Re: [lamps] I-D Action: draft-ietf-lamps-rfc7030-csrattrs-05.txt
David von Oheimb <David.von.Oheimb@siemens.com> Fri, 28 July 2023 07:34 UTC
Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E7A0C15155A for <spasm@ietfa.amsl.com>; Fri, 28 Jul 2023 00:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OuZIQS05B1Tp for <spasm@ietfa.amsl.com>; Fri, 28 Jul 2023 00:34:03 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on2072.outbound.protection.outlook.com [40.107.13.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DA61C1519A9 for <spasm@ietf.org>; Fri, 28 Jul 2023 00:34:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WU+LK3+Ik4yQAcV1KQ7rvTc7RprSNKA83wLJiiphNUOmyVquznYWMboDXyaCFVdyWCjwf+mMgjdjjG0wMzXQDoABwpnoV3iMkHeQXdg09ORz6Hp8pEFMUwS5AaYMnjFp4fXMavn9Sz68V/u7SjMpp3TUgTGzHdYCkdj5NbftwvfFyaPvsI+lda0pUqU/aeLQgetGzAQ+6HXtfe+Zxvb8ITRRzTcY3qigmSQwjd6vqhZ1QsfhycuzGsX0TA4CpqWy40CjLzl6Xz+8r7oVJEvT/qg1ETBMWd+XUeQtC1hRyITkB8opv5AVXcGvFQKWCg7E2WfnWuxc75KH3BZiN1uvpg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=gVx01FhwE6CF9DZRqGy931qA9cLkHlfw3F6wRByqVl0=; b=X5NGvGOj88/JgqPrUbquptfcHeNlLjti3rPMHUZ55oOl8EjC/2C0rX57BlC7O29/m2jHkVMnzcsqLfHBtUfN9ZPuRrbyIQehoE/URxBnJfGkjDtaI0n+W/1EKhuTjUzDhvpb6Z+br3YxvlYP4hJNSN5GPkrFqO70zZhw/kagTTp7H6o4s9l2oie1wXKFluhtoLENOLtg/M6qRjfhWtQ4cOQEI5Xickh9CK5H3vKvBYgqV4kNFMhVNBYvYet7i6EXtdstx2lMoLd3igFjQKzVNIQoPY4SywgP7JsNorMvO4/er2X1zIDeU7UG9mBn2zcwGFkG6+V15bBZzfDSmHuC5w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 194.138.21.74) smtp.rcpttodomain=sn3rd.com smtp.mailfrom=siemens.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=siemens.com; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gVx01FhwE6CF9DZRqGy931qA9cLkHlfw3F6wRByqVl0=; b=YwjYCmdGXLBO2RVpafUnwlELyaff4Mz6Hp/870j+wxgpDNXbfgiSketUMsjOS+3FhcBJL46lOrIovkpQm9srHI3luHhULGcKrCS5m3KZperHhsBCzX/qsXNjph1KXLhRi1G/c91A7iSktDnoCr/o65JjhWvKMOY4O2oQ//J351ecShoQDhAQiNDjw7HxC4S/LADpCxdOXQ0noXGyJC39H2Hc1be62MApztW+gwmL9WCeVnZRqPVVYm8mkNlg9oIt4YUjyRrif1CAQla/WvlsBc4Uj21TfKAnKNyZZ44EYqyyk+iWOVhWP7oQ/b/t9dcdAeUKHP2vcRVpLi0BFfg0IA==
Received: from AS8P251CA0003.EURP251.PROD.OUTLOOK.COM (2603:10a6:20b:2f2::23) by GVXPR10MB5936.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:1::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6631.29; Fri, 28 Jul 2023 07:33:58 +0000
Received: from AM1PEPF000252DF.eurprd07.prod.outlook.com (2603:10a6:20b:2f2:cafe::ee) by AS8P251CA0003.outlook.office365.com (2603:10a6:20b:2f2::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6631.29 via Frontend Transport; Fri, 28 Jul 2023 07:33:58 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 194.138.21.74) smtp.mailfrom=siemens.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=siemens.com;
Received-SPF: Pass (protection.outlook.com: domain of siemens.com designates 194.138.21.74 as permitted sender) receiver=protection.outlook.com; client-ip=194.138.21.74; helo=hybrid.siemens.com; pr=C
Received: from hybrid.siemens.com (194.138.21.74) by AM1PEPF000252DF.mail.protection.outlook.com (10.167.16.57) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6631.22 via Frontend Transport; Fri, 28 Jul 2023 07:33:58 +0000
Received: from DEMCHDC8WAA.ad011.siemens.net (139.25.226.104) by DEMCHDC8VQA.ad011.siemens.net (194.138.21.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.16; Fri, 28 Jul 2023 09:33:57 +0200
Received: from [100.64.0.1] (194.138.14.36) by DEMCHDC8WAA.ad011.siemens.net (139.25.226.104) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.12; Fri, 28 Jul 2023 09:33:57 +0200
Content-Type: multipart/alternative; boundary="------------WPjWSkIykS1isnfCqfDFD0wB"
Message-ID: <bfd1ddd0-19fc-5450-aab5-bb01ea131a7f@siemens.com>
Date: Fri, 28 Jul 2023 09:33:53 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: de-DE, en-US
To: Sean Turner <sean@sn3rd.com>, Michael Richardson <mcr@sandelman.ca>
References: <168895202223.52838.11155599537784769876@ietfa.amsl.com> <791BDE36-F8A8-46B3-A062-6FEFA44F9FFD@sn3rd.com>
From: David von Oheimb <David.von.Oheimb@siemens.com>
CC: LAMPS <spasm@ietf.org>, Steffen Fries <Steffen.Fries@siemens.com>
In-Reply-To: <791BDE36-F8A8-46B3-A062-6FEFA44F9FFD@sn3rd.com>
X-Originating-IP: [194.138.14.36]
X-ClientProxiedBy: DEMCHDC8WAA.ad011.siemens.net (139.25.226.104) To DEMCHDC8WAA.ad011.siemens.net (139.25.226.104)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM1PEPF000252DF:EE_|GVXPR10MB5936:EE_
X-MS-Office365-Filtering-Correlation-Id: 03301f0f-cf2d-4a84-37d7-08db8f3d014a
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Jtf+Wcd4YomkFmX1pTQZpoWSO8qQOoVeHIVxdrVj0fDe9lUFm7y03NSU3eRvLItDhwooQ6KT9K/shqAADdAtkKni++2147ddbMxDbbomP9IwWhwQBCJuSGrmJkttGxG76W1hJRiaVXu72lRNskWedhHjdf5S0r3mwoRd0l9+XtbuZHLLg9pSgAuDYQjMMW65xCPOdB8ywikXv2LORK3jt2Uxgb8DfbmoS3pag8f/pVOjmlQVHs72lsW4acqdQNQTB9dcU8N5mpA86AQFfl3HTGGdJwKPvjZvFHqhsrmIkmyO3nmEw3Z+xQOrV/zkJz8+718hmrLU7uHpYFsjCBmCc9Yw3TgKN0dw28wqnNN71GAQ0YQa0+R2W6RUG/ce6haVxpfnJvUj4VYwVTg0PcM5dEsd9cmpaKBnsAV2FbtIgapbU4Grq+WxMKZgi6LjArCuGYTNgoSlR4B1x54FRB1a3XTiiNhAn0P7tngj53ehY9AaC6mOmC+vaAcjlTXnH9KXBsHkVDzyZe78usfkP2StCATaV6S3bb1PSybsD4DvUzQt6JfZn1V0TACgeN0Pdk7k/pRIaQUtekfLyivlHxRdli4OB835bvm1qjrtR3BgFV4CW4MiIFw8k6zde7A93rUAVidBbNObvfPiMyu0kSnvFsdUZs0urVKM0Ut0Bcl0cIxT2uaMjFdRQpT8MJcnGCW/JFJ5HVLpwP/mF4N11jwDiw/qmOiVao1N3VeWx7/AB87gUv8tkkdkYSDS8E+LXNn1
X-Forefront-Antispam-Report: CIP:194.138.21.74; CTRY:DE; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:hybrid.siemens.com; PTR:hybrid.siemens.com; CAT:NONE; SFS:(13230028)(4636009)(39860400002)(346002)(376002)(396003)(136003)(82310400008)(451199021)(46966006)(40470700004)(36840700001)(30864003)(86362001)(16576012)(41300700001)(2906002)(316002)(21615005)(5660300002)(8936002)(8676002)(36756003)(40460700003)(40480700001)(31696002)(966005)(166002)(53546011)(107886003)(26005)(7596003)(7636003)(33964004)(356005)(82740400003)(478600001)(6666004)(82960400001)(47076005)(83380400001)(16526019)(36860700001)(186003)(336012)(956004)(66574015)(31686004)(2616005)(6706004)(4326008)(70206006)(110136005)(54906003)(70586007)(43740500002); DIR:OUT; SFP:1101;
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Jul 2023 07:33:58.0006 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 03301f0f-cf2d-4a84-37d7-08db8f3d014a
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; Ip=[194.138.21.74]; Helo=[hybrid.siemens.com]
X-MS-Exchange-CrossTenant-AuthSource: AM1PEPF000252DF.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVXPR10MB5936
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yBRvduNEssj88GN3LnebwzDtZMo>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-rfc7030-csrattrs-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2023 07:34:07 -0000
Thanks Sean for pointing out the (to us authors surprising) overlap of our new proposal with RFC 8925 in yesterday's IETF 177 LAMPS session. A pity you could not make it to our online design meeting on July 5th, were we could have discussed this beforehand, and apparently you did not have a close look at my email of July 14th where I gave and explained all the details. On 28.07.23 00:51, Sean Turner wrote: > The RFC I mentioned at the mic was RFC 8925 [0]; looks in Appendix B. It proposed sticking a CSR template, which is a pKCS7PDU ATTRIBUTE, in csrattrs. > [0]https://datatracker.ietf.org/doc/rfc8295/ I meanwhile had a closer look at that appendix and related definitions in other RFCs (thanks Steffen for providing me helpful pointers). Yes, the general idea is quite the same. (BTW, as mentioned before, essentially the same idea is used also for CMP in https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#name-get-certificate-request-tem.) Yet the solution given in RFC 8925 differs from our new proposal in several respects, which include: 1. It allows giving a sequence of CSR templates, which presumably is not needed for the EST context (and at least so far not intended to support). 2. It also provides the possibility to give a CertReqMsg (in CRMF format), which is not needed in the EST context as it uses CSRs in PKCS#10 format only. 3. For both variants, it requires giving a full CSR structure, which in the PKCS#10 case implies mandatory inclusion of a public key and a self-signature. 4. For the PKCS#10 variant, the type is TaggedCertificationRequest (see definition in https://www.rfc-editor.org/rfc/rfc5272#section-3.2.1.2.1), which includes a bodyPartID field not needed for the EST use case. To me, point 3. makes the approach sketched in RFC 8925 Appendix B not really feasible or at least needlessly ugly, as the server side would have to use a fake/temporary key pair just to satisfy the structural requirements of PKCS#10. Note that our new proposal does not include a full (PKCS#10) CSR but just the "to-be-signed" part: CertificationRequestInfo ::= SEQUENCE { version INTEGER { v1(0) } (v1,...), subject Name, subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, attributes [0] Attributes{{ CRIAttributes }} } This way, we avoid the need to provide the (for the given use case) useless and awkward self-signature. Moreover, as not mentioned in detail in yesterday's talk, we also foresee the options to * either specify in the AlgorithmIdentifier of the subjectPKInfo field the type of the key pair the client side is requested use * or to give a NULL OID in this AlgorithmIdentifier to indicate that the server has no requirements on the key type. > Note that the appendix is informative and maybe not as detailed as it might have been. I support the idea of moving the idea to a normative section of a document! Pleased to hear! Indeed, our new proposal for the upcoming improvement of the CsrAttrs aspect of RFC 7030 is going to provide all detail needed for practical use - in particular, a specification of how the server shall specify that certain (sub-)values of certain CSR fields should be filled in by the client, basically as done already in https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#name-get-certificate-request-tem David >> On Jul 9, 2023, at 18:20,internet-drafts@ietf.org wrote: >> >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. This Internet-Draft is a work item of the Limited Additional >> Mechanisms for PKIX and SMIME (LAMPS) WG of the IETF. >> >> Title : Clarification of RFC7030 CSR Attributes definition >> Authors : Michael Richardson >> Owen Friel >> Dr. David von Oheimb >> Dan Harkins >> Filename : draft-ietf-lamps-rfc7030-csrattrs-05.txt >> Pages : 15 >> Date : 2023-07-09 >> >> Abstract: >> The Enrollment over Secure Transport (EST, RFC7030) is ambiguous in >> its specification of the CSR Attributes Response. This has resulted >> in implementation challenges and implementor confusion. >> >> This document updates RFC7030 (EST) and clarifies how the CSR >> Attributes Response can be used by an EST server to specify both CSR >> attribute OIDs and also CSR attribute values, in particular X.509 >> extension values, that the server expects the client to include in >> subsequent CSR request. >> >> The IETF datatracker status page for this Internet-Draft is: >> https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc7030-csrattrs/ >> >> There is also an HTML version available at: >> https://www.ietf.org/archive/id/draft-ietf-lamps-rfc7030-csrattrs-05.html >> >> A diff from the previous version is available at: >> https://author-tools.ietf.org/iddiff?url2=draft-ietf-lamps-rfc7030-csrattrs-05 >> >> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts >> >> >> _______________________________________________ >> I-D-Announce mailing list >> I-D-Announce@ietf.org >> https://www.ietf.org/mailman/listinfo/i-d-announce >> Internet-Draft directories:http://www.ietf.org/shadow.html >> orftp://ftp.ietf.org/ietf/1shadow-sites.txt > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] I-D Action: draft-ietf-lamps-rfc7030-csra… internet-drafts
- Re: [lamps] I-D Action: draft-ietf-lamps-rfc7030-… Sean Turner
- Re: [lamps] I-D Action: draft-ietf-lamps-rfc7030-… David von Oheimb
- Re: [lamps] I-D Action: draft-ietf-lamps-rfc7030-… Michael Richardson