Re: [Trans] Alternate formats for Precertificates

Tomas Gustavsson <tomas@primekey.se> Wed, 26 February 2014 16:02 UTC

Return-Path: <tomas@primekey.se>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 495611A0454 for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:02:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YsIrTiDyFVVu for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:02:23 -0800 (PST)
Received: from mail.primekey.se (mail.primekey.se [213.179.18.11]) by ietfa.amsl.com (Postfix) with ESMTP id 3806A1A0231 for <trans@ietf.org>; Wed, 26 Feb 2014 08:02:23 -0800 (PST)
Received: from mail.primekey.se (localhost [127.0.0.1]) by mail.primekey.se (Postfix) with ESMTP id 0892A45C00CD for <trans@ietf.org>; Wed, 26 Feb 2014 17:03:36 +0100 (CET)
Received: from [192.168.1.107] (c-50-184-94-125.hsd1.ca.comcast.net [50.184.94.125]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.primekey.se (Postfix) with ESMTPSA id 8FCFE45C00C8 for <trans@ietf.org>; Wed, 26 Feb 2014 17:03:35 +0100 (CET)
Message-ID: <530E100A.7040503@primekey.se>
Date: Wed, 26 Feb 2014 08:02:18 -0800
From: Tomas Gustavsson <tomas@primekey.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: trans@ietf.org
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com>
In-Reply-To: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/YDnFZf_uQlW3E36TIEF2w7Jlsv4
Subject: Re: [Trans] Alternate formats for Precertificates
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 16:02:26 -0000

On 02/26/2014 07:30 AM, Ben Laurie wrote:
> On 26 February 2014 14:13, Tomas Gustavsson <tomas@primekey.se> wrote:
>>
>> Did anyone consider using RFC4211 CRMF requests as "pre-certificates"?
>> CRMF has both issuer and serialNumber, as well as extensions. The
>> CertTemplate of RFC4211 is basically a TBSCertificate.
>
> Hmm. So it is. I had not come across this RFC before.
>
> Does anything implement it?

Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as 
a request format for years, so we have code for both producing and 
parsing of course.

BouncyCastle has Java APIs for CMP/CRMF.
http://www.bouncycastle.org/

cmpforopenssl supports it I believe, C API and command line.
http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page

I don't know why I did not think of this earlier, since I use it all the 
time. CMP with CRMF is used in many systems in production. Card 
management, LTE base stations (3GPP standardization), some routers etc.

Re-using existing RFC always feels good :-)

Cheers,
Tomas

>
>>
>> Cheers,
>> Tomas
>>
>> PS: time to change subject of the thread?
>>
>>
>> On 02/26/2014 05:46 AM, Rob Stradling wrote:
>>> On 26/02/14 13:33, Carl Wallace wrote:
>>>>>>
>>>>>> While I agree that lack of a CA certificate with the matching naming
>>>>>> really doesn┬╣t matter, breaking name chaining seems like an odd way to
>>>>>> maintain ┬│ritual compliance".  Why not bump the version number instead?
>>>>>> v4 could be defined as a pre-certificate containing a poison extension
>>>>>> and
>>>>>> a serial number that matches its v3 counterpart.
>>>>>
>>>>> Hi Carl.  I briefly discussed the idea of changing the version number
>>>>> with Ben a few months ago...
>>>>
>>>> Sorry for the rehash.  There are occasions where I miss an email in this
>>>> list:-)
>>>
>>> No need to apologize.  It was an off-list discussion.  :-)
>>>
>>
>> _______________________________________________
>> Trans mailing list
>> Trans@ietf.org
>> https://www.ietf.org/mailman/listinfo/trans
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>