Re: [Trans] Alternate formats for Precertificates

Phillip Hallam-Baker <hallam@gmail.com> Wed, 26 February 2014 15:39 UTC

From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/lipRcsEmo1ohdb6OQEROfVtxHwM
Cc: Tomas Gustavsson <tomas@primekey.se>, "trans@ietf.org" <trans@ietf.org>

We can easily knock up some ASN.1.

The only criterion is that it isn't mistaken for an X.509v3 cert. We can
wrap TBSCertificate any which way, just put the signature ahead of the cert
and the job is done.

But as an aside, isn't it rather a bug in the ASN.1 encoding that two such
structures could be confused? I think that is something we might want to
consider in the JSON world. I always put a unique format specifier in a
signed object to prevent substitution attacks. One of my dislikes of XML
Signature is it is difficult to see this is done right.






On Wed, Feb 26, 2014 at 10:30 AM, Ben Laurie <benl@google.com> wrote:

> On 26 February 2014 14:13, Tomas Gustavsson <tomas@primekey.se> wrote:
> >
> > Did anyone consider using RFC4211 CRMF requests as "pre-certificates"?
> > CRMF has both issuer and serialNumber, as well as extensions. The
> > CertTemplate of RFC4211 is basically a TBSCertificate.
>
> Hmm. So it is. I had not come across this RFC before.
>
> Does anything implement it?
>
> >
> > Cheers,
> > Tomas
> >
> > PS: time to change subject of the thread?
> >
> >
> > On 02/26/2014 05:46 AM, Rob Stradling wrote:
> >> On 26/02/14 13:33, Carl Wallace wrote:
> >>>>>
> >>>>> While I agree that lack of a CA certificate with the matching naming
> >>>>> really doesn't matter, breaking name chaining seems like an odd way to
> >>>>> maintain "ritual compliance".  Why not bump the version number instead?
> >>>>> v4 could be defined as a pre-certificate containing a poison extension
> >>>>> and a serial number that matches its v3 counterpart.
> >>>>
> >>>> Hi Carl.  I briefly discussed the idea of changing the version number
> >>>> with Ben a few months ago...
> >>>
> >>> Sorry for the rehash.  There are occasions where I miss an email in this
> >>> list :-)
> >>
> >> No need to apologize.  It was an off-list discussion.  :-)
> >>
> >
> > _______________________________________________
> > Trans mailing list
> > Trans@ietf.org
> > https://www.ietf.org/mailman/listinfo/trans



-- 
Website: http://hallambaker.com/
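
The format-specifier idea from the message above, as an added example that is not part of the original message or of any CT implementation: a signed JSON object carries a `format` field, and the verifier for one structure rejects a validly signed object of another. The format strings, field names and key are constructed, and HMAC from the standard library stands in for the CA's signature.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"          # constructed; HMAC stands in for the CA's signature
PRECERT = "example/precertificate-v1"  # hypothetical format specifiers
CERT = "example/certificate-v1"

def canonical(obj):
    """Deterministic byte encoding of a JSON object, so signer and verifier agree."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(obj):
    return hmac.new(KEY, canonical(obj), hashlib.sha256).hexdigest()

def verify_signature_only(obj, sig):
    """Verifier with no format check: any validly signed object is accepted."""
    return hmac.compare_digest(sign(obj), sig)

def verify_as(expected_format, obj, sig):
    """Verifier that also requires the signed 'format' field to match its context."""
    return verify_signature_only(obj, sig) and obj.get("format") == expected_format

def demo():
    # Constructed sample fields shared by the precertificate and certificate forms.
    fields = {"issuer": "CN=Example CA", "serial": "0a1b", "subject": "CN=example.test"}
    untagged_sig = sign(fields)
    tagged = dict(fields, format=PRECERT)
    tagged_sig = sign(tagged)
    relabelled = dict(tagged, format=CERT)  # specifier changed after signing
    return {
        "untagged_precert_passes_cert_check": verify_signature_only(fields, untagged_sig),
        "tagged_precert_as_precert": verify_as(PRECERT, tagged, tagged_sig),
        "tagged_precert_as_cert": verify_as(CERT, tagged, tagged_sig),
        "relabelled_as_cert": verify_as(CERT, relabelled, tagged_sig),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the specifier sits inside the signed bytes, changing it after signing invalidates the signature, which is why the relabelled object fails as well.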