IETF Logo Mail Archive

Re: [lamps] ASN.1 Module in draft-ietf-lamps-cmp-updates

Russ Housley <housley@vigilsec.com> Wed, 28 April 2021 16:50 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A82B3A1649 for <spasm@ietfa.amsl.com>; Wed, 28 Apr 2021 09:50:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RbPbgKiOK6o7 for <spasm@ietfa.amsl.com>; Wed, 28 Apr 2021 09:50:41 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 963493A1642 for <spasm@ietf.org>; Wed, 28 Apr 2021 09:50:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 0C09A300AF2 for <spasm@ietf.org>; Wed, 28 Apr 2021 12:50:40 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Q-iPP0KfMxhr for <spasm@ietf.org>; Wed, 28 Apr 2021 12:50:34 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id B8B0E3001B3; Wed, 28 Apr 2021 12:50:34 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <AM0PR10MB24188B3EE703B9921260AE25FE409@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
Date: Wed, 28 Apr 2021 12:50:35 -0400
Cc: LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5964C5FD-572B-4EA2-B571-41747EAE9FB6@vigilsec.com>
References: <A2268B02-A30E-4C6F-9C76-6BD726CA9C83@vigilsec.com> <AM0PR10MB24184DBE20BFD57CF29D90C8FE429@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <FB74A5AC-73AD-475F-80E4-336C2ECA72F1@vigilsec.com> <AM0PR10MB24188B3EE703B9921260AE25FE409@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
X-Mailer: Apple Mail (2.3445.104.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ya4wr_b3hPs8hqeZcco2bhC2feg>
Subject: Re: [lamps] ASN.1 Module in draft-ietf-lamps-cmp-updates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2021 16:50:46 -0000


> On Apr 28, 2021, at 12:27 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
> 
> 
>> Von: Russ Housley <housley@vigilsec.com>
>> 
>>> On Apr 26, 2021, at 2:52 AM, Brockhaus, Hendrik
>> <hendrik.brockhaus@siemens.com> wrote:
>>> 
>>> 
>>>> Von: Russ Housley <housley@vigilsec.com>
>>>> Gesendet: Freitag, 23. April 2021 20:06
>>>> 
>>>> Hendrik:
>>>> 
>>>> I do not understand how the AlgIdCtrl works.  Can you provide more
>>>> text in the document?  Is it about the subject public key?  Is it
>>>> about the signature algorithm to be used by the CA?
>>> 
>>> The purpose of AlgIdCtrl is to provide the algorithm specification the end
>> entity should use for generating its new key pair.
>>> We discussed the concept of the new controls in thread "dtaft-ietf-lamps-cmp-
>> updates and rsaKeyLen".
>>> 
>>> The current text is:
>>> 5.3.19.16.  Certificate Request Template
>>>  This MAY be used by the client to get a template containing
>>>  requirements for certificate request attributes and extensions and
>>>  optionally a specification for the key pair to generate for a future
>>>  certificate request operation.
>>> 
>>> I could change this to:
>>> 5.3.19.16.  Certificate Request Template
>>>  This MAY be used by the client to get a template containing
>>>  requirements for certificate request attributes and extensions.
>>>  The controls id-regCtrl-algId and id-regCtrl-rsaKeyLen MAY contain
>>>  details on the algorithms whose subject public key values the CA is
>>>  willing to certify.
>>> 
>>> Is this clearer?
>>> More details on the usage will be provided in the Lightweight CMP Profile
>> document.
>> 
>> Yes, but I would like to see another sentence about parameters.  With ECDSA,
>> for example, the parameters tell which curve the client should use.
>> 
> 
> I would propose to add the following text.
> 
> "The id-regCtrl-algId control MAY be used to identify a cryptographic algorithm, 
> see RFC 5820 Section 4.1.2.7, other than rsaEncryption. The algorithm field 
> SHALL identify the cryptographic algorithm. The contents of the optional 
> parameters field will vary according to the algorithm identified.
> 
> The id-regCtrl-rsaKeyLen control SHALL be used for algorithm rsaEncrytion and 
> SHALL contain the intended length of the RSA key."

This seems fine.  I might also say: For example, when the algorithm is set to id-ecPublicKey, the parameters identify the elliptic curve to be used [RFC5480].

Russ

v2.23.0 | Report a Bug | By Email