Re: [Trans] Bad Technical Decision: Closing out the SCT encoding discussion
Nico Williams <nico@cryptonector.com> Mon, 16 March 2015 16:47 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC1E51A88C2 for <trans@ietfa.amsl.com>; Mon, 16 Mar 2015 09:47:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dfppKEDU0-Ql for <trans@ietfa.amsl.com>; Mon, 16 Mar 2015 09:47:41 -0700 (PDT)
Received: from homiemail-a107.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 284951A1B2E for <trans@ietf.org>; Mon, 16 Mar 2015 09:47:41 -0700 (PDT)
Received: from homiemail-a107.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTP id 14D702004F4DE; Mon, 16 Mar 2015 09:47:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=t7f2mNUytpHzsA mAf6IRrVqFkqs=; b=JrZfQbxJELRRhjicpuMD14kPygidRikJCz9TEt7mFU56Rr EOpiSPnWY2mfGYnZsMsICtWto8KDJ1VPYPoMWz4TAAA/biUUPhvjQ7QjhZwmoGQr L/Lcw6H6qV7xQkWj4Y0/Mjy3NsgPjlm9ISFEbV840j4vLXqnvcHFiv07Wq5MA=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTPA id C49132004F4D6; Mon, 16 Mar 2015 09:47:39 -0700 (PDT)
Date: Mon, 16 Mar 2015 11:47:38 -0500
From: Nico Williams <nico@cryptonector.com>
To: Paul Wouters <paul@nohats.ca>
Message-ID: <20150316164736.GF3479@localhost>
References: <550257A0.8050401@gmail.com> <B87AFA6C-2B9F-474C-AE0F-BF07829CD139@vigilsec.com> <20150314000210.GD3479@localhost> <alpine.LFD.2.10.1503132156440.17274@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1503132156440.17274@bofh.nohats.ca>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/fISMX697dsmi9fXCoqqPEFN-87E>
Cc: trans@ietf.org
Subject: Re: [Trans] Bad Technical Decision: Closing out the SCT encoding discussion
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 16:47:42 -0000
On Fri, Mar 13, 2015 at 09:57:57PM -0400, Paul Wouters wrote: > On Fri, 13 Mar 2015, Nico Williams wrote: > > >Indeed. The fact that Certificate includes TBSCertificate without > >wrapping it in an OCTET STRING has caused problems before. > > Can you share what problems this has caused before? That would be > a useful addition to this discussion. Yes, I can. Say you want to use an ASN.1 compiler to generate all your encoding and decoding code... A compiler-generated decoder will generally lose all information about encoding options (think BER) for the TBSCertificate, so that if you write code that passes around decoded structures without passing around the original cert... then you can't validate signatures that were taken over a non-canonical encoding of the tbsCertificate. Even if you pass the original cert around, you need to hand-code a parser to extract the tbsCertificate. Fun stuff. Wrapping to-be-signed objects in OCTET STRINGs completely solves the problem. We use ASN.1 in part because the idea that we can use off-the-shelf compilers is attractive. There exist such x.509 implementations, FYI. Heimdal's libhx509, for example. Nico --
- Re: [Trans] Bad Technical Decision: Closing out t… Paul Wouters
- Re: [Trans] Bad Technical Decision: Closing out t… Nico Williams
- [Trans] Closing out the SCT encoding discussion Melinda Shore
- [Trans] Bad Technical Decision: Closing out the S… Russ Housley
- Re: [Trans] Bad Technical Decision: Closing out t… Stephen Farrell
- Re: [Trans] Bad Technical Decision: Closing out t… Rob Stradling
- Re: [Trans] Bad Technical Decision: Closing out t… Russ Housley
- Re: [Trans] Bad Technical Decision: Closing out t… Stephen Farrell
- Re: [Trans] Bad Technical Decision: Closing out t… Russ Housley
- Re: [Trans] Bad Technical Decision: Closing out t… Rob Stradling
- Re: [Trans] Bad Technical Decision: Closing out t… Rob Stradling
- Re: [Trans] Bad Technical Decision: Closing out t… Stephen Farrell
- Re: [Trans] Bad Technical Decision: Closing out t… Erwann Abalea
- Re: [Trans] Bad Technical Decision: Closing out t… Nico Williams