Hi Michael,

The csrattr response can include OIDs + values which will be in the client
CSR. They do not necessarily need to be DN attributes. A CSR could have
more like 

   CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature          BIT STRING
   }
   AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
        algorithm          ALGORITHM.&id({IOSet}),
        parameters         ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
   }
   CertificationRequestInfo ::= SEQUENCE {
        version       INTEGER { v1(0) } (v1,...),
        subject       Name,
        subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
        attributes    [0] Attributes{{ CRIAttributes }}
   }

as specified in https://datatracker.ietf.org/doc/html/rfc2986

Any of the CertificationRequestInfo attributes can be included in the
csrattrs. 

We have not been using many of them in our use of csrattrs and overall I
have not seen CAs implementing them either. Pretty much support for both RSA
and ECDSA alg OIDs is assumed.

Rgs,
Panos


-----Original Message-----
From: Spasm <[email protected]> On Behalf Of Michael Richardson
Sent: Thursday, May 27, 2021 10:16 AM
To: [email protected]; Max Pritikin (pritikin) <[email protected]>
Cc: [email protected]
Subject: [lamps] key algorithm in CSR


RFC7030 defines the CSR attributes.
It says:
   "In addition, a CA may desire to certify a certain type of public key and
   a client may not have a priori knowledge of that fact."

and:
  If the CA requires a particular crypto system or use of a particular
  signature scheme (e.g., certification of a public key based on a
  certain elliptic curve, or signing using a certain hash algorithm) it
  MUST provide that information in the CSR Attribute Response.

I think that this means, if a CA wants RSA, then it should include the
attribute sha256WithRSAEncryption ( 1 2 840 113549 1 1 11 ).
It feels odd, because that's not a DN attribute.

I am asking this because my ACP implementation has to deal with RSA
certificates until everything is ECDSA happy.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [



_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
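
Added example, not part of the original thread: a Python decoder for the CsrAttrs structure of RFC 7030 (section 4.5.2), showing that a response can carry a bare algorithm OID such as sha256WithRSAEncryption as well as an Attribute with values. The sample byte strings are constructed for illustration and the function names are this example's own.

```python
# Added example: decode an EST CsrAttrs body (RFC 7030, section 4.5.2). Each item is a
# bare OID or an Attribute (SEQUENCE { type OID, values SET }). Short-form lengths only.

def dec_oid(body):                      # sketch: assumes first arc is 0 or 1
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)   # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlvs(buf):
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] & 0x80 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated or long-form TLV")
        items.append((buf[i], buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return items

def parse_csrattrs(der):
    """Return (oid, None) per bare OID and (type_oid, [values]) per Attribute."""
    top = read_tlvs(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("CsrAttrs must be a single SEQUENCE")
    out = []
    for tag, body in read_tlvs(top[0][1]):
        if tag == 0x06:                 # AttrOrOID: oid
            out.append((dec_oid(body), None))
        elif tag == 0x30:               # AttrOrOID: attribute
            parts = read_tlvs(body)
            if [t for t, _ in parts] != [0x06, 0x31]:
                raise ValueError("Attribute must be SEQUENCE { OID, SET }")
            vals = [dec_oid(v) if t == 0x06 else v.hex() for t, v in read_tlvs(parts[1][1])]
            out.append((dec_oid(parts[0][1]), vals))
        else:
            raise ValueError("unexpected tag in CsrAttrs")
    return out

# Constructed samples (hand-encoded, not captured from a real CA).
RSA_CA = bytes.fromhex("300b" "06092a864886f70d01010b")   # sha256WithRSAEncryption
EC_CA = bytes.fromhex("301e" "3012" "06072a8648ce3d0201"   # Attribute: id-ecPublicKey
                      "3107" "06052b81040022"              #   value SET: secp384r1
                      "06082a8648ce3d040303")              # bare OID: ecdsa-with-SHA384
if __name__ == "__main__":
    print(parse_csrattrs(RSA_CA), parse_csrattrs(EC_CA))
```

A client can use the decoded list to see which entries arrive as bare OIDs and which as attributes with values before it builds its CSR.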
