Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 21 September 2020 16:02 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
Thread-Topic: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen
Thread-Index: AQHWi6YYHaZzdnX6XEOInEZKE7MbAalqzO3QgAByT4CAAvhy8IAAMHuAgATELwA=
Content-Class:
Date: Mon, 21 Sep 2020 16:02:49 +0000
Message-ID: <AM0PR10MB241834D3212142CE41D2F347FE3A0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
References: <AM0PR10MB2418651EF480383C1FBAD448FE440@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <ECF4A046-3690-4B8A-9851-935CDACA89C2@vigilsec.com> <AM0PR10MB241896142536A43A77C92C05FE210@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <CFB4BA33-4F63-4825-A5D6-DA3D6A4F721E@vigilsec.com> <AM0PR10MB2418EE32B86335DEADEBB2C8FE3F0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <A997BF81-E150-46F9-8D02-1E5125BB391F@vigilsec.com>
In-Reply-To: <A997BF81-E150-46F9-8D02-1E5125BB391F@vigilsec.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-09-21T16:02:47Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=9b2432ae-a827-4060-9e3a-794de9276bb7; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
authentication-results: vigilsec.com; dkim=none (message not signed) header.d=none;vigilsec.com; dmarc=none action=none header.from=siemens.com;
x-originating-ip: [165.225.200.169]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 267d97a8-c181-43a0-5c1a-08d85e47ca0a
x-ms-traffictypediagnostic: AM9PR10MB4037:
x-ld-processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM9PR10MB40377A9A9ADCAE118016AB97FE3A0@AM9PR10MB4037.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eSr2vS6R2O4pKr10HV/sCs/j+QFNJxQPbTST7DIte/AhC9NSSD8Qqcmj1qJKwBb819tnDgleulnkiNWWV4A5QQbT17dSQkMj0nntsE8tlIvOYpk7NJEUxwKJz8vJMK4ZmgpR3QWyVLqlu8jaCzad2PCTQtftBfM+1hbKOqtIkZWAOZHHb4BzsbWgZI9AdT/udj/BmwcOYGxRqFgXGWO5gkRnhyCdGtd4bjvQ6K9LmEFSzcUEClat0OJVqrIngxfAZGpMMrL5DGP8e0QF5QYZznqWbKoVui0+y07A0Lo5gWKrWPEKjc5BwmG5XcBzRjwf1dp9Xufz4HriE99ckd1LSw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(39860400002)(366004)(376002)(136003)(316002)(2906002)(86362001)(33656002)(8676002)(8936002)(66946007)(76116006)(55236004)(6506007)(7696005)(5660300002)(52536014)(66556008)(9686003)(55016002)(4326008)(107886003)(66476007)(6916009)(71200400001)(54906003)(26005)(186003)(478600001)(66446008)(64756008)(66574015); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: yryTMHIszk2pQVNHHmCRrU1bHXx3nl9OlHh09S2vWwF3LQpFUchfjOOaA1jmvsTROm/zfHpV99azMQ+in+gSVtz6hP4uDdlMa9GiYqEB35P8RWTmyLjCye86cFT8uHJ9RCnWvN5hf9clsGoPAH0FElIZekfmdPCCrSvGEqL+77o7utCEL/rfV9+k5oe5WwO91WegCnXr23uSEqMNbVEcR4LQuUK9icGY+umsWgmKdF6PBo/sgemniKauVRgZZ9tFNRuRNGvVSWq1t6InYuP0wobTr92lU6SAVbd1MuIpjU2i0F4xCGoHRmlkXAmSpu6Gsx/IIR+M3JCJe7ABW63Yasxr4ohfm/+E+GFN+yu1TigoKh/ZYrdZsgJ4n/VxxopVcmvsT/Y6PfahLGiMEFMfAg/JCjM16WK7jcobKbHdMPp8ZbHfcCJhwiCh6Y3x6/5PheXZcqIozMbN8YOr+jWAWIX7zhAHs20jun83stXpxv+3LOTmATTT5i2jNXGN1Kq2YDl242vhfkf5oMT1pJ8Fx0e3MDocQ7ygikzhjuo0Z+aROzSZTz0Il6m0QjEf+1mdKOki/I3eT7jS7DgAl/NYT24RSzlGTJn2zdmRKoiQ/HmrxT1IxpABHo5N5R1TiuDhqWwQ4xzYR+yVxxnzRY1EBA==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 267d97a8-c181-43a0-5c1a-08d85e47ca0a
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Sep 2020 16:02:49.6701 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Y3egEPyLlKEiw3AsQnuJdQ7d/58np07GRbpIMGU7ptpVqDBIc5hr8JDGqsYBJzz8t22QMm2ZFg8TYNCwZToN2xJf8/Wi59TZG+uHicicFiQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9PR10MB4037
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UukG4Iyj1kgy0NOwDgjF5hZcbmg>
Subject: Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2020 16:02:55 -0000

Russ:

> -----Ursprüngliche Nachricht-----
> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Russ Housley
> 
> Hendrik:
> 
> > Right, a genRep can carry a sequence of InfoTypeAndValue and therefore a
> sequence of offered algorithms.
> > - In the case of 5.3.19.2 it could be a number of id-ecPublicKey structures.
> > - In the case of id-it-certReqTemplate (Lightweight CMP Profile, Section 4.4.4)
> we did not allow this case, but yes, we could change Lightweight CMP Profile
> Section 4.4.1 accordingly to offer it.
> > I can add a sentence to RFC 4210 Section 5.3.20 to explicitly state that several
> InfoTypeAndValues of the same type are allowed.
> > Did I get your suggestion right?
> 
> That seems like a fine way to move forward.
> 

I agree. 
But I just think I caused a little confusion above. I will try to sort this out:
- 5.3.19.2 and 5.3.19.3 already allow for a list of AlgorithmIdentifier. This should be fine except that one cannot specify RSA key lengths this way.
- If id-it-certReqTemplate uses the new Controls element (instead of rsaKeyLen) it also allows specifying several AlgorithmIdentifier elements and in addition also several RSA key lengths.
Therefore I feel like there is no need to add a note to 5.3.20 to point out that it is allowed to return several InfoTypeAndValue elements of same type but different values.
Do we have the same understanding?

- Hendrik

[lamps] dtaft-ietf-lamps-cmp-updates add section … Brockhaus, Hendrik
Re: [lamps] dtaft-ietf-lamps-cmp-updates add sect… Fries, Steffen
[lamps] dtaft-ietf-lamps-cmp-updates and rsaKeyLen Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Tomas Gustavsson
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Brockhaus, Hendrik
Re: [lamps] dtaft-ietf-lamps-cmp-updates and rsaK… Russ Housley