Re: [Trans] Alternate formats for Precertificates

"Goulet, Walter" <Walter.Goulet@rsa.com> Wed, 26 February 2014 16:09 UTC

From: "Goulet, Walter" <Walter.Goulet@rsa.com>
To: Tomas Gustavsson <tomas@primekey.se>, "trans@ietf.org" <trans@ietf.org>
Date: Wed, 26 Feb 2014 16:07:29 +0000
Message-ID: <E30E0FF66CE8AB4C8F4957334D34D8A102776A@MX108CL01.corp.emc.com>
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com> <530E100A.7040503@primekey.se>
In-Reply-To: <530E100A.7040503@primekey.se>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/vBJCmYpuf-28z4l6t6ode2GhAxk
Subject: Re: [Trans] Alternate formats for Precertificates

Another +1 for RFC4211/4210; my company's certificate issuance platform has supported CMP/CRMF for many years and we have several large customers using it for LTE applications as Tomas described below.

-----Original Message-----
From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Tomas Gustavsson
Sent: Wednesday, February 26, 2014 10:02 AM
To: trans@ietf.org
Subject: Re: [Trans] Alternate formats for Precertificates


On 02/26/2014 07:30 AM, Ben Laurie wrote:
> On 26 February 2014 14:13, Tomas Gustavsson <tomas@primekey.se> wrote:
>>
>> Did anyone consider using RFC4211 CRMF requests as "pre-certificates"?
>> CRMF has both issuer and serialNumber, as well as extensions. The 
>> CertTemplate of RFC4211 is basically a TBSCertificate.
>
> Hmm. So it is. I had not come across this RFC before.
>
> Does anything implement it?

Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as a request format for years, so we have code for both producing and parsing of course.

BouncyCastle has Java APIs for CMP/CRMF.
http://www.bouncycastle.org/

cmpforopenssl supports it I believe, C API and command line.
http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page

I don't know why I did not think of this earlier, since I use it all the time. CMP with CRMF is used in many systems in production. Card management, LTE base stations (3GPP standardization), some routers etc.

Re-using an existing RFC always feels good :-)

Cheers,
Tomas

>
>>
>> Cheers,
>> Tomas
>>
>> PS: time to change subject of the thread?
>>
>>
>> On 02/26/2014 05:46 AM, Rob Stradling wrote:
>>> On 26/02/14 13:33, Carl Wallace wrote:
>>>>>>
>>>>>> While I agree that lack of a CA certificate with the matching
>>>>>> naming really doesn't matter, breaking name chaining seems like
>>>>>> an odd way to maintain "ritual compliance". Why not bump the
>>>>>> version number instead?
>>>>>> v4 could be defined as a pre-certificate containing a poison 
>>>>>> extension and a serial number that matches its v3 counterpart.
>>>>>
>>>>> Hi Carl.  I briefly discussed the idea of changing the version 
>>>>> number with Ben a few months ago...
>>>>
>>>> Sorry for the rehash. There are occasions where I miss an email in
>>>> this list :-)
>>>
>>> No need to apologize.  It was an off-list discussion.  :-)

_______________________________________________
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans
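Added example, not code from the thread, from EJBCA or from BouncyCastle: a stdlib-only Python sketch of the RFC 4211 CertTemplate shape Tomas points at, encoding just serialNumber, issuer and one extension (the RFC 6962 precertificate poison) so the correspondence with the fields a v3 TBSCertificate carries is visible in the bytes. It assumes the RFC 4211 module's IMPLICIT tagging (so [1] replaces the INTEGER tag, while [3] wraps the issuer Name because Name is a CHOICE), handles short-form DER lengths only, and the serial number and issuer CN are constructed values.

```python
def tlv(tag, content):
    """Tag-Length-Value with a short-form length (all samples here are < 128 bytes)."""
    assert len(content) < 0x80, "long-form DER lengths not handled in this demo"
    return bytes([tag, len(content)]) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_name_cn(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding commonName (2.5.4.3)."""
    atv = tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def der_extension(oid, critical, value):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, value))

CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 precert poison, value NULL

def cert_template(serial, issuer_cn, extensions):
    """CertTemplate with only serialNumber [1], issuer [3] and extensions [9]."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    body = tlv(0x81, ser)                       # [1] IMPLICIT: 0x81 replaces 0x02
    body += tlv(0xA3, der_name_cn(issuer_cn))   # [3] Name is a CHOICE, so explicit
    body += tlv(0xA9, b"".join(extensions))     # [9] IMPLICIT SEQUENCE OF Extension
    return tlv(0x30, body)

def children(der):
    """(tag, content) pairs inside a constructed short-form TLV such as CertTemplate."""
    assert der[0] & 0x20 and der[1] < 0x80, "constructed, short-form input expected"
    out, i = [], 2
    while i < 2 + der[1]:
        tag, ln = der[i], der[i + 1]
        out.append((tag, der[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

# Constructed sample (not a real CA): the serial and issuer a v3 cert would carry.
PRECERT_TEMPLATE = cert_template(
    0x1A2B3C4D5E6F, "Example CA", [der_extension(CT_POISON_OID, True, b"\x05\x00")])
```

Walking `children(PRECERT_TEMPLATE)` shows the context tags 0x81, 0xA3 and 0xA9 in place of the universal tags a TBSCertificate would use for the same three fields.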