Re: [Trans] Alternate formats for Precertificates
Rob Stradling <rob.stradling@comodo.com> Wed, 26 February 2014 16:20 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EDE11A0680 for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:20:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.29
X-Spam-Level:
X-Spam-Status: No, score=-1.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xWYAJaeuEqIM for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:20:04 -0800 (PST)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) by ietfa.amsl.com (Postfix) with ESMTP id 4AD281A0454 for <trans@ietf.org>; Wed, 26 Feb 2014 08:19:57 -0800 (PST)
Received: (qmail 23469 invoked by uid 1000); 26 Feb 2014 16:19:54 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Wed, 26 Feb 2014 16:19:54 +0000
Message-ID: <530E142A.90007@comodo.com>
Date: Wed, 26 Feb 2014 16:19:54 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Tomas Gustavsson <tomas@primekey.se>, "trans@ietf.org" <trans@ietf.org>
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com> <530E100A.7040503@primekey.se>
In-Reply-To: <530E100A.7040503@primekey.se>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/XfY9z3Hgdyqa1thq0265VUmgI8w
Subject: Re: [Trans] Alternate formats for Precertificates
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 16:20:08 -0000
On 26/02/14 16:02, Tomas Gustavsson wrote: > On 02/26/2014 07:30 AM, Ben Laurie wrote: >> On 26 February 2014 14:13, Tomas Gustavsson <tomas@primekey.se> wrote: >>> >>> Did anyone consider using RFC4211 CRMF requests as "pre-certificates"? >>> CRMF has both issuer and serialNumber, as well as extensions. The >>> CertTemplate of RFC4211 is basically a TBSCertificate. >> >> Hmm. So it is. I had not come across this RFC before. >> >> Does anything implement it? > > Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as > a request format for years, so we have code for both producing and > parsing of course. > > BouncyCastle has Java APIs for CMP/CRMF. > http://www.bouncycastle.org/ > > cmpforopenssl supports it I believe, C API and command line. > http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page > > > I don't know why I did not think of this earlier, since I use it all the > time. CMP with CRMF is used in many systems in production. Card > management, LTE base stations (3GPP standardization), some routers etc. > > Re-using existing RFC always feels good :-) RFC4211 says: "The fields of CertRequest have the following meaning: ... serialNumber MUST be omitted. This field is assigned by the CA during certificate creation. signingAlg MUST be omitted. This field is assigned by the CA during certificate creation." So that's two ways we would need to violate RFC4211 in order to use its CertTemplate format for Precertificates. In contrast, allowing a Precertificate/Certificate pair to use the same serial number only violates RFC5280 in one way. (Oh, and to me, reusing the TBSCertificate format feels good too! ;-) ) -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Phillip Hallam-Baker
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Goulet, Walter
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Melinda Shore
- Re: [Trans] Alternate formats for Precertificates Robin Alden
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson