> On Apr 20, 2017, at 6:51 PM, Kent Watsen <kwat...@juniper.net> wrote:
>
> Hi Max,
>
> I'd like to reproduce your experiment, but I can't find a library
> that supports the 'x5c' header. What do you mean that you added
> it (the x5c header) to the JWS?
The x5c header is defined in JWT but the library I used off github (libjwt) didn't support it. After looking at the code more closely I'm not sure a jwt abstraction layer is really even needed; JWS is pretty simple to use directly. I've forked libjwt and will upload my diff to github tomorrow so you can see what I mean.

> Separately, I don't think "-----BEGIN CERTIFICATE-----" is valid
> for the 'domain-cert-trusted-ca' field, which the YANG in
> the voucher-02 draft says is a "binary" type field called
> 'trusted-ca-certificate'. If it's type binary, then it's
> encoded as just the base64 of the DER, with no PEM header/footer
> ceremony. See here:
>
> https://tools.ietf.org/html/draft-ietf-netmod-yang-json-10#section-6.6.

Totally true. This was discovered at the hackathon too … I just didn't fix it before looking at the JWT stuff.

- max

> Kent
>
>
> -----ORIGINAL MESSAGE-----
>
> Folks, in Chicago we discussed the signing method for vouchers.
>
> Because the voucher is JSON, and there is expectation of a CBOR encoding for
> future work, there is an open discussion point about using the JWS/COSE
> signing methods; if not JWT/CWT. There was brief discussion of this at IETF98
> and one person indicated they liked PKCS7, others indicated JWT and others
> did not speak up. Full meeting minutes might provide more information but my
> recollection was that we'd move the discussion to the list. This thread is
> for that discussion.
>
> The current text of draft-ietf-anima-voucher-02 is:
>
>> The voucher is signed a PKCS#7 SignedData structure, as specified by Section
>> 9.1 of [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as
>> specified in ITU-T X.690.
>
> For concrete discussion, the proposed change is:
>
>> The voucher is a JWT [RFC7519] signed token.
>
> I've updated my tooling that was used during the IETF98 hackathon to support
> a JWT token format; I did this as homework to be informed for the discussion.
>
> MY POSITION: is that I appreciate the simplicity of the JWS signing and feel
> it is a good match for us. It was easy enough to implement, was a refreshing
> change from the ASN1 complexity of PKCS7, and seems to provide a good path
> toward CBOR/COSE in a future document without maintaining PKCS7/CMS technical
> debt or revisiting/rewriting too much.
>
> QUESTION FOR THE WORKING GROUP: What is your position? Why?
>
> What follows is a dump of the raw JWS before signing (the equivalent
> PKCS7/CMS structure would be the SignedData asn1 structures which is hard to
> capture). After that is an encoded and signed voucher. Further below is an
> example of a PKCS7 signed voucher.
>
> Please note these characteristics:
>
> a) From JWT RFC7519 "JWTs are always represented using the JWS Compact
> Serialization". There are some JWT headers that overlap with voucher fields.
> I'm using JWT here; but the distinction between JWS/JWT is not fundamental to
> our discussion. The important point is JWS vs PKCS7.
>
> b) I've added the x5c header to the JWS. This is used to carry the
> certificate chain of the signer. Our current voucher format indicates PKCS7
> which supports an equivalent field called "CertificateSet structure". It's in
> the BRSKI document that we specify "The entire certificate chain, up to and
> including the Domain CA, MUST be included in the CertificateSet structure".
> With the transition to JWT we'd be specifying that the x5c header be fully
> populated up to and including the Domain CA etc.
>
> c) From these examples we can't directly compare size encodings. I don't
> think this is a significant aspect of the conversation but can create
> comparable examples if folks feel that is necessary.
>
> The dumps:
>
> A debug dump of the JWT form before encoding:
>
> {
>   "typ": "JWT",
>   "alg": "ES256",
>   "x5c": [
>     "MIIBdjCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjArMRYwFAYDVQQKDA1DaXNjbyBTeXN0ZW1zMREwDwYDVQQDDAhWZW5kb3JDQTAeFw0xNzA0MDMxNTE1NDVaFw0xODA0MDMxNTE1NDVaMC0xFjAUBgNVBAoMDUNpc2NvIFN5c3RlbXMxEzARBgNVBAMMClZlbmRvck1BU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT9GTrDd0GWgwcuSy8LCn0waMeknpLznajZzqWlLhrPwshgIPIPvbyY6IyCo4uBYU/e4OO6TQD9UVLlyU5R6cA6ozAwLjALBgNVHQ8EBAMCBaAwHwYDVR0jBBgwFoAUR4oEpb4YFuelkMrQjlnKtM01ovEwCgYIKoZIzj0EAwIDRwAwRAIgAQ8YR2IdLodEE8k+JxpBOIAGuzCeT9BmFOVhFUb8eJMCIC23Goss6manRjNSmh6+2oB9tsRbjmnnwuMlDXR8fzug",
>     "[...]"
>   ]
> }
> .
> {
>   "ietf-voucher:voucher": {
>     "assertion": "logging",
>     "domain-cert-trusted-ca": "-----BEGIN CERTIFICATE-----\nMIIBUjCB+qADAgECAgkAwP4qKsGyQlYwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAwwM\nZXN0RXhhbXBsZUNBMB4XDTE3MDMyNTIyMTc1MFoXDTE4MDMyNTIyMTc1MFowFzEV\nMBMGA1UEAwwMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRVrNlEN2ocYscAILBU7NggABo0JgA1rEGdYdCQj1nHKL6xKONJIUfBibe6iMVYd3\nRUmPwaPiHNZJ98kRwHIwnKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU+dVX\naXoucU1godNF0bycS1U5W54wCgYIKoZIzj0EAwIDRwAwRAIgNsCGjpEjuvz6OKJ/\n3rOvMc2ZfDhD02K+0PCVFJGCQGwCIAzf3BS6x9kKSROJJvxDSpg0QK9+b9LSFkbZ\nM1PW98AN\n-----END CERTIFICATE-----\n",
>     "nonce": "ea7102e8e88f119e",
>     "serial-number": "PID:1 SN:widget1",
>     "serial-number-issuer": "36097E3DEA39316EA4CE5C695BE905E78AF2FB5A",
>     "version": "1"
>   }
> }
> .
> [signature goes here]
>
> As per JWT RFC7519 this is what it looks like after URL-safe encoding. You
> can see that now the signature is included (look to the second to last line
> to see the second "." followed by a valid signature):
>
> [...].[...].QkTUpcxv6Ng6ylyWYnlqun-5SFhD1XwLIW1kD7Y9dNwioheNMcVnowkELl_EMClyOWuLvvWuoCHAcWz_UA0IGw
>
>
> Here is an equivalent PKCS7 voucher via asn1 dump.
> You'd have to look at the binary if you really want to decode it. This voucher
> was generated by MCR during the hackathon:
>
> pritikin@ubuntu:~/src/brski-project/brski_msgs$ openssl asn1parse -in mcr.voucher.txt.pkcs7
> 0:d=0 hl=4 l=2706 cons: SEQUENCE
> 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
> 15:d=1 hl=4 l=2691 cons: cont [ 0 ]
> 19:d=2 hl=4 l=2687 cons: SEQUENCE
> 23:d=3 hl=2 l= 1 prim: INTEGER :01
> 26:d=3 hl=2 l= 15 cons: SET
> 28:d=4 hl=2 l= 13 cons: SEQUENCE
> 30:d=5 hl=2 l= 9 prim: OBJECT :sha256
> 41:d=5 hl=2 l= 0 prim: NULL
> 43:d=3 hl=4 l=1644 cons: SEQUENCE
> 47:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
> 58:d=4 hl=4 l=1629 cons: cont [ 0 ]
> 62:d=5 hl=4 l=1625 prim: OCTET STRING :{"ietf-voucher:voucher":{"nonce":"62a2e7693d82fcda2624de58fb6722e5","created-on":"2017-01-01T00:00:00.000Z","device-identifier":"00-d0-e5-f2-00-01","assertion":"logged","owner":"MIIEEzCCAvugAwIBAgIJAK6rFouvk+7YMA0GCSqGSIb3DQEBCwUAMIGfMQsw\nCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdh\nMRowGAYDVQQKDBFPd25lciBFeGFtcGxlIE9uZTERMA8GA1UECwwITm90IFZl\ncnkxGzAZBgNVBAMMEm93bmVyMS5leGFtcGxlLmNvbTEhMB8GCSqGSIb3DQEJ\nARYSb3duZXIxQGV4YW1wbGUuY29tMB4XDTE3MDMyNTE2MjkzNFoXDTE3MDQy\nNDE2MjkzNFowgZ8xCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8w\nDQYDVQQHDAZPdHRhd2ExGjAYBgNVBAoMEU93bmVyIEV4YW1wbGUgT25lMREw\nDwYDVQQLDAhOb3QgVmVyeTEbMBkGA1UEAwwSb3duZXIxLmV4YW1wbGUuY29t\nMSEwHwYJKoZIhvcNAQkBFhJvd25lcjFAZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QYAEnTtXgiKqsfSVYkgkHddFcP34\nOU3YP7ibrsgx0i9cyj7xOzWHOF2PsoKBgTRH75MSMhTl5UidrCszlluK+qp4\nd3Zg31oQM/HDmyRJyRpY+PC1n5Vx/Mj5VagRQbqG7XTDQCfCrhqIKrKBTuPQ\n4vYKeL0tQk4UJlPIoZXEmBk5dkn/Fzl9AfIZSvUzQ1QAhQ9oaLz5Nf5MWHPK\nUY+6b2zA/yQaXduPrVuxp7xCj11C/Ljlhl1/Hx16MJrV33MCbd+RKW711D/3\n0XlWSqEprdbKbqw8WMPjuJ1aoX8aQEWoL+xbomRQQJJoFaMPlzgdDcfoAHDU\nTsxd0+FN8pFHAgMBAAGjUDBOMB0GA1UdDgQWBBSqp5TwQtHsQy9oYLZb0D5W\n+licHDAfBgNVHSMEGDAWgBSqp5TwQtHsQy9oYLZb0D5W+licHDAMBgNVHRME\nBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBgSQGacjwxmbRrrBhW63gY5KaW\nim76rG45p3uh9A8WUfMWryCUufrFOm/QEJnlUUK3QX4KEVj2eywb9gsfkiCE\nyaJzxe665Q2BrWwe3rGVkAhO/fn8upec4E1ASc31ASaF8m+pYqCCPSflL5kV\nMefHG4lEs3XJkHceClRzyXvjb5Kj/u02C5YCjcALYd8/kcSbf4joe1GufvKF\n5wvPBPkRVfbW2KagL+jw62j+8U6oB7FbxtFyqQP1YoZGia9MkPKnK+yg5o/0\ncZ57hgk4mQmM1i82RrUZQVoBP3CD5LdBJZfJoXstRlXe6dX7+TisdSAspp5e\nhNm0BcqdLK+z8ntt\n"}}
> 1691:d=3 hl=4 l= 557 cons: cont [ 0 ]
> 1695:d=4 hl=4 l= 553 cons: SEQUENCE
> 1699:d=5 hl=4 l= 431 cons: SEQUENCE
> 1703:d=6 hl=2 l= 3 cons: cont [ 0 ]
> 1705:d=7 hl=2 l= 1 prim: INTEGER :02
> 1708:d=6 hl=2 l= 1 prim: INTEGER :01
> 1711:d=6 hl=2 l= 10 cons: SEQUENCE
> 1713:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
> 1723:d=6 hl=2 l= 77 cons: SEQUENCE
> 1725:d=7 hl=2 l= 18 cons: SET
> 1727:d=8 hl=2 l= 16 cons: SEQUENCE
> 1729:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
> 1741:d=9 hl=2 l= 2 prim: IA5STRING :ca
> 1745:d=7 hl=2 l= 25 cons: SET
> 1747:d=8 hl=2 l= 23 cons: SEQUENCE
> 1749:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
> 1761:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
> 1772:d=7 hl=2 l= 28 cons: SET
> 1774:d=8 hl=2 l= 26 cons: SEQUENCE
> 1776:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 1781:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Highway CA
> 1802:d=6 hl=2 l= 30 cons: SEQUENCE
> 1804:d=7 hl=2 l= 13 prim: UTCTIME :160507023655Z
> 1819:d=7 hl=2 l= 13 prim: UTCTIME :180507023655Z
> 1834:d=6 hl=2 l= 77 cons: SEQUENCE
> 1836:d=7 hl=2 l= 18 cons: SET
> 1838:d=8 hl=2 l= 16 cons: SEQUENCE
> 1840:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
> 1852:d=9 hl=2 l= 2 prim: IA5STRING :ca
> 1856:d=7 hl=2 l= 25 cons: SET
> 1858:d=8 hl=2 l= 23 cons: SEQUENCE
> 1860:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
> 1872:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
> 1883:d=7 hl=2 l= 28 cons: SET
> 1885:d=8 hl=2 l= 26 cons: SEQUENCE
> 1887:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 1892:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Highway CA
> 1913:d=6 hl=2 l= 118 cons: SEQUENCE
> 1915:d=7 hl=2 l= 16 cons: SEQUENCE
> 1917:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
> 1926:d=8 hl=2 l= 5 prim: OBJECT :secp384r1
> 1933:d=7 hl=2 l= 98 prim: BIT STRING
> 2033:d=6 hl=2 l= 99 cons: cont [ 3 ]
> 2035:d=7 hl=2 l= 97 cons: SEQUENCE
> 2037:d=8 hl=2 l= 15 cons: SEQUENCE
> 2039:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
> 2044:d=9 hl=2 l= 1 prim: BOOLEAN :255
> 2047:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
> 2054:d=8 hl=2 l= 14 cons: SEQUENCE
> 2056:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
> 2061:d=9 hl=2 l= 1 prim: BOOLEAN :255
> 2064:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106
> 2070:d=8 hl=2 l= 29 cons: SEQUENCE
> 2072:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
> 2077:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
> 2101:d=8 hl=2 l= 31 cons: SEQUENCE
> 2103:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
> 2108:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
> 2134:d=5 hl=2 l= 10 cons: SEQUENCE
> 2136:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
> 2146:d=5 hl=2 l= 104 prim: BIT STRING
> 2252:d=3 hl=4 l= 454 cons: SET
> 2256:d=4 hl=4 l= 450 cons: SEQUENCE
> 2260:d=5 hl=2 l= 1 prim: INTEGER :01
> 2263:d=5 hl=2 l= 82 cons: SEQUENCE
> 2265:d=6 hl=2 l= 77 cons: SEQUENCE
> 2267:d=7 hl=2 l= 18 cons: SET
> 2269:d=8 hl=2 l= 16 cons: SEQUENCE
> 2271:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
> 2283:d=9 hl=2 l= 2 prim: IA5STRING :ca
> 2287:d=7 hl=2 l= 25 cons: SET
> 2289:d=8 hl=2 l= 23 cons: SEQUENCE
> 2291:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
> 2303:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
> 2314:d=7 hl=2 l= 28 cons: SET
> 2316:d=8 hl=2 l= 26 cons: SEQUENCE
> 2318:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 2323:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Highway CA
> 2344:d=6 hl=2 l= 1 prim: INTEGER :01
> 2347:d=5 hl=2 l= 13 cons: SEQUENCE
> 2349:d=6 hl=2 l= 9 prim: OBJECT :sha256
> 2360:d=6 hl=2 l= 0 prim: NULL
> 2362:d=5 hl=3 l= 228 cons: cont [ 0 ]
> 2365:d=6 hl=2 l= 24 cons: SEQUENCE
> 2367:d=7 hl=2 l= 9 prim: OBJECT :contentType
> 2378:d=7 hl=2 l= 11 cons: SET
> 2380:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
> 2391:d=6 hl=2 l= 28 cons: SEQUENCE
> 2393:d=7 hl=2 l= 9 prim: OBJECT :signingTime
> 2404:d=7 hl=2 l= 15 cons: SET
> 2406:d=8 hl=2 l= 13 prim: UTCTIME :170325220308Z
> 2421:d=6 hl=2 l= 47 cons: SEQUENCE
> 2423:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
> 2434:d=7 hl=2 l= 34 cons: SET
> 2436:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:552DD2EE5CBC4C7C4D207F98A2519F031EE10074D674265A7DD0CA73E68BE57D
> 2470:d=6 hl=2 l= 121 cons: SEQUENCE
> 2472:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capabilities
> 2483:d=7 hl=2 l= 108 cons: SET
> 2485:d=8 hl=2 l= 106 cons: SEQUENCE
> 2487:d=9 hl=2 l= 11 cons: SEQUENCE
> 2489:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
> 2500:d=9 hl=2 l= 11 cons: SEQUENCE
> 2502:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
> 2513:d=9 hl=2 l= 11 cons: SEQUENCE
> 2515:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
> 2526:d=9 hl=2 l= 10 cons: SEQUENCE
> 2528:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
> 2538:d=9 hl=2 l= 14 cons: SEQUENCE
> 2540:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
> 2550:d=10 hl=2 l= 2 prim: INTEGER :80
> 2554:d=9 hl=2 l= 13 cons: SEQUENCE
> 2556:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
> 2566:d=10 hl=2 l= 1 prim: INTEGER :40
> 2569:d=9 hl=2 l= 7 cons: SEQUENCE
> 2571:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
> 2578:d=9 hl=2 l= 13 cons: SEQUENCE
> 2580:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
> 2590:d=10 hl=2 l= 1 prim: INTEGER :28
> 2593:d=5 hl=2 l= 10 cons: SEQUENCE
> 2595:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
> 2605:d=5 hl=2 l= 103 prim: OCTET STRING [HEX DUMP]:3065023100E60EAF73A69826077CF6B760AF9BD1C9BF723D0E84812B06B5A8B7C252362394D98E1B5B4C02D8ACD8DA5BD2248D51EA02306B5BDBDFFBB022A1E039A1847259D2E0AA332E12D24053B3E7ECA6D18EA821E29A53D93EE3BA4DE7D8C594C51736511C
>
> And this is the "encoded" form:
>
> _______________________________________________
> Anima-bootstrap mailing list
> anima-bootst...@ietf.org
> https://www.ietf.org/mailman/listinfo/anima-bootstrap
>
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima