From minfrin at redwax.eu Sun Mar 1 15:22:15 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Sun, 1 Mar 2020 16:22:15 +0200 Subject: [rs-dev] New interop: Certificate sign request / Microsoft CertEnroll Message-ID: Hi all, There is a new interop page at https://interop.redwax.eu/rs/csr/ describing how the mod_csr module can be used to implement the Microsoft CertEnroll mechanism in Internet Explorer 11. This is the only place I am aware of where this is written down as a complete working example. Regards, Graham ? From dirkx at webweaving.org Sun Mar 1 17:45:16 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sun, 1 Mar 2020 16:45:16 +0000 Subject: [rs-dev] New interop: Certificate sign request / Microsoft CertEnroll In-Reply-To: References: Message-ID: <4F8943F6-33C0-4DE6-9A89-35552420DBB3@webweaving.org> > On 1 Mar 2020, at 14:22, Graham Leggett via rs-dev wrote: > > Hi all, > > There is a new interop page at https://interop.redwax.eu/rs/csr/ describing how the mod_csr module can be used to implement the Microsoft CertEnroll mechanism in Internet Explorer 11. > > This is the only place I am aware of where this is written down as a complete working example. Well done ! And yes - it most likely is. Perhaps we should do a very short informational RFC :) Dw. From dirkx at webweaving.org Thu Mar 5 15:13:44 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Thu, 5 Mar 2020 15:13:44 +0100 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> Message-ID: <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> On 5 Mar 2020, at 14:52, Graham Leggett wrote: > On 05 Mar 2020, at 14:47, Dirk-Willem van Gulik > wrote: > >>> I eventually had luck with the OSS Nokalva using a trial license: >> >> Spendid ! >> >>> The updated draft looks like this: >>> >>> https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt > Using the following openssl patch: > > Little-Net:openssl-spkac-md minfrin$ svn diff > Index: apps/spkac.c > =================================================================== > --- apps/spkac.c (revision 40679) > +++ apps/spkac.c (working copy) > @@ -23,7 +23,7 @@ > typedef enum OPTION_choice { > OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, > OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT, > - OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC, > + OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_MD, OPT_PASSIN, OPT_SPKAC, > OPT_SPKSECT, OPT_KEYFORM > } OPTION_CHOICE; > > @@ -42,6 +42,7 @@ > {"keyform", OPT_KEYFORM, 'f', "Private key file format - default PEM (PEM, DER, or ENGINE)"}, > {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, > {"challenge", OPT_CHALLENGE, 's', "Challenge string"}, > + {"md", OPT_MD, 's', "Digest algorithm to use when signing - default MD5, SHA256 recommended"}, > {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"}, > > OPT_SECTION("Output"), > @@ -59,6 +60,7 @@ > ENGINE *e = NULL; > EVP_PKEY *pkey = NULL; > NETSCAPE_SPKI *spki = NULL; > + const EVP_MD *sign_md = EVP_md5(); > char *challenge = NULL, *keyfile = NULL; > char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL; > char *spkstr = NULL, *prog; > @@ -107,6 +109,10 @@ > case OPT_CHALLENGE: > challenge = opt_arg(); > break; > + case OPT_MD: > + if (!opt_md(opt_arg(), &sign_md)) > + goto opthelp; > + break; > case OPT_SPKAC: > spkac = opt_arg(); > break; > @@ -139,7 +145,7 @@ > ASN1_STRING_set(spki->spkac->challenge, > challenge, (int)strlen(challenge)); > NETSCAPE_SPKI_set_pubkey(spki, pkey); > - NETSCAPE_SPKI_sign(spki, pkey, EVP_md5()); > + NETSCAPE_SPKI_sign(spki, pkey, sign_md); > spkstr = NETSCAPE_SPKI_b64_encode(spki); > if (spkstr == NULL) > goto end; > Index: doc/man1/openssl-spkac.pod.in > =================================================================== > --- doc/man1/openssl-spkac.pod.in (revision 40679) > +++ doc/man1/openssl-spkac.pod.in (working copy) > @@ -20,6 +20,7 @@ > [B<-passin> I] > [B<-challenge> I] > [B<-pubkey>] > +[B<-md>] > [B<-spkac> I] > [B<-spksect> I
] > [B<-noout>] > @@ -93,6 +94,11 @@ > Output the public key of an SPKAC (not used if an SPKAC is > being created). > > +=item B<-md> > + > +The message digest used for signing. Historically the default value has > +been MD5, but SHA256 is recommended. > + > =item B<-verify> > > Verifies the digital signature on the supplied SPKAC. > > We are able to generate and verify an SPKAC using SHA256 as a digest algorithm: > > Little-Net:openssl-spkac-md minfrin$ /tmp/httpd-trunk/bin/openssl spkac -challenge challenge -key ~/ca/pepperpot/pepperpot.media.key -md sha256 > SPKAC=MIIESTCCAjEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9wmyQidBwnIN308UwRlTX2mB9g1a05IR6l9TOGmSz6BV5YYbavXdq38EA7dw/44U/P9edRNIwFTMPLWIbhkDYMZkuziyovhBji8c5gUb09Flplc1aWO8V4u5kjEY6clusYVSxL+j0GU3NXW2k2AC4+Ts8Y/sE9kfqWb5QzTI2Tz1UqRr6oE2G65LhFhgkg/yafnvOsh+B8nNwdcPwbqzPW8qNFrDqppDg9sm5PbrfGY9xTeBYKq0AVv//qyG5YgqjNZPIPC4mRQfx/IPbcMJXNIf6iRQiLniAxFuBmO3Ohog8rufUezWrA5d3f1sorTozkKxRECwnzgMcKmzcyZtENbkrNuL1BbDqhwDs3xf9ilbwkiRx1BOWrPCEXZneS96iFRkEMkw2AcIQIqiDNSStpOt8jyKX4sRdUO3tfagCZ1QcL2Dmyab5aypTr/eVx/xj3sZsrQCy89BlOsSN9GTBbIQeui97PiA6hmVFUWbGLa2TdZH+Bnjjc8OiZPF5YH9uQo1Z9xD+fxcL6xOQW35/JyJ7AtGa1SIut0q3WQ4S93wAB/DOADc9GWl4mWB/2goLDsCUWXSHYs2czS/2a/Lh9MKQsDKLQbEMncxaq3TVBG7Urq9SRnmemguaWjvoni0o725nWi/j5H6AtOZYoFGmccjxraSAVGWS4r+0X3qSZQIDAQABFgljaGFsbGVuZ2UwDQYJKoZIhvcNAQELBQADggIBAJJgmBFMD+2AqkQpD/2AgCcoKNkRmcD8EkHQY+5WN80+ogaWf5VcDU3ycP2554x95EPLhclqrX9xbzUemuUoNiR/sPyhxl0Pr7OPtKqulW6QvT+YCcyrbILR1jE8lhVSENkT/fL6U9J4NPd7qGB0OFiTv9tAT1huzzuXgx676T8Y5mb9XVk0C6CCGEoDxSKI2n3/nbkdyyXlq1uFphwVCXEBUvrndD8y3vKd8rhtGyvz8cTg2q/mHmSHldwwmfksaRNwh9mxOKerLUQ5pFM68HODOnJHFs/D26GQlwINfVqrVnI+oCA/VFFz/QO4minT7zuDSGa/cFdiPWj3d//Gz02ppUIHk8RVKrdGgTf/efQmbP2zLEfaAfTUlSjVliVDqw5SRG6QJYrvz80pfZcz13BY3pkN5lnAcuA8Ld5Gb/YVfiJkiefvMt9t753pe9Yxv8iU6PKfQO8UbiGbPfEDP5bQ1EJPX0rdmvX7T85hwR7LXC5iUBs2xdahTfDgoZTZ/12fSoNwkdgmYURmy/fAEOnVHIn5Gj/LKu8ii2UOzWktbAnz4f30MeuFeaBx5h9ve/nELQnvsPiZgIDFdKYdXb8yJRTgg9ahYdPhEC/u1RIJFxs4sRmRfZwY7qATssLhnL9ZDtDuuZxJft+sn5swpiepSiekGvw20fsP6tRD4nu0 > Little-Net:openssl-spkac-md minfrin$ /tmp/httpd-trunk/bin/openssl spkac -challenge challenge -key ~/ca/pepperpot/pepperpot.media.key -md sha256 | /tmp/httpd-trunk/bin/openssl spkac -challenge challenge -verify > Netscape SPKI: > Public Key Algorithm: rsaEncryption > RSA Public-Key: (4096 bit) > Modulus: > 00:bd:c2:6c:90:89:d0:70:9c:83:77:d3:c5:30:46: > 54:d7:da:60:7d:83:56:b4:e4:84:7a:97:d4:ce:1a: > 64:b3:e8:15:79:61:86:da:bd:77:6a:df:c1:00:ed: > dc:3f:e3:85:3f:3f:d7:9d:44:d2:30:15:33:0f:2d: > 62:1b:86:40:d8:31:99:2e:ce:2c:a8:be:10:63:8b: > c7:39:81:46:f4:f4:59:69:95:cd:5a:58:ef:15:e2: > ee:64:8c:46:3a:72:5b:ac:61:54:b1:2f:e8:f4:19: > 4d:cd:5d:6d:a4:d8:00:b8:f9:3b:3c:63:fb:04:f6: > 47:ea:59:be:50:cd:32:36:4f:3d:54:a9:1a:fa:a0: > 4d:86:eb:92:e1:16:18:24:83:fc:9a:7e:7b:ce:b2: > 1f:81:f2:73:70:75:c3:f0:6e:ac:cf:5b:ca:8d:16: > b0:ea:a6:90:e0:f6:c9:b9:3d:ba:df:19:8f:71:4d: > e0:58:2a:ad:00:56:ff:ff:ab:21:b9:62:0a:a3:35: > 93:c8:3c:2e:26:45:07:f1:fc:83:db:70:c2:57:34: > 87:fa:89:14:22:2e:78:80:c4:5b:81:98:ed:ce:86: > 88:3c:ae:e7:d4:7b:35:ab:03:97:77:7f:5b:28:ad: > 3a:33:90:ac:51:10:2c:27:ce:03:1c:2a:6c:dc:c9: > 9b:44:35:b9:2b:36:e2:f5:05:b0:ea:87:00:ec:df: > 17:fd:8a:56:f0:92:24:71:d4:13:96:ac:f0:84:5d: > 99:de:4b:de:a2:15:19:04:32:4c:36:01:c2:10:22: > a8:83:35:24:ad:a4:eb:7c:8f:22:97:e2:c4:5d:50: > ed:ed:7d:a8:02:67:54:1c:2f:60:e6:c9:a6:f9:6b: > 2a:53:af:f7:95:c7:fc:63:de:c6:6c:ad:00:b2:f3: > d0:65:3a:c4:8d:f4:64:c1:6c:84:1e:ba:2f:7b:3e: > 20:3a:86:65:45:51:66:c6:2d:ad:93:75:91:fe:06: > 78:e3:73:c3:a2:64:f1:79:60:7f:6e:42:8d:59:f7: > 10:fe:7f:17:0b:eb:13:90:5b:7e:7f:27:22:7b:02: > d1:9a:d5:22:2e:b7:4a:b7:59:0e:12:f7:7c:00:07: > f0:ce:00:37:3d:19:69:78:99:60:7f:da:0a:0b:0e: > c0:94:59:74:87:62:cd:9c:cd:2f:f6:6b:f2:e1:f4: > c2:90:b0:32:8b:41:b1:0c:9d:cc:5a:ab:74:d5:04: > 6e:d4:ae:af:52:46:79:9e:9a:0b:9a:5a:3b:e8:9e: > 2d:28:ef:6e:67:5a:2f:e3:e4:7e:80:b4:e6:58:a0: > 51:a6:71:c8:f1:ad:a4:80:54:65:92:e2:bf:b4:5f: > 7a:92:65 > Exponent: 65537 (0x10001) > Challenge String: challenge > Signature Algorithm: sha256WithRSAEncryption > 92:60:98:11:4c:0f:ed:80:aa:44:29:0f:fd:80:80:27:28:28: > d9:11:99:c0:fc:12:41:d0:63:ee:56:37:cd:3e:a2:06:96:7f: > 95:5c:0d:4d:f2:70:fd:b9:e7:8c:7d:e4:43:cb:85:c9:6a:ad: > 7f:71:6f:35:1e:9a:e5:28:36:24:7f:b0:fc:a1:c6:5d:0f:af: > b3:8f:b4:aa:ae:95:6e:90:bd:3f:98:09:cc:ab:6c:82:d1:d6: > 31:3c:96:15:52:10:d9:13:fd:f2:fa:53:d2:78:34:f7:7b:a8: > 60:74:38:58:93:bf:db:40:4f:58:6e:cf:3b:97:83:1e:bb:e9: > 3f:18:e6:66:fd:5d:59:34:0b:a0:82:18:4a:03:c5:22:88:da: > 7d:ff:9d:b9:1d:cb:25:e5:ab:5b:85:a6:1c:15:09:71:01:52: > fa:e7:74:3f:32:de:f2:9d:f2:b8:6d:1b:2b:f3:f1:c4:e0:da: > af:e6:1e:64:87:95:dc:30:99:f9:2c:69:13:70:87:d9:b1:38: > a7:ab:2d:44:39:a4:53:3a:f0:73:83:3a:72:47:16:cf:c3:db: > a1:90:97:02:0d:7d:5a:ab:56:72:3e:a0:20:3f:54:51:73:fd: > 03:b8:9a:29:d3:ef:3b:83:48:66:bf:70:57:62:3d:68:f7:77: > ff:c6:cf:4d:a9:a5:42:07:93:c4:55:2a:b7:46:81:37:ff:79: > f4:26:6c:fd:b3:2c:47:da:01:f4:d4:95:28:d5:96:25:43:ab: > 0e:52:44:6e:90:25:8a:ef:cf:cd:29:7d:97:33:d7:70:58:de: > 99:0d:e6:59:c0:72:e0:3c:2d:de:46:6f:f6:15:7e:22:64:89: > e7:ef:32:df:6d:ef:9d:e9:7b:d6:31:bf:c8:94:e8:f2:9f:40: > ef:14:6e:21:9b:3d:f1:03:3f:96:d0:d4:42:4f:5f:4a:dd:9a: > f5:fb:4f:ce:61:c1:1e:cb:5c:2e:62:50:1b:36:c5:d6:a1:4d: > f0:e0:a1:94:d9:ff:5d:9f:4a:83:70:91:d8:26:61:44:66:cb: > f7:c0:10:e9:d5:1c:89:f9:1a:3f:cb:2a:ef:22:8b:65:0e:cd: > 69:2d:6c:09:f3:e1:fd:f4:31:eb:85:79:a0:71:e6:1f:6f:7b: > f9:c4:2d:09:ef:b0:f8:99:80:80:c5:74:a6:1d:5d:bf:32:25: > 14:e0:83:d6:a1:61:d3:e1:10:2f:ee:d5:12:09:17:1b:38:b1: > 19:91:7d:9c:18:ee:a0:13:b2:c2:e1:9c:bf:59:0e:d0:ee:b9: > 9c:49:7e:df:ac:9f:9b:30:a6:27:a9:4a:27:a4:1a:fc:36:d1: > fb:0f:ea:d4:43:e2:7b:b4 > Signature OK Nice ! You push this to openssl ? Happy to do that too (their process is fairly simple). Dw. From minfrin at redwax.eu Thu Mar 5 15:38:05 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Thu, 5 Mar 2020 16:38:05 +0200 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> Message-ID: <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> On 05 Mar 2020, at 16:13, Dirk-Willem van Gulik via rs-dev wrote: > Nice ! > > You push this to openssl ? Happy to do that too (their process is fairly simple). Just signed their iCLA, it?s in this PR: https://github.com/openssl/openssl/pull/11260 Should I mention anything else in the PR, or is what?s there ok? Regards, Graham ? From dirkx at webweaving.org Thu Mar 5 15:53:49 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Thu, 5 Mar 2020 15:53:49 +0100 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> Message-ID: <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> Looks OK. Dw. > On 5 Mar 2020, at 15:38, Graham Leggett wrote: > > On 05 Mar 2020, at 16:13, Dirk-Willem van Gulik via rs-dev wrote: > >> Nice ! >> >> You push this to openssl ? Happy to do that too (their process is fairly simple). > > Just signed their iCLA, it?s in this PR: > > https://github.com/openssl/openssl/pull/11260 > > Should I mention anything else in the PR, or is what?s there ok? > > Regards, > Graham > ? > > From minfrin at redwax.eu Thu Mar 5 15:56:44 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Thu, 5 Mar 2020 16:56:44 +0200 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> Message-ID: On 05 Mar 2020, at 16:53, Dirk-Willem van Gulik wrote: > Looks OK. Example has been added: https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt Just need to add references for RSA, etc. Regards, Graham ? From minfrin at redwax.eu Thu Mar 5 16:16:26 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Thu, 5 Mar 2020 17:16:26 +0200 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> Message-ID: <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> On 05 Mar 2020, at 16:56, Graham Leggett via rs-dev wrote: > Example has been added: > > https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt > > Just need to add references for RSA, etc. References have been added, do we need anything else? https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt Regards, Graham ? From dirkx at webweaving.org Thu Mar 5 16:21:38 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Thu, 5 Mar 2020 16:21:38 +0100 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> Message-ID: > On 5 Mar 2020, at 16:16, Graham Leggett wrote: > > On 05 Mar 2020, at 16:56, Graham Leggett via rs-dev wrote: > >> Example has been added: >> >> https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt >> >> Just need to add references for RSA, etc. > > References have been added, do we need anything else? I was in de middle of writing below. But have not had the chance to finish it. Dw. > https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt Index: draft-leggett-spkac-00.xml =================================================================== --- draft-leggett-spkac-00.xml (revision 5) +++ draft-leggett-spkac-00.xml (working copy) @@ -76,7 +76,7 @@ This memo describes the Signed Public Key and Challenge (SPKAC), a syntax to provide - Proof-of-Possession of a Public Key. + Proof-of-Possession of a Public Key to support federated (client) certificate enrolment. @@ -100,10 +100,10 @@ The SPKAC protocol was originally used by the Netscape web browser as part of their implementation of what eventually became the HTML5 keygen - tag. The keygen tag allowed a web browser to request a certificate from + tag. The keygen tag allowed a web browser to request a (client) certificate from a certificate authority over the world wide web, and the SPKAC protocol ensured the web browser possessed the key being signed by the certificate - authority. + authority. For a long time the Signed Public Key and Challenge was a de facto @@ -111,9 +111,22 @@ document the existing use of the protocol, and formalise the protocol into a standard. + + Note that, on XX, Google/Mozilla unilaterally decided to retire keygen + tag support from the XX engine. + + Prior to this; this defacto, interoperable, protocol was widely used by both + centralised certificate certificate authorities (that would issue personal digital + x509 certificates) as well as in more local enterprise & federated settings. +
+XX mention that historically hardware tokens and softtokens were used in those browsers +XX no (federated or peer2peer) replacement left once google removed this - due to CORS/single-origin/etc limtis java script. +XX example of typical enterprise use - often AD intergrated (like at the Beeb) +XX pointer to MS world Enroll to illustrate that this coverded the whoel gammut interoperable +
ASN.1 Module SPKAC This appendix includes all of the ASN.1 type and value definitions @@ -192,6 +205,24 @@ additional steps SHOULD be taken to ensure that SPKAC message is delivered over a secure transport, such as TLS.
+
+ UI/UX Denial of Service design issues + User interfaces in the browser should take care to not allow (rogue) webpages + or javascript generate very large number of keygen requests; as this is not only + somewhat resource intensive; but may also deplete cryptographic quality random + generator pools (historically a concern). Especially as most implementations + will generally keep the cryptographic code and (private) key storage outside + the sandbox in which the DOM and Javascript is handled. + + Likewise - browsers should be particularly careful when handling solicited (and + unsolicited & maliciously repeated/high-volume) responses to a keygen/spkac + submission when storing (and recombining) these in the key store. + + Especially has (historically) it was common for such + request to be handled asynchronously; with the user receiving an email after, for example + human approval, to pick up the signed certificate at a certain URL. + +
From minfrin at redwax.eu Thu Mar 5 18:13:14 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Thu, 5 Mar 2020 19:13:14 +0200 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> Message-ID: <7F6D0012-2B56-45A7-B050-B93143563233@redwax.eu> On 05 Mar 2020, at 17:21, Dirk-Willem van Gulik wrote: > I was in de middle of writing below. But have not had the chance to finish it. I've added it to https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt, can you take a look? Regards, Graham ? From dirkx at webweaving.org Thu Mar 5 18:18:22 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Thu, 5 Mar 2020 18:18:22 +0100 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: <7F6D0012-2B56-45A7-B050-B93143563233@redwax.eu> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> <7F6D0012-2B56-45A7-B050-B93143563233@redwax.eu> Message-ID: > On 5 Mar 2020, at 18:13, Graham Leggett wrote: > > On 05 Mar 2020, at 17:21, Dirk-Willem van Gulik wrote: > >> I was in de middle of writing below. But have not had the chance to finish it. > > I've added it to https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt, can you take a look? Made a small tweak. Think we're done. Dw. From minfrin at redwax.eu Fri Mar 6 02:01:36 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Fri, 6 Mar 2020 03:01:36 +0200 Subject: [rs-dev] Draft RFC: Signed Public Key and Challenge In-Reply-To: References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> <7F6D0012-2B56-45A7-B050-B93143563233@redwax.eu> Message-ID: <1EE7F5AE-2F9B-4F6C-9877-8AD961D57235@redwax.eu> On 05 Mar 2020, at 19:18, Dirk-Willem van Gulik wrote: >> I've added it to https://source.redwax.eu/svn/redwax/std/spkac/trunk/draft-leggett-spkac-00.txt, can you take a look? > > Made a small tweak. Think we're done. I have submitted it: https://datatracker.ietf.org/doc/draft-leggett-spkac/ Next up is certenroll, the repo is set up and ready to go: https://source.redwax.eu/projects/STD/repos/certenroll/browse https://source.redwax.eu/svn/redwax/std/certenroll/trunk Regards, Graham ? From minfrin at sharp.fm Sat Mar 7 00:54:57 2020 From: minfrin at sharp.fm (Graham Leggett) Date: Sat, 7 Mar 2020 01:54:57 +0200 Subject: [rs-dev] Draft RFC: Certificate Enrollment API (Microsoft CertEnroll) In-Reply-To: <1EE7F5AE-2F9B-4F6C-9877-8AD961D57235@redwax.eu> References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> <7F6D0012-2B56-45A7-B050-B93143563233@redwax.eu> <1EE7F5AE-2F9B-4F6C-9877-8AD961D57235@redwax.eu> Message-ID: On 06 Mar 2020, at 03:01, Graham Leggett via rs-dev wrote: > Next up is certenroll, the repo is set up and ready to go: > > https://source.redwax.eu/projects/STD/repos/certenroll/browse > https://source.redwax.eu/svn/redwax/std/certenroll/trunk To write an RFC to cover Microsoft Certenroll, how much would be need to cover in the RFC? The certenroll C/C++ API itself is extensively documented here: https://docs.microsoft.com/en-us/windows/win32/seccertenroll/certenroll-portal The piece that?s missing in their docs is how Microsoft gets this C/C++ API and exposes it inside the web browser. Most specifically: - They declare an tag with classid 884e2049-217d-11da-b2a4-000e7bbb2b09 - this is undocumented anywhere sensible. - This object has a method called CreateObject, documented here: https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nf-certenroll-ix509enrollmentwebclassfactory-createobject - Each C/C++ object that can be created by CreateObject, is also a javascript object that can be created by CreateObject. This is undocumented anywhere sensible So the problem is the code is mostly documented, the part that?s missing is telling people it?s exposed as javascript, and available as an object. We don?t want to boil the ocean and produce a 1000 page RFC containing the whole Microsoft API, how much do you recommend should be covered? Regards, Graham ? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5014 bytes Desc: not available URL: From minfrin at sharp.fm Sat Mar 7 00:57:58 2020 From: minfrin at sharp.fm (Graham Leggett) Date: Sat, 7 Mar 2020 01:57:58 +0200 Subject: [rs-dev] Draft RFC: Certificate Enrollment API (Microsoft CertEnroll) In-Reply-To: References: <8DAA99B2-BE96-48F6-9193-EBF984366F53@redwax.eu> <7DB05485-D6F8-4E3B-AAC3-0CD9F80744B7@webweaving.org> <7E5961CD-9F16-4A0D-B644-73D199F17A57@redwax.eu> <00C70EE7-53B1-412A-B06B-E6D9FFD6951A@webweaving.org> <35AFD806-E3EA-4AF2-A3A1-E41E46718BCA@redwax.eu> <9F8397A3-D810-456A-A1BD-61D29362554A@webweaving.org> <82EA6B6B-05BD-4249-A06E-4E996822BA82@redwax.eu> <7F6D0012-2B56-45A7-B050-B93143563233@redwax.eu> <1EE7F5AE-2F9B-4F6C-9877-8AD961D57235@redwax.eu> Message-ID: <24E0F384-97FA-4D95-91B3-01D4710963C5@sharp.fm> On 07 Mar 2020, at 01:54, Graham Leggett via rs-dev wrote: > - Each C/C++ object that can be created by CreateObject, is also a javascript object that can be created by CreateObject. This is undocumented anywhere sensible Not strictly true - this is documented here: https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nn-certenroll-ix509enrollmentwebclassfactory Regards, Graham ? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5014 bytes Desc: not available URL: From dirkx at webweaving.org Thu Mar 26 10:51:07 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Thu, 26 Mar 2020 10:51:07 +0100 Subject: [rs-dev] MacOSX gone through -- mod_cert et.al. Message-ID: <04823A61-0D03-4FCF-89CF-D94F98ECD477@webweaving.org> So MacOSX (ports) has gone through. Am wondering if we should do a release of the new modules (mod_cert, _pkcs7) - so we can see if we can automate the process better for getting it into distributions. Mainly as the move of the various communities to git means a lot of private / non-public comms. So it is better to have this early & code in scripts to capture knowledge. Also wondering if we should temporarily add the _bearer modules to redwax -- so we can have these in NixOS earlier/too. Dw From minfrin at sharp.fm Thu Mar 26 12:23:14 2020 From: minfrin at sharp.fm (Graham Leggett) Date: Thu, 26 Mar 2020 13:23:14 +0200 Subject: [rs-dev] MacOSX gone through -- mod_cert et.al. In-Reply-To: <04823A61-0D03-4FCF-89CF-D94F98ECD477@webweaving.org> References: <04823A61-0D03-4FCF-89CF-D94F98ECD477@webweaving.org> Message-ID: On 26 Mar 2020, at 11:51, Dirk-Willem van Gulik via rs-dev wrote: > So MacOSX (ports) has gone through. > > Am wondering if we should do a release of the new modules (mod_cert, _pkcs7) - so we can see if we can automate the process better for getting it into distributions. > > Mainly as the move of the various communities to git means a lot of private / non-public comms. So it is better to have this early & code in scripts to capture knowledge. Jira supports a ?release? button that integrates with Bamboo, my plan is to automate the ?release prepare? part (cut release, make dist, upload to dev directory ready for approval and signing), and then ?release perform? part (kick COPR, kick NixOS, automate everything). If we can create some discrete scripts to do discrete things like ?given dist/release URL, update NixOS? I can bake them into Bamboo when the time comes. > Also wondering if we should temporarily add the _bearer modules to redwax -- so we can have these in NixOS earlier/too. I need to finish the docs for the bearer modules, which should be quick to do because the modules are simple, then they go into trunk. mod_auth_bearer can be released anytime, but mod_autht_jwt depends on the as-yet-unreleased apr-util v1.7, which in turn has been blocked behind a half finished implementation of apr_crypto_prng that one of the Redhat people created, and only works with openssl and doesn?t work on a Mac out the box because openssl is deprecated (and was veto?d by me over a year ago after it utterly broke apr-util modules support, which was ignored, so I tried to fix all of it, which I mostly did, sigh). Regards, Graham ? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5014 bytes Desc: not available URL: