Re: [Trans] Alternate formats for Precertificates
Tomas Gustavsson <tomas@primekey.se> Wed, 26 February 2014 16:02 UTC
Return-Path: <tomas@primekey.se>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 495611A0454 for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:02:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YsIrTiDyFVVu for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:02:23 -0800 (PST)
Received: from mail.primekey.se (mail.primekey.se [213.179.18.11]) by ietfa.amsl.com (Postfix) with ESMTP id 3806A1A0231 for <trans@ietf.org>; Wed, 26 Feb 2014 08:02:23 -0800 (PST)
Received: from mail.primekey.se (localhost [127.0.0.1]) by mail.primekey.se (Postfix) with ESMTP id 0892A45C00CD for <trans@ietf.org>; Wed, 26 Feb 2014 17:03:36 +0100 (CET)
Received: from [192.168.1.107] (c-50-184-94-125.hsd1.ca.comcast.net [50.184.94.125]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.primekey.se (Postfix) with ESMTPSA id 8FCFE45C00C8 for <trans@ietf.org>; Wed, 26 Feb 2014 17:03:35 +0100 (CET)
Message-ID: <530E100A.7040503@primekey.se>
Date: Wed, 26 Feb 2014 08:02:18 -0800
From: Tomas Gustavsson <tomas@primekey.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: trans@ietf.org
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com>
In-Reply-To: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/YDnFZf_uQlW3E36TIEF2w7Jlsv4
Subject: Re: [Trans] Alternate formats for Precertificates
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 16:02:26 -0000
On 02/26/2014 07:30 AM, Ben Laurie wrote: > On 26 February 2014 14:13, Tomas Gustavsson <tomas@primekey.se> wrote: >> >> Did anyone consider using RFC4211 CRMF requests as "pre-certificates"? >> CRMF has both issuer and serialNumber, as well as extensions. The >> CertTemplate of RFC4211 is basically a TBSCertificate. > > Hmm. So it is. I had not come across this RFC before. > > Does anything implement it? Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as a request format for years, so we have code for both producing and parsing of course. BouncyCastle has Java APIs for CMP/CRMF. http://www.bouncycastle.org/ cmpforopenssl supports it I believe, C API and command line. http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page I don't know why I did not think of this earlier, since I use it all the time. CMP with CRMF is used in many systems in production. Card management, LTE base stations (3GPP standardization), some routers etc. Re-using existing RFC always feels good :-) Cheers, Tomas > >> >> Cheers, >> Tomas >> >> PS: time to change subject of the thread? >> >> >> On 02/26/2014 05:46 AM, Rob Stradling wrote: >>> On 26/02/14 13:33, Carl Wallace wrote: >>>>>> >>>>>> While I agree that lack of a CA certificate with the matching naming >>>>>> really doesn¹t matter, breaking name chaining seems like an odd way to >>>>>> maintain ³ritual compliance". Why not bump the version number instead? >>>>>> v4 could be defined as a pre-certificate containing a poison extension >>>>>> and >>>>>> a serial number that matches its v3 counterpart. >>>>> >>>>> Hi Carl. I briefly discussed the idea of changing the version number >>>>> with Ben a few months ago... >>>> >>>> Sorry for the rehash. There are occasions where I miss an email in this >>>> list:-) >>> >>> No need to apologize. It was an off-list discussion. :-) >>> >> >> _______________________________________________ >> Trans mailing list >> Trans@ietf.org >> https://www.ietf.org/mailman/listinfo/trans > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Phillip Hallam-Baker
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Goulet, Walter
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Melinda Shore
- Re: [Trans] Alternate formats for Precertificates Robin Alden
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson