Closed ounsworth closed 4 months ago
Does this affect the wire encoding of the examples in the appendix? I think not, because both are a CHOICE with the default option (which the TCG example uses) being untagged. I.e., this is an ASN.1 change but does not affect the wire encoding.
From Russ:
After looking at this for the past few days, I am not convinced that the separation of non-ASN.1 and non-X.509 ASN.1 provides any value to the implementer. At some point, the implementation must look up the OID to determine how to fully parse the certificate. Mike has shown some tricks to detect errors early with the current syntax. To that end, I suggest that the module IMPORT CertificateChoices from RFC 6268.
The resulting ASN.1 for EvidenceBundle would be:
EvidenceBundle ::= SEQUENCE {
    evidence  EvidenceStatements,
    certs     SEQUENCE SIZE (1..MAX) OF CertificateChoices OPTIONAL
              -- CertificateChoices MUST only contain certificate or other
}
In addition, the text should say:
CertificateChoices MUST only contain certificate or other. CertificateChoices MUST NOT contain extendedCertificate, v1AttrCert, or v2AttrCert.
Russ
P.S. If the WG likes this suggestion, then the full ASN.1 module for this Internet-Draft follows.
CSR-ATTESTATION-2024
  { iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix-attest-01(TBDMOD) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

EXPORTS ALL;

IMPORTS

  Certificate, id-pkix
  FROM PKIX1Explicit-2009
    { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

  CertificateChoices
  FROM CryptographicMessageSyntax-2010
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-2009(58) }

  EXTENSION, ATTRIBUTE, AttributeSet{}, SingleAttribute{}
  FROM PKIX-CommonTypes-2009 -- from [RFC5912]
    { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

  id-aa
  FROM SecureMimeMessageV3dot1
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) msg-v3dot1(21) } ;

-- OID Arc for attestation statement types

id-ata OBJECT IDENTIFIER ::= { id-pkix TBD1 }

EVIDENCE-STATEMENT ::= TYPE-IDENTIFIER

EvidenceStatementSet EVIDENCE-STATEMENT ::= {
  ... -- None defined in this document --
}

EvidenceHint ::= CHOICE {
  rfc822Name  [0] IA5String,
  dNSName     [1] IA5String,
  uri         [2] IA5String,
  text        [3] UTF8String
}

EvidenceStatements ::= SEQUENCE SIZE (1..MAX) OF EvidenceStatement

EvidenceStatement ::= SEQUENCE {
  type  EVIDENCE-STATEMENT.&id({EvidenceStatementSet}),
  stmt  EVIDENCE-STATEMENT.&Type({EvidenceStatementSet}{@type}),
  hint  EvidenceHint OPTIONAL
}

id-aa-evidence OBJECT IDENTIFIER ::= { id-aa TBDAA }

-- For PKCS#10
attr-evidence ATTRIBUTE ::= {
  TYPE SEQUENCE OF EvidenceBundles
  IDENTIFIED BY id-aa-evidence
}

-- For CRMF
ext-evidence EXTENSION ::= {
  SYNTAX EvidenceBundles
  IDENTIFIED BY id-aa-evidence
}

EvidenceBundles ::= SEQUENCE SIZE (1..MAX) OF EvidenceBundle

EvidenceBundle ::= SEQUENCE {
  evidence  EvidenceStatements,
  certs     SEQUENCE SIZE (1..MAX) OF CertificateChoices OPTIONAL
            -- CertificateChoices MUST only contain certificate or other
}

END
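Added example, not part of the thread or of the draft: a stdlib-only Python check of the two points made above, that `certificate` is untagged so the wire encoding of `certs` is unchanged, and that a decoder must reject the `extendedCertificate` [0], `v1AttrCert` [1] and `v2AttrCert` [2] alternatives while accepting `certificate` and `other` [3]. The stand-in certificate (a bare SEQUENCE, not a real X.509 Certificate), the `otherCert` payload and the use of 2.999 (the ITU-T arc reserved for examples) as `otherCertFormat` are constructed for the example; a real verifier would hand the `certificate` bytes to an X.509 parser afterwards.

```python
"""Enforce the proposed restriction on EvidenceBundle.certs: every
CertificateChoices element MUST be `certificate` or `other`; extendedCertificate,
v1AttrCert and v2AttrCert MUST NOT appear. Stdlib-only DER handling written for
this note, not code from the draft."""
from typing import List, Optional, Tuple

# Outer DER tag of each CertificateChoices alternative (RFC 5652 / RFC 6268,
# IMPLICIT tags). `certificate` is untagged, so it is a plain SEQUENCE (0x30).
TAG_CERTIFICATE, TAG_OTHER = 0x30, 0xA3   # permitted alternatives
FORBIDDEN = {0xA0: "extendedCertificate",  # [0] IMPLICIT
             0xA1: "v1AttrCert",           # [1] IMPLICIT
             0xA2: "v2AttrCert"}           # [2] IMPLICIT

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """One DER TLV at `pos` (single-octet tag, minimal definite length)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def encode_tlv(tag: int, value: bytes) -> bytes:
    """One DER TLV with minimal definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def decode_oid(body: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER's content octets."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    f = arcs[0]
    lead = [0, f] if f < 40 else [1, f - 40] if f < 80 else [2, f - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def parse_certs(der: bytes) -> List[Tuple[str, Optional[str], bytes]]:
    """Parse `certs SEQUENCE SIZE (1..MAX) OF CertificateChoices` into
    (kind, otherCertFormat OID or None, body) tuples; reject forbidden
    alternatives, non-DER lengths and trailing bytes."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certs must be a single SEQUENCE")
    if not seq:
        raise ValueError("certs is empty; SIZE (1..MAX) requires one element")
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == TAG_CERTIFICATE:
            out.append(("certificate", None, val))
        elif tag == TAG_OTHER:  # [3] IMPLICIT: val is the SEQUENCE body
            otag, oid_body, p = read_tlv(val, 0)
            if otag != 0x06:
                raise ValueError("OtherCertificateFormat must start with an OID")
            if read_tlv(val, p)[2] != len(val):
                raise ValueError("trailing data in OtherCertificateFormat")
            out.append(("other", decode_oid(oid_body), val[p:]))
        elif tag in FORBIDDEN:
            raise ValueError(f"{FORBIDDEN[tag]} MUST NOT appear in EvidenceBundle.certs")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02X} in CertificateChoices")
    return out

def rejection_reason(der: bytes) -> Optional[str]:
    """None if `der` is acceptable, otherwise why it was rejected."""
    try:
        parse_certs(der)
        return None
    except ValueError as e:
        return str(e)

def build_certs(elements: List[bytes]) -> bytes:
    """Outer SEQUENCE; untagged `certificate` means plain Certificate DERs
    give exactly the bytes a SEQUENCE OF Certificate would."""
    return encode_tlv(0x30, b"".join(elements))

def sample_certs() -> bytes:
    """Constructed sample: a stand-in `certificate` (SEQUENCE holding INTEGER 1,
    not a real Certificate) plus an `other` entry with otherCertFormat 2.999."""
    stand_in = encode_tlv(TAG_CERTIFICATE, encode_tlv(0x02, b"\x01"))
    other = encode_tlv(TAG_OTHER, encode_tlv(0x06, bytes([0x88, 0x37]))
                       + encode_tlv(0x04, b"\xde\xad\xbe\xef"))
    return build_certs([stand_in, other])
```

The dispatch happens on the outer tag octet alone, which is all the CHOICE gives a decoder before it knows the element's type; the `other` branch then reads `otherCertFormat` so the caller can look the OID up and parse `otherCert`, exactly the step the message above says cannot be avoided.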