Dear Randy, working group,

It appears to me you really wanted to ask 'how the heck did you do it???'

*** warning: operating a CA is real work, do NOT follow the below ***

I declared my signing operation 'proprietary' because I can't recommend it as a 'recipe'. I prefer to promote man pages over howtos; especially when signing operators need to walk the path towards a production environment.

My objective in sharing a real-world example @ 2001:67c:208c::/48 is to facilitate the 'draft-ietf-opsawg-finding-geofeeds' effort. I imagine publishing a publicly verifiable real-world example helps validator implementers. Validators of course should assume extremely hostile input.

My showcase was generated without any assistance or communication with the authors of the draft. In doing so, hopefully proving (or disproving) the draft is readable and understandable, so that implementers can produce similar results.

As you asked how exactly the 'kroket' is made....

On Tue, Feb 02, 2021 at 02:33:54PM -0800, Randy Bush wrote:
> > The signature was produced through proprietary means, but for the
> > purpose of validating the signature & interoperability testing that
> > shouldn't matter... right?
>
> unless you are a security person and lived through trojans such as
> dual-ec. extension of kerckhoffs's principle.

I used modern versions of libressl and openssl to generate the EE cert and the signature.

    $ openssl cms -sign \
        -econtent_type 1.2.840.113549.1.9.16.1.47 \
        -nosmimecap \
        -md sha256 \
        -signer ee.cert \
        -inkey ee.key \
        -in geofeed.csv \
        -outform DER \
        -out signature.der

The EE cert was created with a CSR and a lengthy .cnf file.

The '1.2.840.113549.1.9.16.1.47' string can be replaced with a text string after OpenSSL merges in https://github.com/openssl/openssl/pull/14050

The 'free, functional, secure, and mostly compatible public-API' LibreSSL project appears comfortable adding the OID based on just the IANA registry.

Kind regards,

Job

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
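The post asks validator implementers to treat the signature as hostile input. As an added illustration (not Job's code and not part of the draft), the following pure standard-library Python walks the DER of a CMS SignedData (RFC 5652) strictly enough to pull out the eContentType OID and confirm it is the `1.2.840.113549.1.9.16.1.47` content type used in the `openssl cms -sign` command above, before any byte of content is trusted. The `id-signedData` OID `1.2.840.113549.1.7.2` is the RFC 5652 value; the sample SignedData is constructed inline (no certificates or signers, detached content) purely to exercise the parser, and every function name here is the example's own.

```python
"""Strict DER walker that extracts the eContentType OID from a CMS SignedData.

Added example: rejects indefinite and non-minimal lengths, out-of-bounds
values and non-minimal OID arcs, which is the posture a geofeed signature
validator needs when the signature block comes from an untrusted source.
"""

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"         # RFC 5652 id-signedData
ID_CT_GEOFEED_CSV = "1.2.840.113549.1.9.16.1.47" # eContentType from the post

SEQUENCE, SET, INTEGER, OID, CONTEXT_0 = 0x30, 0x31, 0x02, 0x06, 0xA0


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string into its DER value bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2:
        raise ValueError("invalid OID")
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Decode DER OID value bytes, refusing truncated or non-minimal arcs."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, acc = [], 0
    for b in body:
        if acc == 0 and b == 0x80:
            raise ValueError("non-minimal OID arc encoding")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def der_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos], enforcing DER rules."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:                      # 0x80 = indefinite (BER only)
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def der(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER TLV with a minimal length encoding."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def econtent_type(cms_der: bytes) -> str:
    """Walk ContentInfo -> SignedData -> EncapsulatedContentInfo and return its OID."""
    tag, ci, end = der_tlv(cms_der, 0)
    if tag != SEQUENCE or end != len(cms_der):
        raise ValueError("ContentInfo must be exactly one SEQUENCE")
    tag, oid, pos = der_tlv(ci, 0)
    if tag != OID or decode_oid(oid) != ID_SIGNED_DATA:
        raise ValueError("ContentInfo.contentType is not id-signedData")
    tag, explicit, pos = der_tlv(ci, pos)
    if tag != CONTEXT_0 or pos != len(ci):
        raise ValueError("ContentInfo.content must be a single [0] EXPLICIT")
    tag, sd, end = der_tlv(explicit, 0)
    if tag != SEQUENCE or end != len(explicit):
        raise ValueError("SignedData must be a SEQUENCE")
    tag, _version, pos = der_tlv(sd, 0)          # version INTEGER
    if tag != INTEGER:
        raise ValueError("SignedData.version missing")
    tag, _algs, pos = der_tlv(sd, pos)           # digestAlgorithms SET
    if tag != SET:
        raise ValueError("SignedData.digestAlgorithms missing")
    tag, eci, pos = der_tlv(sd, pos)             # encapContentInfo SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("SignedData.encapContentInfo missing")
    tag, oid, _ = der_tlv(eci, 0)
    if tag != OID:
        raise ValueError("eContentType missing")
    return decode_oid(oid)


def build_sample_signed_data(content_type: str = ID_CT_GEOFEED_CSV) -> bytes:
    """Constructed sample: detached-content SignedData skeleton, no certs or signers."""
    eci = der(SEQUENCE, der(OID, encode_oid(content_type)))
    signed_data = der(SEQUENCE, der(INTEGER, b"\x03") + der(SET, b"") + eci + der(SET, b""))
    return der(SEQUENCE, der(OID, encode_oid(ID_SIGNED_DATA)) + der(CONTEXT_0, signed_data))


if __name__ == "__main__":
    sample = build_sample_signed_data()
    print("eContentType:", econtent_type(sample))
```

The walker deliberately has no fallback to BER: an indefinite length, a padded length byte or a leading 0x80 in an OID arc all raise rather than being tolerated, so a signature block that is not canonical DER is rejected at the framing layer before any digest or certificate work begins.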