Re: [Trans] [pkix] a question of cert (and OCSP) extension syntax
"Manger, James" <James.H.Manger@team.telstra.com> Tue, 17 March 2015 23:08 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13B6C1A1BA9; Tue, 17 Mar 2015 16:08:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.799
X-Spam-Level: *
X-Spam-Status: No, score=1.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994, WEIRD_PORT=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8Fpfs8A3cHu; Tue, 17 Mar 2015 16:08:12 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id ADCD71A1BCF; Tue, 17 Mar 2015 16:08:11 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.11,418,1422882000"; d="scan'208";a="76950754"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipocvi.tcif.telstra.com.au with ESMTP; 18 Mar 2015 09:38:26 +1100
X-IronPort-AV: E=McAfee;i="5600,1067,7743"; a="284037117"
Received: from wsmsg3703.srv.dir.telstra.com ([172.49.40.171]) by ipccvi.tcif.telstra.com.au with ESMTP; 18 Mar 2015 10:08:09 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Wed, 18 Mar 2015 10:08:09 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Stephen Kent <kent@bbn.com>, pkix <pkix@ietf.org>, "trans@ietf.org" <trans@ietf.org>
Date: Wed, 18 Mar 2015 10:08:08 +1100
Thread-Topic: [pkix] a question of cert (and OCSP) extension syntax
Thread-Index: AdBg6YKgnqK8ubTHQe+lGZN7OB2IYQAFTW6Q
Message-ID: <255B9BB34FB7D647A506DC292726F6E12855BD177A@WSMSG3153V.srv.dir.telstra.com>
References: <550881DE.8090304@bbn.com>
In-Reply-To: <550881DE.8090304@bbn.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/PKvxlfTV91oHi_BTP9i1Hy7DIuM>
Subject: Re: [Trans] [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 23:08:15 -0000
I came across a real cert with a Certificate Transparency extension the other day and took a look inside.
(I assume) the cert extension complies with RFC6962 "Certificate Transparency", and I believe this is also consistent with the current update draft-ietf-trans-rfc6962-bis-07.
Below are extracts from the certificate in hex: preceded by line numbers; indenting to show structure; and some comments starting with #.
Notable items:
Line 145: start of cert extension holding 3 signed cert timestamps (SCTs).
Line 147: extnValue OCTET STRING
Line 148: Another OCTET STRING, embedded in extnValue. Hence, an "ASN.1 DER encoded structure" (this OCTET STRING) "is the value of the octet string extnValue". That is, the syntax is a valid extension.
Lines 149-182: TLS-style encoding (eg most 2-byte/4-hexdigit items are lengths).
Lines 158-160: A DER-encoding embedded in the TLS-style encoding.
Each SCT has version (1 byte), log id (32 bytes), timestamp (8 bytes, milliseconds since 1970), alg ids (1 byte each), and a signature (DER-encoding of SEQ. {r, s}).
The signature in the extension is calculated over (most of) the tbsCertificate, but the tbsCertificate does NOT appear in the extension.
I suggest keeping this TLS-style-encoding-embedded-in-an-OCTET-STRING. It is a bit Frankenstein-esq, but I don’t think that is avoidable. Certificate Transparency mixes X.500 and TLS, they chose different encoding styles, the styles have to meet somewhere.
The cert extension should definitely have the exact bytes for fields that will be signed, which means TLS-style 1-byte alg ids, 8-byte timestamp, and SCT extensions. Converting each individual field to ASN.1 would just make it more awkward to reconstruct the exact bytes to be signed.
# Certificate Transparency extension
# from the certificate for https://op.certification.openid.net:60054/
# 3 SignedCertificateTimestamps
# from Google 'Pilot' (A4...10), DigiCert (56...DD), Google 'Aviator' (68...C4)
1 30 82072A # certificate
2 30 820612 # tbsCertificate (to be signed)
3 A0 03
4 02 01 02 # v3
5 02 10 0D1C890FBE7061A327B970DA2FC3B90A # cert serial number
...
74 31 24
75 30 22
76 06 03 550403 # cn
77 0C 1B 6F702E63657274696669636174696F6E2E6F70656E69642E6E6574 # op.certification.openid.net
...
86 A3 8202F5
87 30 8202F1
88 30 26
89 06 03 551D11 # id-ce-subjectAltName
90 04 1F
91 30 1D
92 82 1B 6F702E63657274696669636174696F6E2E6F70656E69642E6E6574 # op.certification.openid.net
...
145 30 82017C
146 06 0A 2B06010401D679020402 # 1.3.6.1.4.1.11129.2.4.2
147 04 82016C
148 04 820168 # PrecertificateSCTList
149 0166
150 0075
151 00 # version
152 A4B90990B418581487BB13A2CC67700A3C359804F91BDFB8E377CD0EC80DDC10 # id Google Pilot
153 0000014B99953C14 # timestamp
154 0000 # extensions
155 04 # hash sha256
156 03 # signature ecdsa
157 0046
158 30 44
159 02 20 11666B9E97E4E4AC6434E4B67C02617A31FB14DAEE4BB018D7B2B178133E1630 # r
160 02 20 6A13F32E7C704CDCB7B1D12241AA3E346F4DED5670CA01DA5B850BCFB04285B5 # s
161 0075
162 00
163 5614069A2FD7C2ECD3F5E1BD44B23EC74676B9BC99115CC0EF949855D689D0DD # id DigiCert
164 0000014B99953E24
165 0000
166 04
167 03
168 0046
169 30 44
170 02 20 3EC2C5C2408ED171F2D3B8B0FD3DFA8CA09C4BE3A7DD1ADA871444D39B0828A7
171 02 20 596955FE3F434579E9CD9144455AE7848094CDA89EED2A5F3DC254B38F2E4335
172 0076
173 00
174 68F698F81F6482BE3A8CEEB9281D4CFC71515D6793D444D10A67ACBB4F4FFBC4 # id Google Aviator
175 0000014B99953C08
176 0000
177 04
178 03
179 0047
180 30 45
181 02 21 008E8E239C48C46E0AD1F0B102071B2CA73E199C791654E93B406F9F3BB4EEC967
182 02 20 49427C3C633C5D0FC21088921AE2F01BF49D8B21012A0A8EEBD8B2967B72F2B4
183
184 30 0D
185 06 09 2A864886F70D01010B # sha256WithRSAEncryption
186 05 00
187 03 820101 009710D1B54C9F9241694CF1927223F0AE6901B7AD419685F1DBE39F2959ADCCAD7EB0C1FD10583E1502DE6A52D58078ECEA9F17DA018D203E7EA5A5805FEA2811031776F3EDC02C18A426AC80A76735C69DCC87E885D76E40E75D3FA70F060F967D551CDBC1AECEC8993169BDCA45764B0D2857CCFDF87E0DF0A1594E3EF35EC031D4967F844EFE07C402FEC501DDEA5787D1DD4D6F0EF0E9E1B241E200922A35C279C41F248E62015494FD2820823317C9B08B5EFC5C46943453AB81AB7BC78DAA35B757CAD323F97F8C1DC5A0B69C39FE77A4354685ECB68AE04C5F32B152D39C4DA22A3A16CE395FE0CFC03BF7247265BCD032AF1E5A80D86D38B2F9D749C6 # signature
A few more comments inline below.
--
James Manger
----------
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Wednesday, 18 March 2015 6:35 AM
To: pkix
Subject: [pkix] a question of cert (and OCSP) extension syntax
Folks,
Stephen Farrell suggested that I pose a question to this list based on an ongoing debate in another WG.
A certificate and OCSP extension has been proposed in TRANS. The extension consists of a few data items, principally:
version number (an integer)
a log ID (an octet string)
a time stamp
a certificate or TBS certificate
[JM] No, the cert/tbsCert is NOT in this cert ext
a hash value (a bit or octet string)
[JM] I think you mean a signature
an optional set of TBD protocol-specific extensions
The authors of the proposed extension elected to encode all of these data items as one big OCTET STRING, rather than using the existing, base ASN.1 data types. They elected to not use an ASN.1 structure here because one of the three ways to communicate this data to a client is via a TLS handshake. They believe that the TLS handshake will eventually become the predominant means of transporting this data. (I didn’t find the argument for this prediction compelling, but ...). Thus they chose to employ the syntax defined in RFC 5246.
Russ Housley and I have argued that using OCTET STRING here is inconsistent with the intent of 5280 (and 2594 and 3280), which defines an extension as:
Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue.
Since the bulk of the data items have an obvious ASN.1 representation,
[JM] Is the "obvious ASN.1" for the timestamp (ms since 1970) GeneralizedTime or INTEGER or OCTET STRING (SIZE(8))?
[JM] I guess the "obvious ASN.1" for the alg ids is INTEGER {sha256(4), ...}, even though ASN.1 uses OID (or actually AlgorithmIdentifier).
[JM] The ASN.1 for SCT extensions would presumably be SEQUENCE OF OCTET STRING, which still embeds a TLS-style encoding in an OCTET STRING.
and the certificate or TBS certificate are native ASN.1 structures, we feel that the decision to stuff all of the data items into an OCTET STRING is inappropriate, and that it sets a bad precedent for others developing certificate (and OCSP) extensions in the future
I’m soliciting feedback from this list on this topic, to pass on to Stephen, Kathleen, and the TRANS WG.
Thanks,
Steve
- Re: [Trans] [pkix] a question of cert (and OCSP) … Manger, James
- Re: [Trans] [pkix] a question of cert (and OCSP) … Massimiliano Pala
- Re: [Trans] [pkix] a question of cert (and OCSP) … Melinda Shore
- Re: [Trans] [pkix] a question of cert (and OCSP) … Massimiliano Pala
- Re: [Trans] [pkix] a question of cert (and OCSP) … Salz, Rich
- [Trans] Use of private OIDs in WG document Massimiliano Pala
- Re: [Trans] [pkix] a question of cert (and OCSP) … Leif Johansson
- Re: [Trans] Use of Private OIDs in WG document (R… Melinda Shore
- [Trans] Use of Private OIDs in WG document (Re: [… Massimiliano Pala
- Re: [Trans] Use of private OIDs in WG document Russ Housley
- Re: [Trans] Use of private OIDs in WG document Rob Stradling
- Re: [Trans] Use of private OIDs in WG document Russ Housley
- Re: [Trans] Use of Private OIDs in WG document (R… Nico Williams
- Re: [Trans] [pkix] a question of cert (and OCSP) … Salz, Rich
- Re: [Trans] [pkix] a question of cert (and OCSP) … Warren Kumari