IETF Logo Mail Archive

Re: [Trans] Alternate formats for Precertificates

Melinda Shore <melinda.shore@gmail.com> Wed, 26 February 2014 17:30 UTC

Return-Path: <melinda.shore@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B21141A01EB for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 09:30:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJBtmfI0QVBO for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 09:30:04 -0800 (PST)
Received: from mail-yh0-x233.google.com (mail-yh0-x233.google.com [IPv6:2607:f8b0:4002:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 183DD1A06CB for <trans@ietf.org>; Wed, 26 Feb 2014 09:29:56 -0800 (PST)
Received: by mail-yh0-f51.google.com with SMTP id b6so742472yha.10 for <trans@ietf.org>; Wed, 26 Feb 2014 09:29:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=GTH6bDbJKGDSnzarPvHed893fLXomHpBa4DQHI/aLQE=; b=AFPg1kXAUEto59gD1PW3egpjq4kh94nA/ExsC/kFTrV5m4BskEX8JZD2xXH9ydIqMO Mkmt5qa2t8t3d6l4NROfkKT22hi4cj8RVDUgIaJl81unbMXEGnNyeOIWxk4KZ5WE+04R cVnupXxhWSR9+0xDo923QUESAqOUPPtQBeYaJRB6RXCYiqnw6cTsy96FBRPqsDOnnSth /zQATK/2l5K7g8qIws3hyqI2++L/sW9A+SMZIfoRPR/CjNfIU4zzlMhrSB/pUA1vInd0 D2Sk5BYl2rP75KNbD2cALOdaSsrvp05U8/FyPWJ7XTZppcB1ua2iJIEMvyhhojxOehoN h9lA==
MIME-Version: 1.0
X-Received: by 10.236.19.11 with SMTP id m11mr2590772yhm.154.1393435795671; Wed, 26 Feb 2014 09:29:55 -0800 (PST)
Received: by 10.170.186.70 with HTTP; Wed, 26 Feb 2014 09:29:55 -0800 (PST)
Received: by 10.170.186.70 with HTTP; Wed, 26 Feb 2014 09:29:55 -0800 (PST)
In-Reply-To: <530E1AD0.9020401@primekey.se>
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com> <530E100A.7040503@primekey.se> <530E142A.90007@comodo.com> <530E16CD.6030908@primekey.se> <CABrd9SR1S7Fg5Xs_dkgou3HfF4O_hyzFxW4qS=-2eti7DmGZew@mail.gmail.com> <530E1AD0.9020401@primekey.se>
Date: Wed, 26 Feb 2014 08:29:55 -0900
Message-ID: <CAKRbAfCPNPsrQkVGe+3LirF1OZc+7+DfBMJpa3uJVJ5MtbG0KA@mail.gmail.com>
From: Melinda Shore <melinda.shore@gmail.com>
To: Tomas Gustavsson <tomas@primekey.se>
Content-Type: multipart/alternative; boundary="089e016350509e512e04f3528d72"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/-OcAgGAsMJYu2HtG3Q9fq-ZT440
Cc: Ben Laurie <benl@google.com>, trans@ietf.org
Subject: Re: [Trans] Alternate formats for Precertificates
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 17:30:10 -0000

On Feb 26, 2014 7:48 AM, "Tomas Gustavsson" <tomas@primekey.se> wrote:
>
>
> <snip>
>
>
>>>>>
>>>>> I don't know why I did not think of this earlier, since I use it all
the
>>>>> time. CMP with CRMF is used in many systems in production. Card
>>>>> management, LTE base stations (3GPP standardization), some routers
etc.
>>>>>
>>>>> Re-using existing RFC always feels good :-)
>>>>
>>>>
>>>>
>>>> RFC4211 says:
>>>>     "The fields of CertRequest have the following meaning:
>>>>         ...
>>>>         serialNumber MUST be omitted.  This field is assigned by the CA
>>>>         during certificate creation.
>>>>
>>>>         signingAlg MUST be omitted.  This field is assigned by the CA
>>>>         during certificate creation."
>>>>
>>>> So that's two ways we would need to violate RFC4211 in order to use its
>>>> CertTemplate format for Precertificates.
>>>
>>>
>>>
>>> Seems like very minor violations to me. In addition using CRMF would
remove
>>> the need for the poison certificate extension. CRMF also gives more
>>> flexibility as you (RFC 6962 that is) can choose which fields to include
>>> and/or exclude, potentially answering to questions like privacy issues
and
>>> such.
>>
>>
>> We're only discussing alternatives to avoid breaking ritual compliance
>> with the RFC, so selecting another one we have to violate hardly seems
>> like forward motion.
>
>
> Just bringing some more alternatives to the table.
> I'm sure modifying RFC4211 is easier than modifying RFC5280 ;-)

(Apologies for the crispy formatting, I'm typing on a phone).  Anyway, that
would be essentially correct - there are issues around thongs like deployed
base, and how much would or could break as a result.  These are the sorts
of questions for which "ritual compliance" is unhelpful language.
>
>
>
>>>
>>>>
>>>> In contrast, allowing a Precertificate/Certificate pair to use the same
>>>> serial number only violates RFC5280 in one way.  (Oh, and to me,
reusing
>>>> the TBSCertificate format feels good too! ;-) )
>
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans

v2.29.0 | Report a Bug | By Email | System Status