[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos

To: Peter Sylvester <Peter.Sylvester@xxxxxxxxxx>
Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
From: Tom Yu <tlyu@xxxxxxx>
Date: Sun, 06 Nov 2005 01:01:06 -0500
Cc: Steven Legg <steven.legg@xxxxxxxxxxx>, Love Hörnquist Åstrand <lha@xxxxxx>, Tom Gindin <tgindin@xxxxxxxxxx>, Sam Hartman <hartmans-ietf@xxxxxxx>, ietf-pkix@xxxxxxx, jhutz@xxxxxxx, ietf-krb-wg@xxxxxxx
In-reply-to: <4369DA6D.7030300@xxxxxxxxxx> (Peter Sylvester's message of "Thu, 03 Nov 2005 10:37:49 +0100")
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@xxxxxxxxxx> <4367B0BC.6090601@xxxxxxxxxx> <m2ek5yrflj.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <43694DC7.2090308@xxxxxxxxxxx> <4369DA6D.7030300@xxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

>>>>> "Peter" == Peter Sylvester <Peter.Sylvester@xxxxxxxxxx> writes:

Peter> Steven Legg wrote:

>> Love, et al,
>> 
>> Love Hörnquist Åstrand wrote:
>> 
>>> Lets take another example:
>>> 
>>> PA-PK-AS-REQ ::= SEQUENCE {
>>> signedAuthPack          [0] IMPLICIT OCTET STRING,
>>> -- Contains a CMS type ContentInfo encoded
>>> -- according to [RFC3852].
>>> -- The contentType field of the type ContentInfo
>>> -- is id-signedData (1.2.840.113549.1.7.2),
>>> -- and the content field is a SignedData.
>>> 
>>> With you syntax this should be
>>> 
>>> signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo
>>> 
>>> Now, ContentInfo in a CMS type, and is allowed to be encoded in BER.
>>> Kerberos datatypes uses DER.
>>> 
>>> How is that expressed in a formal way ?
>> 
>> 
>> signedAuthPack IMPLICIT OCTET STRING

"IMPLICIT" only goes after a tag, so the above should contain something
like "[0] IMPLICIT" or drop the IMPLICIT completely.  Dropping the
context-specific tag would cause a change in wire encoding from
pkinit-29.

>> (CONTAINING ContentInfo
>> ENCODED BY {joint-iso-itu-t asn(1) ber-derived(2)
>> distinguished-encoding(1)})
>> OPTIONAL
>> 
>> The OID after the "ENCODED BY" is the OID that identifies DER.

Except here, we are using a CMS message, which is permitted to be
encoded in BER, and pkinit requires DER, so you really want something
like

PA-PK-AS-REQ ::= SEQUENCE {
    signedAuthPack [0] IMPLICIT OCTET STRING
        (CONTAINING ContentInfo ENCODED BY {
            joint-iso-itu-t asn1 (1) basic-encoding (1)
        })
}

You'll need to normatively reference X.682, because the "CONTAINING"
constraint isn't in X.680.

>>> Just saying IMPORT and CONTANING and expect the right thing to
>>> happen when
>>> given to a compiler seems very naive.
>> 
>> 
>> There's a better chance that the compiler can do something useful than if
>> the requirements are expressed informally as a comment.
>> 
>> Regards,
>> Steven
>> 
>>> 
>>> Love
>>> 

What one can expect from the compiler depends on what sort of compiler
one is using.  The open-source ASN.1 toolkits with acceptable license
conditions often omit much of the functionality of the full ASN.1
standard.

---Tom

Follow-Ups:
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Steven Legg

References:
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Tom Gindin
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Peter Sylvester
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Love Hörnquist Åstrand
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Steven Legg
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Peter Sylvester

Prev by Date: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos
Next by Date: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos
Previous by thread: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
Next by thread: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
Index(es):
- Date
- Thread