IETF Logo Mail Archive

Re: [TLS] TLS grammar checker?

Carl Wallace <carl@redhoundsoftware.com> Fri, 21 June 2013 21:38 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBA7521F9E27 for <tls@ietfa.amsl.com>; Fri, 21 Jun 2013 14:38:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.566
X-Spam-Level:
X-Spam-Status: No, score=-0.566 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_ASCII_ART_SPACINGc=0.833, J_CHICKENPOX_19=0.6, J_CHICKENPOX_44=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RZR0AobDjia3 for <tls@ietfa.amsl.com>; Fri, 21 Jun 2013 14:38:15 -0700 (PDT)
Received: from mail-qc0-x229.google.com (mail-qc0-x229.google.com [IPv6:2607:f8b0:400d:c01::229]) by ietfa.amsl.com (Postfix) with ESMTP id 80DAA21F9E11 for <tls@ietf.org>; Fri, 21 Jun 2013 14:38:15 -0700 (PDT)
Received: by mail-qc0-f169.google.com with SMTP id c10so5059969qcz.14 for <tls@ietf.org>; Fri, 21 Jun 2013 14:38:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:x-mailer:from:subject:date :to:x-gm-message-state; bh=Il8PSvKLAoSqthF89DQsacshqMTyGVEtUFHzMKClU2g=; b=cOL8N3cBObSrTnjkZCLQZOOHhM/LLdINeUhLTo7u76laDESfJi2RnnTV5Mwlx01pvL R8C1tknsevMcbrkk668b593kXB4tOUp1H2phpGGOapEivT+IPb0w9DOOfjuC+VI2X8Pg qlz5F7E1zlVDirr1HYqKiA5oFLRz2d8t3AJjsiN1QqcvIQgAc2rqt133YgmJ0WfasqpY xr/HvWVs5y15Dgm2bSIwA06qs6AN3b6q+l+9GETWiGPvd/ZEqzlGlD5oLJSRGsFT5uEq ts7rP0NERndEIBvO/G7Zqaa2wVuC3yINAkyuow6tMR/33Aw84pz9Lq0Fpmsvo+FkYuIR phag==
X-Received: by 10.49.35.65 with SMTP id f1mr7614262qej.72.1371850694887; Fri, 21 Jun 2013 14:38:14 -0700 (PDT)
Received: from [10.226.70.81] (209.sub-174-236-199.myvzw.com. [174.236.199.209]) by mx.google.com with ESMTPSA id 15sm8826428qaa.9.2013.06.21.14.38.06 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Jun 2013 14:38:14 -0700 (PDT)
References: <20130621213358.0235D1A842@ld9781.wdf.sap.corp>
Mime-Version: 1.0 (1.0)
In-Reply-To: <20130621213358.0235D1A842@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <09A2DAED-00A3-4A6C-83F4-1AB80619F691@redhoundsoftware.com>
X-Mailer: iPhone Mail (10B146)
From: Carl Wallace <carl@redhoundsoftware.com>
Date: Fri, 21 Jun 2013 17:38:03 -0400
To: "mrex@sap.com" <mrex@sap.com>
X-Gm-Message-State: ALoCoQlnl4N2idYaCip6AMZiB5td2bvdePuYIWK5qCtj3hys/XNoAVI5otxN0582FZL7hkjLnPEA
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] TLS grammar checker?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jun 2013 21:38:24 -0000

See RFC5911 and RFC5912.  Those provide a nice collection. 

On Jun 21, 2013, at 5:33 PM, mrex@sap.com (Martin Rex) wrote:

> the most appropriate guidance is probably in X.208-1988 Section 32,
> but the source of the original confusion is from where the information
> originally comes from, that OCSP conveys in these fields.
> 
> When the mentioned OCSP elements originate from X.509 and PKIX CRLs,
> then from an element that is defined as (e.g. rfc5280 page 17):
> 
>   Time ::= CHOICE {
>        utcTime        UTCTime,
>        generalTime    GeneralizedTime }
> 
> and the CRL definition (rfc5280, page 56):
> 
>   CertificateList  ::=  SEQUENCE  {
>        tbsCertList          TBSCertList,
>        signatureAlgorithm   AlgorithmIdentifier,
>        signatureValue       BIT STRING  }
> 
>   TBSCertList  ::=  SEQUENCE  {
>        version                 Version OPTIONAL,
>                                     -- if present, MUST be v2
>        signature               AlgorithmIdentifier,
>        issuer                  Name,
>        thisUpdate              Time,
>        nextUpdate              Time OPTIONAL,
>        revokedCertificates     SEQUENCE OF SEQUENCE  {
>             userCertificate         CertificateSerialNumber,
>             revocationDate          Time,
>             crlEntryExtensions      Extensions OPTIONAL
>                                      -- if present, version MUST be v2
>                                  }  OPTIONAL,
>        crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
>                                      -- if present, version MUST be v2
>                                  }
> 
> But the real problem really isn't about whether you can find something
> intelligible hidden somewhere in some X.something document, but how
> clear will this be to an average implementor.  And on this particular
> account, ASN.1 is a real nightmare.
> 
> 
> -Martin
> 
> 
> Martin Rex wrote:
>> Kemp, David P. wrote:
>>> Of all the possible criticisms of ASN.1, this doesn't seem to be
>>> among them.  X.680 is unambiguous - the year MUST be 4 digits:
>> 
>> Your answer is way off the target.
>> 
>> I didn't ask about what to send out, but what to accept(!) and why.
>> 
>> rfc2560 OSCP is based on X.690-1994:
>>   http://tools.ietf.org/html/rfc2560#section-6
>> 
>>   [X.690]   ITU-T Recommendation X.690 (1994) | ISO/IEC 8825-1:1995,
>>             Information Technology - ASN.1 encoding rules:
>>             Specification of Basic Encoding Rules (BER), Canonical
>>             Encoding Rules (CER) and Distinguished Encoding Rules
>>             (DER).
>> 
>> If you search X.680 from 1994 for GeneralizedTime, it only says that it
>> is a reserved keyword (therefore useless for the question at hand).
>> 
>> In order to figure out what to **ACCEPT**, you have to refer to the
>> original specifcation exclusively.
>> 
>> 
>> Your quote seems to be from X.680 2008.
>> 
>> -Martin
>> 
>>> 
>>>  46.3 The type is defined, using ASN.1, as follows:
>>>      GeneralizedTime ::= [UNIVERSAL 24] IMPLICIT VisibleString
>>>      with the values of the VisibleString restricted to strings
>>>      of characters which are either:
>>>          a) a specification of a calendar date followed by a local
>>>             time, consisting of:
>>>             1) a string representing the calendar date, as specified
>>>                in ISO 8601, 4.1.2.2 - Basic format); followed by:
>>> 
>>>                 NOTE 1 - This specifies a four-digit representation
>>>                 of the year, a two-digit representation of the month
>>>                 and a two-digit representation of the day, without
>>>                 use of separators.
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> 
>>> To illustrate one of my many problems with ASN.1 complexity and lack
>>> of clarity, I was recently wondering on OCSP, whether it is permissible
>>> or not _on_receipt_ when the "RevodedInfo->revocationTime" element
>>> 
>>>   http://tools.ietf.org/html/rfc2560#page-9
>>> 
>>> or the CRL Extension "CRL References" "CrlID->crlTime" element
>>> 
>>>   http://tools.ietf.org/html/rfc2560#section-4.4.2
>>> 
>>> contains a date&time with only 2-year, where exactly in ASN.1 it is
>>> described how the receiver ought to be implemented, and whether
>>> support for 2-digit years in GeneralizedTime is a "MAY", "SHOULD NOT"
>>> or "MUST NOT".
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email