Re: [Trans] Alternate formats for Precertificates
Ben Laurie <benl@google.com> Wed, 26 February 2014 16:45 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BF4B1A06A4 for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:45:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.926
X-Spam-Level:
X-Spam-Status: No, score=-1.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hPX0jNAVPLwr for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:45:24 -0800 (PST)
Received: from mail-ie0-x233.google.com (mail-ie0-x233.google.com [IPv6:2607:f8b0:4001:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id D6A191A068F for <trans@ietf.org>; Wed, 26 Feb 2014 08:45:05 -0800 (PST)
Received: by mail-ie0-f179.google.com with SMTP id to1so888865ieb.38 for <trans@ietf.org>; Wed, 26 Feb 2014 08:45:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Wbj9wjjP09ZADPcsofMZBWqLdF/SDPhVPbEugxys/UI=; b=eIIglSs0ukf6I+F/8AFVOwHl9krDypX/TR+u0PbVY2DCpNwRyOcj/L/4k4t00T0mDP VxMBzegIYzKBteZIPJsC9U1u2EtW1Mb79/kz+PY/5dhn13nmEZvyxqex8DdedDOi9pM+ frzoUDvZf1LCKYPIvRoyMFlbAD83Fg3QHEKM4oIaAmJPMEh+3kLTRe1IhAUC6MtZbObC D17bq+Exdlh0Z42zrOrJgzD+Lfl/zqwL+eexLrpxQesiNMYwJaDluVZqjxWqjJIOJoMB A/lC9qQj+tQwBVB08YVqNYfgX5UDpbYFikniH4gk6jLUhx0681Dq3swI2N5SYgjg/B7C z12A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Wbj9wjjP09ZADPcsofMZBWqLdF/SDPhVPbEugxys/UI=; b=JQ1d4MQhR48xB6TnLb9FuEMTMCYywAQw8kT/a8UaT2ATyOPVpHpCqs8LPDEsbJu6Q7 KuLcwH4yv+t6V97IErizYC7Xpj6Z7wtDp/I7kwtLqy/QpKtQFiHDK3hb6uGJCB1FF6Pz 5+Wu5DRhWq5pAQTvBtyYKOAm7zthp9mJ7iMHrAK6hi6CYFSqy0fAKU3IyVruyArwJBk/ OIUKE4yDJ4BKIp0Em/sNBRC2W8rLATJOP5TP2muZMCzrqSE4rPZhZxtz8qVOwqiWym3E wuvCgTfFsSMEX2YjyPzSOBi+NE1TPq419CA9CyKvfxfjbJ66zQmiCnkcE71hqPBHXrwL 0PZw==
X-Gm-Message-State: ALoCoQlqbm4PED2lXbn83Zyf0TwyfAtoWxTYD4IbmNOw9t3VWlluzzCAqNAPPZKKK8uVzlyIu13wIvx5tugjvHD2JGg4Lvx8Ah0hTyqRa7N2QINJsP5GtZ0qI4vjIPG/L5v7snoAU81JW6FalJH3dBRdyrH570RHXBR7DV79VADMFZ+zxz4w3eGv810G+kIsHb0DVr1CHynT
MIME-Version: 1.0
X-Received: by 10.42.41.82 with SMTP id o18mr398111ice.50.1393433104509; Wed, 26 Feb 2014 08:45:04 -0800 (PST)
Received: by 10.64.27.8 with HTTP; Wed, 26 Feb 2014 08:45:04 -0800 (PST)
In-Reply-To: <530E16CD.6030908@primekey.se>
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com> <530E100A.7040503@primekey.se> <530E142A.90007@comodo.com> <530E16CD.6030908@primekey.se>
Date: Wed, 26 Feb 2014 16:45:04 +0000
Message-ID: <CABrd9SR1S7Fg5Xs_dkgou3HfF4O_hyzFxW4qS=-2eti7DmGZew@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tomas Gustavsson <tomas@primekey.se>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/GAeYryzbbiFl5jg2BCg8KGf3kvE
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Alternate formats for Precertificates
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 16:45:33 -0000
On 26 February 2014 16:31, Tomas Gustavsson <tomas@primekey.se> wrote: > > On 02/26/2014 08:19 AM, Rob Stradling wrote: >> >> On 26/02/14 16:02, Tomas Gustavsson wrote: >>> >>> On 02/26/2014 07:30 AM, Ben Laurie wrote: >>>> >>>> On 26 February 2014 14:13, Tomas Gustavsson <tomas@primekey.se> wrote: >>>>> >>>>> >>>>> Did anyone consider using RFC4211 CRMF requests as "pre-certificates"? >>>>> CRMF has both issuer and serialNumber, as well as extensions. The >>>>> CertTemplate of RFC4211 is basically a TBSCertificate. >>>> >>>> >>>> Hmm. So it is. I had not come across this RFC before. >>>> >>>> Does anything implement it? >>> >>> >>> Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as >>> a request format for years, so we have code for both producing and >>> parsing of course. >>> >>> BouncyCastle has Java APIs for CMP/CRMF. >>> http://www.bouncycastle.org/ >>> >>> cmpforopenssl supports it I believe, C API and command line. >>> >>> http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page >>> >>> >>> >>> I don't know why I did not think of this earlier, since I use it all the >>> time. CMP with CRMF is used in many systems in production. Card >>> management, LTE base stations (3GPP standardization), some routers etc. >>> >>> Re-using existing RFC always feels good :-) >> >> >> RFC4211 says: >> "The fields of CertRequest have the following meaning: >> ... >> serialNumber MUST be omitted. This field is assigned by the CA >> during certificate creation. >> >> signingAlg MUST be omitted. This field is assigned by the CA >> during certificate creation." >> >> So that's two ways we would need to violate RFC4211 in order to use its >> CertTemplate format for Precertificates. > > > Seems like very minor violations to me. In addition using CRMF would remove > the need for the poison certificate extension. CRMF also gives more > flexibility as you (RFC 6962 that is) can choose which fields to include > and/or exclude, potentially answering to questions like privacy issues and > such. We're only discussing alternatives to avoid breaking ritual compliance with the RFC, so selecting another one we have to violate hardly seems like forward motion. > > >> >> In contrast, allowing a Precertificate/Certificate pair to use the same >> serial number only violates RFC5280 in one way. (Oh, and to me, reusing >> the TBSCertificate format feels good too! ;-) ) > > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans
- [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Phillip Hallam-Baker
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Goulet, Walter
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Melinda Shore
- Re: [Trans] Alternate formats for Precertificates Robin Alden
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson