Dear Randy, working group,

It appears to me you really wanted to ask 'how the heck did you do it???'

*** warning: operating a CA is real work, do NOT follow the below ***

I declared my signing operation 'proprietary' because I can't recommend
it as a 'recipe'. I prefer to promote man pages over howtos; especially
when signing operators need to walk the path towards production
environment.

My objective in sharing a real-world example @ 2001:67c:208c::/48 is to
facilitate the 'draft-ietf-opsawg-finding-geofeeds' effort. I imagine
publishing a publicly verifiable real-world example helps validator
implementers. Validators of course should assume extreme hostile input.

My showcase was generated without any assistance or communication with
the authors of the draft. In doing so, hopefully proving (or disproving)
the draft is readable and understandable, so that implementers can
produce similar results.

As you asked how exactly the 'kroket' is made....

On Tue, Feb 02, 2021 at 02:33:54PM -0800, Randy Bush wrote:
> > The signature was produced through proprietary means, but for the
> > purpose of validating the signature & interoperability testing that
> > shouldn't matter...  right?
> 
> unless you are a security person and lived through trojans such as
> dual-ec.  extension of kerckhoffs's principle.

I used modern versions of libressl and openssl to generate the EE cert
and the signature.

    $ openssl cms -sign \
        -econtent_type 1.2.840.113549.1.9.16.1.47 \
        -nosmimecap \
        -md sha256 \
        -signer ee.cert \
        -inkey ee.key \
        -in geofeed.csv \
        -outform DER \
        -out signature.der

The EE cert was created with a CSR and a lengthy .cnf file. The
'1.2.840.113549.1.9.16.1.47' string can be replaced with a text string
after OpenSSL merges in https://github.com/openssl/openssl/pull/14050.
The 'free, functional, secure, and mostly compatible public-API'
LibreSSL project appears comfortable adding the OID based on just the
IANA registry.

Kind regards,

Job

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg