logo Mail Archive

[lamps] Advertising S/MIME capabilities in a certificate?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 November 2019 14:08 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800AB120116 for <spasm@ietfa.amsl.com>; Fri, 22 Nov 2019 06:08:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.407
X-Spam-Level:
X-Spam-Status: No, score=-0.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=BBcWN8p6; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=kQ3BbzaS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ED97A_i0uWQ4 for <spasm@ietfa.amsl.com>; Fri, 22 Nov 2019 06:08:55 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F8BB1200B9 for <spasm@ietf.org>; Fri, 22 Nov 2019 06:08:55 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1574431733; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=Lky2/DYBanvlInpcH4kT2nDbacpK4dBftR2yoR6QKqQ=; b=BBcWN8p6rHEfKN6RodbO9Y6EXnJwGyOWX20nzgXts5eCDsyKF8bOQKo1 eXFyaL2ys2yHm3uiB4awPbJqIvoRAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1574431733; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=Lky2/DYBanvlInpcH4kT2nDbacpK4dBftR2yoR6QKqQ=; b=kQ3BbzaSw8WAh/yLfwDy7T0BiYh0vDQzQViNYZYFL5gbg6dL8gDSFCXi xRBnPXpESLIfACiVEC11BVPIZX0t+l24vdXtOtl1V/CTolBscblCuJxZXh PldYgkGtFdRKTomhsfbAcX6dFY2bgfgySDG+yO8OpsL8sgsr5LzQ+JHTJR 84LelRjtO11vDXJadjon0h4OJMQbpb8E0LF1oDo+r++TzTzsap+bwUsr8Q QtCrR4mvCxQXfzT1qs9f1eVOj0fQv/npYFgzGSAQ7jBzsmK2d5E87WZ0Yz gI1HFD5cIkmvhAj+yJLiXKp5xzCrS1DaZm7r1BD3JSjxJ4zjAGKYwA==
Received: from fifthhorseman.net (unknown [103.137.210.139]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 76C12F9AF for <spasm@ietf.org>; Fri, 22 Nov 2019 09:08:51 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 997B4204D2; Fri, 22 Nov 2019 19:07:53 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: LAMPS WG <spasm@ietf.org>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Fri, 22 Nov 2019 19:07:53 +0800
Message-ID: <87blt4i2ye.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vZbQBc5kds9ZIsRxzrPifBRRanw>
Subject: [lamps] Advertising S/MIME capabilities in a certificate?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 14:08:57 -0000

Hi folks--

It occurs to me that i'd like at least one of the certificates in
https://www.ietf.org/id/draft-dkg-lamps-samples-01.html to announce some
SMIMECapabilities.  For example, maybe it could advertise that it is
capable of handling a PKCS#7 Compression layer?  Or that it is capable
of processing authEnveloped-data?

However, reading RFC 8551 and related specs i realize how rusty my ASN.1
is (and my knowledge of CMS is so paltry that there was never even
enough of it to rust).

It looks to me like S/MIME capabilities are never advertised in the cert
itself, but rather expected to be included as a signedAttribute in a
signedData object.  Is that right?  Is there no way that the
advertisement can be included in the certificate?

I suppose if the advertisement could be included in both the signedData
object *and* the certificate itself then the algorithm in §2.7.1 of RFC
8551 would need to be much more complicated.

Any pointers or examples would be welcome,

              --dkg

v2.23.0 | Report a Bug | By Email