lamps-wg / cmp-updates

RFC4210bis and RFC6712bis

Section 5.1.1.4: clarify restriction on number of certProfile elements #31

Closed DDvO closed 1 year ago

DDvO commented 1 year ago

For clarity, please replace

When used in an ir/cr/kur/genm message, the CertProfileValue sequence MUST NOT contain more certificate profile names than the number of CertReqMsg or GenMsgContent InfoTypeAndValue elements contained in the message body.

by, e.g.,

When used in an ir/cr/kur message, the number of profile names in the CertProfileValue sequence MUST NOT exceed the number of CertReqMsg elements contained in the message body. Similarly, when used in a genm message, this number MUST NOT exceed the number of InfoTypeAndValue elements in the message body.

HBrock commented 1 year ago

I am uncertain if this change is needed. I feel like the text is correct and circumvents duplication of text.

For clarity, please replace

When used in an ir/cr/kur/genm message, the CertProfileValue sequence MUST NOT contain more certificate profile names than the number of CertReqMsg or GenMsgContent InfoTypeAndValue elements contained in the message body.

by, e.g.,

When used in an ir/cr/kur message, the number of profile names in the CertProfileValue sequence MUST NOT exceed the number of CertReqMsg elements contained in the message body. Similarly, when used in a genm message, this number MUST NOT exceed the number of InfoTypeAndValue elements in the message body.

RFC4211 defines: CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
RFC4210 defines: GenMsgContent ::= SEQUENCE OF InfoTypeAndValue

We want to say that the number of elements in CertProfileValue must not be larger than the number of elements in CertReqMessages or GenMsgContent. So maybe we could rephrase like this.

When used in an ir/cr/kur/genm message, the CertProfileValue sequence MUST NOT contain more certificate profile names than the number of elements in the CertReqMessages or GenMsgContent sequence.

@johngray-dev As this text was contributed by you, what do you think? BTW, this change may also affect the next paragraph.

RufusJWB commented 1 year ago

There must be a misunderstanding. This:

When used in an ir/cr/kur/genm message, the CertProfileValue sequence MUST NOT contain more certificate profile names than the number of CertReqMsg or GenMsgContent InfoTypeAndValue elements contained in the message body.

is not the actual text from https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-updates/23/ chapter 2.4. There you write

When used in an ir/cr/kur/genm, the value MUST NOT contain more elements than the number of CertReqMsg or InfoTypeAndValue elements and the certificate profile names refer to the elements in the given order.

And one more question: what happens if the number of elements in the CertProfileValue sequence is neither 1 nor the number of CertReqMsg but smaller than the number of CertReqMsg? For example, there are two values in the CertProfileValue sequence but three CertReqMsg. Wouldn't it be more reasonable to say that the number of elements in the CertProfileValue sequence needs to be either 1 or exactly the number of CertReqMsg?
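The two readings discussed above, as an added example that is not part of the thread or of the cmp-updates draft: a constructed, simplified message holds only the body type, the element count of CertReqMessages or GenMsgContent, and the CertProfileValue names; the draft-23 wording (count not exceeding the body elements, names mapped in order) is checked beside the stricter "exactly 1 or exactly N" reading, where a single name applying to every element is an assumption of this example.

```python
from dataclasses import dataclass, field

# Constructed, simplified stand-in for a PKIMessage: only the body type, the
# number of CertReqMsg / InfoTypeAndValue elements and the certProfile names
# matter for this consistency check.
CERT_REQ_BODIES = {"ir", "cr", "kur"}   # body is CertReqMessages
GENM_BODIES = {"genm"}                  # body is GenMsgContent


@dataclass
class SimpleMessage:
    body_type: str                       # "ir", "cr", "kur" or "genm"
    body_elements: int                   # CertReqMsg or InfoTypeAndValue count
    cert_profiles: list = field(default_factory=list)  # CertProfileValue names


def check_draft23(msg: SimpleMessage):
    """Wording of draft-ietf-lamps-cmp-updates-23, Section 2.4: the number
    of profile names MUST NOT exceed the number of body elements, and the
    names refer to the elements in the given order.
    Returns (ok, mapping); mapping[i] is the profile for body element i,
    or None where fewer names than elements were supplied."""
    if msg.body_type not in CERT_REQ_BODIES | GENM_BODIES:
        return False, []
    n = msg.body_elements
    names = msg.cert_profiles
    if len(names) > n:
        return False, []
    return True, [names[i] if i < len(names) else None for i in range(n)]


def check_strict(msg: SimpleMessage):
    """Stricter reading proposed in the thread: either exactly one profile
    name or exactly one per body element. Assumption of this example: a
    single name applies to every element. Rejects the 2-names-for-3-elements
    case that the draft-23 wording allows."""
    if msg.body_type not in CERT_REQ_BODIES | GENM_BODIES:
        return False, []
    n, names = msg.body_elements, msg.cert_profiles
    if len(names) == 1:
        return True, [names[0]] * n
    if len(names) == n:
        return True, list(names)
    return False, []
```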

HBrock commented 1 year ago

Regarding rfc4210bis, this topic was already discussed and concluded in #28. CMP-Updates was approved a year ago, but there are some changes from the AD review of the Lightweight CMP Profile in the pipeline for AUTH48. Rfc4210bis shall include the changes from CMP Updates and will obsolete this document when published. If there is no change request regarding rfc4210bis, we should close this issue here.

HBrock commented 1 year ago

The issue was mainly about the wording in Section 2.4 of V23 of CMP Updates.

The current text in Section 5.1.1.4 of rfc4210bis seems to be sufficient.