Re: [stir] x5u

Alec Fenichel <alec.fenichel@transnexus.com> Mon, 18 March 2024 08:35 UTC


The “.cer” file extension is generally (though not always) used for DER certificate format, not PEM certificate format. 

So the example x5u URL here <https://www.ietf.org/archive/id/draft-ietf-stir-certificates-ocsp-07.html#name-ocsp-staple-passport-elemen> should not end in “.cer”. It should end in “.pem”. 

Sincerely, 

Alec Fenichel 
Chief Technology Officer 
TransNexus <https://transnexus.com/> 
alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com> 


+1 (404) 369-2407 <tel:+14043692407> 

From: stir <stir-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
Date: Monday, March 18, 2024 at 04:10
To: IETF STIR Mail List <stir@ietf.org>
Subject: [stir] x5u 

RFC 5715 says:

4.1.5. "x5u" (X.509 URL) Header Parameter

The "x5u" (X.509 URL) Header Parameter is a URI [RFC3986] that refers
to a resource for the X.509 public key certificate or certificate
chain [RFC5280] corresponding to the key used to digitally sign the
JWS. The identified resource MUST provide a representation of the
certificate or certificate chain that conforms to RFC 5280 [RFC5280]
in PEM-encoded form, with each certificate delimited as specified in
Section 6.1 of RFC 4945 [RFC4945]. The certificate containing the
public key corresponding to the key used to digitally sign the JWS
MUST be the first certificate. This MAY be followed by additional
certificates, with each subsequent certificate being the one used to
certify the previous one. The protocol used to acquire the resource
MUST provide integrity protection; an HTTP GET request to retrieve
the certificate MUST use TLS [RFC2818] [RFC5246]; and the identity of
the server MUST be validated, as per Section 6 of RFC 6125 [RFC6125].
Also, see Section 8 on TLS requirements. Use of this Header
Parameter is OPTIONAL.

And, RFC 4945 says:

6.1. Certificates

Certificates MUST be Base64 [19] encoded and appear between the
following delimiters:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

An example of a file that uses this encoding is here:

https://www.ietf.org/enc/verifybundle.pem

Russ

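The thread turns on two checks a verifier can make on whatever an x5u URL returns: the body must be the PEM form RFC 7515 requires (one or more certificates between the RFC 4945 `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` delimiters, signer first), and the file extension in the URL should not be trusted to tell you the encoding. The script below is an added illustration, not code from the draft, TransNexus, or anyone on the list. It sniffs the body (outer ASN.1 SEQUENCE for DER, delimited Base64 for PEM), splits a PEM bundle into its DER blobs in order, and reports mismatches between content and extension plus a missing `https` scheme. The sample "certificates" are constructed five-byte DER SEQUENCEs, not real X.509 certificates; `example.invalid` URLs are placeholders.

```python
"""Classify an x5u response body as PEM or DER and flag extension/scheme
mismatches. Added illustration; not code from draft-ietf-stir-certificates-ocsp."""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlparse

# RFC 4945 section 6.1 delimiters; DOTALL so the Base64 body may span lines.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed samples: a DER SEQUENCE holding INTEGER 1 (resp. 2).
# These are valid DER but are NOT certificates; they only exercise the parser.
SAMPLE_DER_1 = b"\x30\x03\x02\x01\x01"
SAMPLE_DER_2 = b"\x30\x03\x02\x01\x02"
SAMPLE_PEM_BUNDLE = (
    b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
)


def der_total_length(data: bytes) -> Optional[int]:
    """Total encoded length of the outer ASN.1 SEQUENCE, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """True when the whole buffer is exactly one DER SEQUENCE."""
    return der_total_length(data) == len(data)


def split_pem_chain(body: bytes) -> List[bytes]:
    """DER blobs for each delimited certificate, in the order they appear.
    RFC 7515 requires the signer's certificate to be first; binding that
    to the JWS key needs a real X.509 parser and is outside this script."""
    certs = []
    for match in PEM_CERT_RE.finditer(body):
        b64 = re.sub(rb"\s+", b"", match.group(1))
        try:
            certs.append(base64.b64decode(b64, validate=True))
        except binascii.Error as exc:
            raise ValueError("malformed Base64 inside PEM delimiters") from exc
    return certs


def classify_body(body: bytes) -> str:
    """'der', 'pem', or 'unknown' based on content, never on file name."""
    if looks_like_der(body):
        return "der"
    try:
        chain = split_pem_chain(body)
    except ValueError:
        return "unknown"
    if chain and all(looks_like_der(c) for c in chain):
        return "pem"
    return "unknown"


def check_x5u(url: str, body: bytes) -> List[str]:
    """Findings for an x5u URL and the body fetched from it (empty = clean)."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        findings.append("x5u must be fetched over TLS (https); got scheme "
                        f"{parsed.scheme!r}")
    kind = classify_body(body)
    if kind != "pem":
        findings.append(f"body is {kind}; RFC 7515 x5u requires PEM")
    last_segment = parsed.path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if ext == "cer" and kind == "pem":
        findings.append(".cer extension suggests DER, but body is PEM")
    if ext == "pem" and kind == "der":
        findings.append(".pem extension, but body is raw DER")
    return findings


if __name__ == "__main__":
    for u, b in [("https://example.invalid/chain.pem", SAMPLE_PEM_BUNDLE),
                 ("https://example.invalid/chain.cer", SAMPLE_PEM_BUNDLE),
                 ("https://example.invalid/chain.pem", SAMPLE_DER_1)]:
        print(u, "->", check_x5u(u, b) or "ok")
```

Sniffing the body rather than the extension matters on the verification side: a verifier that picks its decoder from ".cer" versus ".pem" will reject a conforming PEM resource or accept a non-conforming DER one, and neither failure is visible from the URL alone.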