[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos

To: Tom Yu <tlyu@xxxxxxx>
Subject: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
From: Steven Legg <steven.legg@xxxxxxxxxxx>
Date: Mon, 07 Nov 2005 10:20:46 +1100
Cc: Peter Sylvester <Peter.Sylvester@xxxxxxxxxx>, Love Hörnquist Åstrand <lha@xxxxxx>, Tom Gindin <tgindin@xxxxxxxxxx>, Sam Hartman <hartmans-ietf@xxxxxxx>, ietf-pkix@xxxxxxx, jhutz@xxxxxxx, ietf-krb-wg@xxxxxxx
In-reply-to: <ldvhdaqiacd.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <OF4418E07D.316DA9AC-ON852570A8.0071203C-852570AC.004AB30B@xxxxxxxxxx> <4367B0BC.6090601@xxxxxxxxxx> <m2ek5yrflj.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <43694DC7.2090308@xxxxxxxxxxx> <4369DA6D.7030300@xxxxxxxxxx> <ldvhdaqiacd.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319



Tom,

Tom Yu wrote:

"Peter" == Peter Sylvester <Peter.Sylvester@xxxxxxxxxx> writes:



Peter> Steven Legg wrote:

Love, et al,

Love Hörnquist Åstrand wrote:

Lets take another example:

PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack          [0] IMPLICIT OCTET STRING,
-- Contains a CMS type ContentInfo encoded
-- according to [RFC3852].
-- The contentType field of the type ContentInfo
-- is id-signedData (1.2.840.113549.1.7.2),
-- and the content field is a SignedData.

With you syntax this should be

signedAuthPack IMPLICIT OCTET STRING OPTIONAL CONTAINING ContentInfo

Now, ContentInfo in a CMS type, and is allowed to be encoded in BER.
Kerberos datatypes uses DER.

How is that expressed in a formal way ?



signedAuthPack IMPLICIT OCTET STRING



"IMPLICIT" only goes after a tag, so the above should contain something
like "[0] IMPLICIT"


Quite right. I was focussed on the constraint and didn't notice the tag
had been dropped.

or drop the IMPLICIT completely.  Dropping the

context-specific tag would cause a change in wire encoding from
pkinit-29.

(CONTAINING ContentInfo
ENCODED BY {joint-iso-itu-t asn(1) ber-derived(2)
distinguished-encoding(1)})
OPTIONAL

The OID after the "ENCODED BY" is the OID that identifies DER.



Except here, we are using a CMS message, which is permitted to be
encoded in BER, and pkinit requires DER, so you really want something
like

PA-PK-AS-REQ ::= SEQUENCE {
    signedAuthPack [0] IMPLICIT OCTET STRING
        (CONTAINING ContentInfo ENCODED BY {
            joint-iso-itu-t asn1 (1) basic-encoding (1)
        })
}


I'm not an expert on this but it would seem that as far as pkinit is
concerned, the encoding of a ContentInfo value contained in the
signedAuthPack component of a PA-PK-AS-REQ value is always a DER
encoding. It doesn't matter what encoding rules CMS uses to encode
values of ContentInfo, and the constraint has no effect whatsoever
on encodings of ContentInfo values outside the signedAuthPack component.


You'll need to normatively reference X.682, because the "CONTAINING"
constraint isn't in X.680.


Yes.

Just saying IMPORT and CONTANING and expect the right thing to
happen when
given to a compiler seems very naive.



There's a better chance that the compiler can do something useful than if
the requirements are expressed informally as a comment.

Regards,
Steven

Love



What one can expect from the compiler depends on what sort of compiler
one is using.  The open-source ASN.1 toolkits with acceptable license
conditions often omit much of the functionality of the full ASN.1
standard.


And they always will if ASN.1 specifications always pander to the lowest
common denominator. Contents constraints are a nudge in the right direction.

Regards,
Steven


---Tom

References:
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Tom Gindin
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Peter Sylvester
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Love Hörnquist Åstrand
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Steven Legg
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Peter Sylvester
- Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
  - From: Tom Yu

Prev by Date: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos
Next by Date: RE: Public key validation and Proof of possession
Previous by thread: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
Next by thread: Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for InitialAuthentication in Kerberos
Index(es):
- Date
- Thread