Hi,
It would be a good idea to add a practical example of the CSR attributes
response. Is there a particular reason to have an example with very little
content in it, i.e. 1 root-level attribute only?
In RFC 7030:
The structure of the CSR Attributes Response SHOULD, to the greatest
extent possible, reflect the structure of the CSR it is requesting.
So I would expect to have a data structure that defines, for example, what
Subject DN attributes the client should include. Or a particular choice of crypto
system, signature scheme, etc.
Given the amount of confusion around this particular data structure, examples
would be good. Or maybe explain why having a "minimal" CSR attributes response
is a good thing?
I can imagine it is good if the Registrar puts as few requirements as possible
on the Pledge for how to structure its CSR, and only MUST-have fields
(like ACP-related ones?) are indicated.
Here is another example:
30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03
02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07

SEQUENCE (5 elem)
  OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
  OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component)
  OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
  OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
    SET (1 elem)
      OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
Not sure whether this is better or worse in terms of usage of CSR attributes
in practice. But at least it is clearer, from an explanation point of view,
what this data was intended for.
Esko
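As an added example that is not part of Esko's message, the draft, or RFC 7030: a small DER decoder/encoder (Python standard library only) that parses the hex dump above into the SEQUENCE/OID/SET tree shown, interprets each top-level element as RFC 7030 section 4.5.2 describes (bare OID versus Attribute SEQUENCE {type, values SET}), and re-encodes it to the same bytes. The OID name table and all function names are this example's own; the input bytes are the ones quoted in the message.

```python
# Added example, not from the thread or RFC 7030: a minimal DER decoder/encoder for
# an EST CSR Attributes response (RFC 7030 section 4.5.2). Standard library only.
# Bytes exactly as given in the message above (bytes.fromhex ignores the spaces).
CSR_ATTRS_HEX = (
    "30 30 06 03 55 04 03 06 03 55 04 05 06 03 55 04 0A 06 08 2A 86 48 CE 3D 04 03"
    " 02 30 15 06 07 2A 86 48 CE 3D 02 01 31 0A 06 08 2A 86 48 CE 3D 03 01 07"
)
OID_NAMES = {"2.5.4.3": "commonName", "2.5.4.5": "serialNumber",  # table assembled here
             "2.5.4.10": "organizationName", "2.5.29.17": "subjectAltName",
             "1.2.840.10045.2.1": "ecPublicKey", "1.2.840.10045.3.1.7": "prime256v1",
             "1.2.840.10045.4.3.2": "ecdsaWithSHA256"}

def read_tlv(buf, pos):
    """Return (tag, body, end) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Base-128 arcs; the first octet packs the first two arcs as 40*a + b."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_at(buf, pos):
    """Parse one element into a (kind, payload) node; returns (node, end)."""
    tag, body, end = read_tlv(buf, pos)
    if tag == 0x06:
        return ("OID", decode_oid(body)), end
    if not tag & 0x20:  # other primitives (e.g. the UTF8String in a SAN) kept raw
        return ("tag 0x%02X" % tag, bytes(body)), end
    kids, p = [], 0  # constructed: SEQUENCE, SET, or a [n] context-specific tag
    while p < len(body):
        node, p = parse_at(body, p)
        kids.append(node)
    return ({0x30: "SEQUENCE", 0x31: "SET"}.get(tag, "[%d]" % (tag & 0x1F)), kids), end

def parse(buf):
    node, end = parse_at(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CsrAttrs")
    return node

def tlv(tag, body):
    """Tag + DER length (short or long form) + body."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode(node):
    """Inverse of parse for the node kinds a CsrAttrs response is built from."""
    kind, payload = node
    if kind == "OID":
        return encode_oid(payload)
    if kind not in ("SEQUENCE", "SET"):
        raise ValueError("encoder only handles OID/SEQUENCE/SET, got " + kind)
    return tlv(0x30 if kind == "SEQUENCE" else 0x31, b"".join(map(encode, payload)))

def requirements(tree):
    """RFC 7030 4.5.2: CsrAttrs is a SEQUENCE of AttrOrOID. A bare OID names an attribute
    or algorithm to use; an Attribute SEQUENCE {type, values SET} also fixes the values."""
    if tree[0] != "SEQUENCE":
        raise ValueError("CsrAttrs must be a SEQUENCE")
    out = []
    for kind, payload in tree[1]:
        if kind == "OID":
            out.append((OID_NAMES.get(payload, payload), None))
        elif (kind == "SEQUENCE" and len(payload) == 2
              and payload[0][0] == "OID" and payload[1][0] == "SET"):
            vals = [OID_NAMES.get(v[1], v[1]) if v[0] == "OID" else v for v in payload[1][1]]
            out.append((OID_NAMES.get(payload[0][1], payload[0][1]), vals))
        else:
            raise ValueError("element is neither an OID nor an Attribute")
    return out

if __name__ == "__main__":
    tree = parse(bytes.fromhex(CSR_ATTRS_HEX))
    print(requirements(tree))  # [('commonName', None), ..., ('ecPublicKey', ['prime256v1'])]
    assert encode(tree) == bytes.fromhex(CSR_ATTRS_HEX)  # round trip reproduces the bytes
```

Running it shows the point of the example in the message: three bare DN-attribute OIDs and one bare signature-algorithm OID tell the client what to include, while the ecPublicKey Attribute additionally pins the value (prime256v1). The parser also walks the constructed `[1]` context tag that appears in the Subject Alternative Name response quoted further down, so both shapes can be inspected the same way.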
-----Original Message-----
From: Michael Richardson <[email protected]>
Sent: Wednesday, April 14, 2021 01:56
To: [email protected]; [email protected]; Esko Dijk <[email protected]>;
Mudumbai Ranganathan <[email protected]>
Cc: [email protected]; [email protected]; [email protected];
[email protected]
Subject: AUTH48 request for CSR example
https://github.com/anima-wg/anima-bootstrap/issues/20 asks me to provide an
example of a CSR attributes reply. I have one, it looks like:
obiwan-[files/product/00-D0-E5-F2-00-02](2.6.6) mcr 11413 %openssl asn1parse -in csrattr.der -inform der
0:d=0 hl=2 l= 72 cons: SEQUENCE
2:d=1 hl=2 l= 70 cons: SEQUENCE
4:d=2 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
9:d=2 hl=2 l= 63 cons: SET
11:d=3 hl=2 l= 61 cons: SEQUENCE
13:d=4 hl=2 l= 59 cons: cont [ 1 ]
15:d=5 hl=2 l= 57 prim: UTF8STRING :[email protected]
I don't know if this is worth adding.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima