[TLS] Re: ASN.1 in draft-ietf-tls-trust-anchor-ids
David Benjamin <davidben@google.com> Wed, 14 May 2025 21:50 UTC
References: <02C4002B-5DEF-4FAB-AF1A-496AF83D746F@vigilsec.com> <677527EA-3E8A-46B1-88A3-8F83CA480A81@vigilsec.com>
In-Reply-To: <677527EA-3E8A-46B1-88A3-8F83CA480A81@vigilsec.com>
From: David Benjamin <davidben@google.com>
Date: Wed, 14 May 2025 17:50:06 -0400
Message-ID: <CAF8qwaB0FD3A-ALL9uDy1XYJKtJfyE5P7NsuN3vn2UZMKA3UCA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
CC: draft-ietf-tls-trust-anchor-ids@ietf.org, IETF TLS <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I55_RgRGYWOBrLgP4qZjbaYP6p0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
Whoops, I cut a new version just to snapshot an old "identifier" -> "ID"
change hanging around in GitHub before I saw this message! Just replying to
acknowledge this and that I did not ignore it intentionally! Will add this
to the document, probably tomorrow. Thanks for putting that together!
On Mon, May 12, 2025 at 6:51 PM Russ Housley <housley@vigilsec.com> wrote:
> In addition, you could mandate that the extension can never be critical:
>
>    ext-trustAnchorIdentifier EXTENSION ::= {
>      SYNTAX TrustAnchorIdentifier
>      IDENTIFIED BY id-pe-trustAnchorIdentifier
>      CRITICALITY { FALSE } }
>
> Russ
>
> > On May 12, 2025, at 4:44 PM, Russ Housley <housley@vigilsec.com> wrote:
> >
> > Please include a full ASN.1 module in the document that follows the RFC
> 5912 conventions for defining extensions. I have attached it.
> >
> > I have assumed that the module identifier and the OID for the extension
> will be assigned from the PKIX registries.
> >
> > Russ
> >
> > = = = = = = =
> >
> > <CODE BEGINS>
> >    TrustAnchorIdentifiers-2025
> >      { iso(1) identified-organization(3) dod(6) internet(1)
> >        security(5) mechanisms(5) pkix(7) id-mod(0)
> >        id-mod-TrustAnchorIdentifiers-2025(TBD1) }
> >
> >    DEFINITIONS EXPLICIT TAGS ::=
> >    BEGIN
> >
> >    IMPORTS
> >      EXTENSION
> >      FROM PKIX-CommonTypes-2009 -- From [RFC5912]
> >        { iso(1) identified-organization(3) dod(6)
> >          internet(1) security(5) mechanisms(5) pkix(7)
> >          id-mod(0) id-mod-pkixCommon-02(57) };
> >
> >    -- Trust Anchor Identifiers Certificate Extension
> >
> >    ext-TrustAnchorIdentifiers EXTENSION ::= {
> >      SYNTAX TrustAnchorIdentifier
> >      IDENTIFIED BY id-pe-trustAnchorIdentifier }
> >
> >    id-pe-trustAnchorIdentifier OBJECT IDENTIFIER ::= { TBD2 }
> >
> >    TrustAnchorIdentifier ::= RELATIVE-OID
> >
> >    END
> > <CODE ENDS>
> >
>
>
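The module above says what the extension looks like on the wire: an X.509 Extension whose extnValue wraps a single RELATIVE-OID (UNIVERSAL tag 13), and, with Russ's CRITICALITY { FALSE } addition, one that may never be marked critical. The following is an added example, not code from the draft, from Russ's module or from any implementation, that encodes and parses exactly that structure with only the Python standard library. Because id-pe-trustAnchorIdentifier is still TBD2, the extension OID is a parameter; the demo passes 2.999, the ITU-T arc reserved for examples, and uses 32473.1 as a constructed trust anchor ID (32473 is the enterprise number IANA reserves for documentation). The parser enforces two things a verifier cares about: it rejects critical=TRUE instead of tolerating it, and it rejects non-minimal base-128 arcs and an explicit critical=FALSE, both of which DER forbids and both of which would otherwise let one identifier have several byte encodings when it is matched against a trust store.

```python
"""DER encode/decode for the TrustAnchorIdentifier extension (added example).

Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }, where extnValue holds TrustAnchorIdentifier ::= RELATIVE-OID.
The extension OID (TBD2 in the draft) is taken as a parameter; 2.999 below is the
ITU-T example arc, used only as a stand-in.
"""

def _base128(n: int) -> bytes:
    """One arc as big-endian base-128 groups with continuation bits (X.690 8.19)."""
    if n < 0:
        raise ValueError("arc must be non-negative")
    groups = [n & 0x7F]
    n >>= 7
    while n:
        groups.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(groups))

def _der_length(n: int) -> bytes:
    """Definite-length DER length octets; short form below 128."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, contents: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(contents)) + contents

def encode_relative_oid(dotted: str) -> bytes:
    """TrustAnchorIdentifier ::= RELATIVE-OID, e.g. "32473.1" -> 0d 04 81 fd 59 01."""
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(0x0D, b"".join(_base128(a) for a in arcs))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER; the first two arcs fold into one subidentifier (X.690 8.19.4)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID prefix")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)

def encode_extension(extn_oid: str, trust_anchor_id: str, critical: bool = False) -> bytes:
    """Build the Extension SEQUENCE. DER omits critical when it equals DEFAULT FALSE."""
    parts = [encode_oid(extn_oid)]
    if critical:  # only useful for negative tests; the draft forbids a critical instance
        parts.append(_tlv(0x01, b"\xff"))
    parts.append(_tlv(0x04, encode_relative_oid(trust_anchor_id)))
    return _tlv(0x30, b"".join(parts))

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos; returns (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length (not DER)")
        pos += n
    contents = buf[pos:pos + length]
    if len(contents) != length:
        raise ValueError("truncated contents")
    return tag, contents, pos + length

def _decode_arcs(body: bytes) -> list[int]:
    """Split base-128 subidentifiers; a leading 0x80 octet is a non-minimal, non-DER form."""
    arcs, cur, in_arc = [], 0, False
    for b in body:
        if not in_arc and b == 0x80:
            raise ValueError("non-minimal arc encoding")
        cur, in_arc = (cur << 7) | (b & 0x7F), True
        if not b & 0x80:
            arcs.append(cur)
            cur, in_arc = 0, False
    if in_arc or not arcs:
        raise ValueError("truncated or empty arc list")
    return arcs

def decode_relative_oid(der: bytes) -> str:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x0D or end != len(der):
        raise ValueError("expected a single RELATIVE-OID")
    return ".".join(map(str, _decode_arcs(body)))

def _decode_oid_body(body: bytes) -> str:
    arcs = _decode_arcs(body)
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def parse_extension(der: bytes, expected_oid: str) -> str:
    """Validate an Extension and return its TrustAnchorIdentifier in dotted form.

    Enforces CRITICALITY { FALSE }: critical=TRUE is rejected rather than tolerated,
    and an explicit critical=FALSE is rejected because DER requires it to be omitted.
    """
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected Extension SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06 or _decode_oid_body(oid_body) != expected_oid:
        raise ValueError("unexpected extnID")
    tag, val, pos = _read_tlv(seq, pos)
    if tag == 0x01:
        if val == b"\xff":
            raise ValueError("trustAnchorIdentifier MUST NOT be critical")
        raise ValueError("critical FALSE must be omitted in DER" if val == b"\x00" else "bad BOOLEAN")
    if tag != 0x04 or pos != len(seq):
        raise ValueError("expected extnValue OCTET STRING with no trailing data")
    return decode_relative_oid(val)

if __name__ == "__main__":
    ext = encode_extension("2.999", "32473.1")
    print(ext.hex(), "->", parse_extension(ext, "2.999"))
```

The strictness in `_decode_arcs` and `_read_tlv` is the part worth keeping in a real implementation: a trust anchor ID is compared byte-for-byte or arc-for-arc against a configured list, so accepting 80 01 as the arc 1 would let a certificate carry an identifier that prints the same as a trusted one while no longer being the same DER value, and any code that hashes or caches on the raw encoding would then disagree with code that compares the decoded arcs.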