lamps-wg / cmp-updates

RFC4210bis and RFC6712bis
Other

Add clarification to Section 5.1.1.4. - CertProfile #28

Closed HBrock closed 1 year ago

HBrock commented 1 year ago

Liao Lijun asked the following question:

"As stated in "2.4. New Section 5.1.1.3. - CertProfile":

id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String

When used in an ir/cr/kur/genm, the value MUST NOT contain more elements than the number of CertReqMsg or InfoTypeAndValue elements and the certificate profile names refer to the elements in the given order.

My question is how to interpret the profile names if there are fewer names in the CertProfileValue field than CertReqMsg entries? For example, there are 4 CertReqMsg entries, but only 3 values in CertProfileValue."

HBrock commented 1 year ago

My feedback was: "If you have multiple certReqMsg in an ir/cr/kur/p10cr, you should use the certProfile names in the same order. If you have no certProfile for one or several certReqMsg you can put these either at the end of the sequence in the ir/cr/kur/p10cr or add a “” (empty string) as certProfile name to the sequence."

We should add a corresponding note to the rfc4210bis.

HBrock commented 1 year ago

I added this text to Section 5.1.1.4

"If you have multiple certReqMsg in an ir/cr/kur/p10cr, you MUST use the certProfile names in the same order as the certReqMsg. If you have no certProfile for one or several certReqMsg you can put these either at the end of the sequence in the ir/cr/kur/p10cr or add an empty string as certProfile name to the sequence."

@johngray-dev @DDvO @xipki Do you have any comments?

xipki commented 1 year ago

Looks fine to me.

Lijun


DDvO commented 1 year ago

I added this text to Section 5.1.1.4

This change is not (yet) visible at https://github.com/lamps-wg/cmp-updates/blob/main/draft-ietf-lamps-rfc4210bis.md I suppose the new text is meant to be placed after this sentence:

When used in an ir/cr/kur/genm, the value MUST NOT contain more elements than the number of CertReqMsg or InfoTypeAndValue elements and the certificate profile names refer to the elements in the given order.

and before this sentence:

When used in a p10cr, the value MUST NOT contain multiple certificate profile names.

So far, it supposedly reads as:

If you have multiple certReqMsg in an ir/cr/kur/p10cr, you MUST use the certProfile names in the same order as the certReqMsg. If you have no certProfile for one or several certReqMsg you can put these either at the end of the sequence in the ir/cr/kur/p10cr or add an empty string as certProfile name to the sequence.

We should not use "you" in the spec.

I propose re-combining and re-phrasing these text sections as follows:

When used in a p10cr message, the sequence MUST NOT contain multiple certificate profile names. When used in an ir/cr/kur/genm message, the sequence MUST NOT contain more certificate profile names than the number of CertReqMsg or InfoTypeAndValue elements contained in the message body.

The certificate profile names in the sequence relate to the CertReqMsg or InfoTypeAndValue elements in the given order. An empty string has the same meaning as if no element is present at the given sequence position: no certificate profile name being associated with the respective CertReqMsg or InfoTypeAndValue element.

HBrock commented 1 year ago

Thank you @DDvO for your proposal. Are there any further comments?

@johngray-dev Anything from your side?

johngray-dev commented 1 year ago

The original text seemed clear to me, but I see where the question could come from, so I agree we should try to clarify without making it more complicated. The updated message from David is good. I was going to suggest we make it clear that when CertProfile is required by one or more CertReqMsg, either the Cert profile Name or an empty string (to indicate no profile name) MUST be present in the same order. So effectively we are saying they must have the same number of elements. However, I think we still should allow a more efficient use case:

For example, say you have 3 certReqMsg (this is a common and supported use-case at Entrust). Say you want to use a cert profile for only the 2nd certReqMsg. The most efficient structure would be a Sequence of 2 CertProfiles (the first one being the empty string, the second one containing the profile name). Anything else should not be required. The first one requires the empty String to act as a placeholder, but if all the ones at the end don't require it, then it shouldn't be needed.

In practice, the most efficient structure would be for the client to re-order the 3 certReqMsg so that the first one was the one that required the cert profile. Then they would only need a CertProfileValue sequence of 1 as the 2nd and 3rd would both be empty. Forcing them to send empty ASN.1 sequences is just a waste of bytes.

I can try to come up with some text to see if that can be further clarified if you agree that this type of efficiency makes sense. Or for the sake of simplicity and clarity, we could just say when CertProfile is used, it MUST contain the same number of sequence elements as the number of CertReqMsg, and where no Cert profile name is required, an Empty String must be used as a placeholder...

HBrock commented 1 year ago

I think we are aligned on the issue. If you propose a leaner wording, it will be fine.

HBrock commented 1 year ago

Meeting 15.6.23: John will review and potentially add some text.

johngray-dev commented 1 year ago

I think this covers all the bases. I also added clarity by specifically mentioning the names of the structures so it is clear what is being discussed.

When used in a p10cr message, the CertProfileValue sequence MUST NOT contain multiple certificate profile names. When used in an ir/cr/kur/genm message, the CertProfileValue sequence MUST NOT contain more certificate profile names than the number of CertReqMsg or GenMsgContent InfoTypeAndValue elements contained in the message body.

The certificate profile names in the CertProfileValue sequence relate to the CertReqMsg or GenMsgContent InfoTypeAndValue elements in the given order. An empty string means no certificate profile name is associated with the respective CertReqMsg or GenMsgContent InfoTypeAndValue element. If the CertProfileValue sequence contains fewer certificate profile entries than CertReqMsg or GenMsgContent InfoTypeAndValue elements, the remaining CertReqMsg or GenMsgContent InfoTypeAndValue elements have no profile name associated with them.
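As an added worked example (not code from the cmp-updates repository, OpenSSL, xipki or any commenter), the following Python applies the wording above to the two cases raised in this issue: Lijun's 4 CertReqMsg with 3 profile names, and John's 3 CertReqMsg with a profile only for the second one. It also DER-encodes CertProfileValue (SEQUENCE OF UTF8String, tags 0x30 and 0x0C) so the byte cost of trailing empty-string placeholders is visible. The function names, the body-type strings ("ir", "cr", "kur", "genm", "p10cr") and the sample profile names are assumptions of this example, not identifiers from the draft.

```python
"""CertProfileValue handling per the rfc4210bis text discussed in issue #28.

CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String   -- id-it 21
Example code added for illustration; not part of the draft or any project.
"""
from typing import List, Optional

# Body types whose body is a list of CertReqMsg (ir/cr/kur) or of
# GenMsgContent InfoTypeAndValue (genm). Body-type strings are assumed here.
MULTI_ELEMENT_BODIES = {"ir", "cr", "kur", "genm"}


def associate_profiles(names: List[str], body_type: str, num_elements: int) -> List[Optional[str]]:
    """Map CertProfileValue entries onto the body elements, in order.

    Returns one entry per CertReqMsg / InfoTypeAndValue element: the profile
    name, or None when none is associated (empty string, or a sequence that is
    shorter than the body). Raises ValueError on the draft's MUST NOT rules.
    """
    if not names:
        raise ValueError("CertProfileValue is SIZE (1..MAX): at least one UTF8String required")
    if body_type == "p10cr":
        # A p10cr carries exactly one PKCS#10 request, hence at most one name.
        if len(names) > 1:
            raise ValueError("p10cr: CertProfileValue MUST NOT contain multiple names")
        num_elements = 1
    elif body_type in MULTI_ELEMENT_BODIES:
        if len(names) > num_elements:
            raise ValueError(f"{body_type}: {len(names)} profile names for {num_elements} elements")
    else:
        raise ValueError(f"certProfile is not defined for body type {body_type!r}")
    # Positional association; "" and missing trailing entries both mean "no profile".
    padded = names + [""] * (num_elements - len(names))
    return [name if name else None for name in padded]


def violates_rules(names: List[str], body_type: str, num_elements: int) -> bool:
    """True if associate_profiles() rejects the combination (handy for tests)."""
    try:
        associate_profiles(names, body_type, num_elements)
        return False
    except ValueError:
        return True


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_cert_profile_value(names: List[str]) -> bytes:
    """DER-encode CertProfileValue: SEQUENCE (0x30) OF UTF8String (0x0C)."""
    if not names:
        raise ValueError("CertProfileValue requires at least one element")
    inner = b"".join(b"\x0c" + _der_length(len(u)) + u
                     for u in (n.encode("utf-8") for n in names))
    return b"\x30" + _der_length(len(inner)) + inner


def decode_cert_profile_value(der: bytes) -> List[str]:
    """Minimal DER decoder for one SEQUENCE OF UTF8String."""
    def read_tlv(buf: bytes, pos: int):
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        return tag, buf[pos:pos + length], pos + length

    tag, content, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    names, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        if tag != 0x0C:
            raise ValueError(f"unexpected tag 0x{tag:02x}, expected UTF8String")
        names.append(value.decode("utf-8"))
    if not names:
        raise ValueError("CertProfileValue must contain at least one UTF8String")
    return names


if __name__ == "__main__":
    # Lijun's case: 4 CertReqMsg, 3 names -> the 4th request gets no profile.
    print(associate_profiles(["p1", "p2", "p3"], "ir", 4))
    # John's case: profile only for the 2nd of 3 CertReqMsg ("tls-server" is a constructed name).
    lean, padded = ["", "tls-server"], ["", "tls-server", ""]
    print(associate_profiles(lean, "cr", 3), associate_profiles(padded, "cr", 3))
    print(len(encode_cert_profile_value(lean)), "vs", len(encode_cert_profile_value(padded)), "bytes")
```

Both spellings of John's case map to the same association, while the trailing empty string costs two extra DER bytes (one UTF8String tag plus a zero length); reordering the requests so the profiled one comes first shrinks the sequence to a single element.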

HBrock commented 1 year ago

Thank you John. I will update the section accordingly.