Hi Max, I think what you're trying to say is that the x5c header is not under the signature and therefore can be added after the fact using any text- editing tool. Is that right?
Actually, for that matter, I imagine that the entire thing could be constructed without the use of a JWT library - simple openssl/shell script may work? - what do you think? For instance, here's a script for base64url: https://raw.githubusercontent.com/Moodstocks/moodstocks-api-clients/master/bash/base64url.sh K. -----ORIGINAL MESSAGE----- Kent, > On Apr 20, 2017, at 6:55 PM, Max Pritikin (pritikin) <[email protected]> > wrote: > >> >> On Apr 20, 2017, at 6:51 PM, Kent Watsen <[email protected]> wrote: >> >> >> Hi Max, >> >> I'd like to reproduce your experiment, but I can't find a library >> that supports the 'x5c' header. What do you mean that you added >> it (the x5c header) to the JWS? > > > The x5c header is defined in JWT but the library I used off github (libjwt) > didn’t support it. After looking at the code more closely I’m not sure a jwt > abstraction layer is really even needed; JWS is pretty simple to use > directly. I’ve forked libjwt and will upload my diff to github tomorrow so > you can see what i mean. Here is a diff that shows what I mean: https://github.com/pritikin/libjwt/commit/da7b8b9b59c26f4af6edefaeafb34ffc1f207cca In summary: JWS defines a {header}.{payload}.signature method. You don’t really need a JWT library to do that. I was new to the space and wanted a quick ramp up so I used the libjwt library to experiment and found that it hardcoded the {header} information and thus couldn’t support the x5c header we were discussing. With normal, simple, JWS via a JSON library, you’d just add this element like any other normal JSON but because I was using a jwt abstraction I had to update the library’s abstraction layer to support arbitrary JSON additions to the header. - max > >> >> Separately, I don't think "-----BEGIN CERTIFICATE-----" is valid >> for the 'domain-cert-trusted-ca' field, for which the YANG in >> the voucher-02 draft says is a "binary" type field called >> 'trusted-ca-certificate'. If it's type binary, then it's >> encoded as just the base64 of the DER, with no PEM header/footer >> ceremony. See here: >> >> https://tools.ietf.org/html/draft-ietf-netmod-yang-json-10#section-6.6. > > Totally true. This was discovered at the hackathon too … I just didn’t fix it > before looking at the JWT stuff. > > - max > > >> >> Kent >> >> >> -----ORIGINAL MESSAGE----- >> >> Folks, in Chicago we discussed the signing method for vouchers. >> >> Because the voucher is JSON, and there is expectation of a CBOR encoding for >> future work, there is an open discussion point about using the JWS/COSE >> signing methods; if not JWT/CWT. There was brief discussion of this at >> IETF98 and one person indicated they liked PKCS7, others indicates JWT and >> others did not speak up. Fully meeting minutes might provide more >> information but my recollection was that we’d move the discussion to the >> list. This thread is for that discussion. >> >> The current text of draft-ietf-anima-voucher-02 is: >> >>> The voucher is signed a PKCS#7 SignedData structure, as specified by >>> Section 9.1 >>> of [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as >>> specified in ITU-T X.690. >> >> >> For concrete discussion, the proposed change is: >> >>> The voucher is a JWT [RFC7519] signed token. >> >> >> I’ve updated my tooling that was used during the IETF98 hackathon to support >> a JWT token format; I did this as homework to be informed for the >> discussion. >> >> MY POSITION: is that I appreciate the simplicity of the JWS signing and feel >> it is a good match for us. It was easy enough to implement, was a refreshing >> change from the ASN1 complexity of PKCS7, and seems to provide a good path >> toward CBOR/COSE in a future document without maintaining PKCS7/CMS >> technical debt or revisiting/rewriting too much. >> >> QUESTION FOR THE WORKING GROUP: What is your position? Why? >> >> What follows is a dump of the raw JWS before signing (the equivalent >> PKCS7/CMS structure would be the SignedData asn1 structures which is hard to >> capture). After that is an encoded and signed voucher. Further below is an >> example of a PKCS7 signed voucher. >> >> Please note these characteristics: >> >> a) From JWT RFC7519 "JWTs are always represented using the JWS Compact >> Serialization”. There are some JWT headers that overlap with voucher fields. >> I’m using JWT here; but the distinction between JWS/JWT is not fundamental >> to our discussion. The important point is JWS vs PKCS7. >> >> b) I’ve added the x5c header to the JWS. This is used to carry the >> certificate chain of the signer. Our current voucher format indicates PKCS7 >> which supports an equivalent field called “CertificateSet structure”. Its in >> the BRSKI document that we specify "The entire certificate chain, up to and >> including the Domain CA, MUST be included in the CertificateSet structure”. >> With the transition to JWT we’d be specifying that the x5c header be fully >> populated up to an including the Domain CA etc. >> >> c) From these examples we can’t directly compare size encodings. I don’t >> think this is a significant aspect of the conversation but can create >> comparable examples if folks feel that is necessary. >> >> The dumps: >> >> A debug dump of the JWT form before encoding: >> { >> "typ": "JWT", >> "alg": "ES256", >> "x5c": >> ["MIIBdjCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjArMRYwFAYDVQQKDA1DaXNjbyBTeXN0ZW1zMREwDwYDVQQDDAhWZW5kb3JDQTAeFw0xNzA0MDMxNTE1NDVaFw0xODA0MDMxNTE1NDVaMC0xFjAUBgNVBAoMDUNpc2NvIFN5c3RlbXMxEzARBgNVBAMMClZlbmRvck1BU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT9GTrDd0GWgwcuSy8LCn0waMeknpLznajZzqWlLhrPwshgIPIPvbyY6IyCo4uBYU/e4OO6TQD9UVLlyU5R6cA6ozAwLjALBgNVHQ8EBAMCBaAwHwYDVR0jBBgwFoAUR4oEpb4YFuelkMrQjlnKtM01ovEwCgYIKoZIzj0EAwIDRwAwRAIgAQ8YR2IdLodEE8k+JxpBOIAGuzCeT9BmFOVhFUb8eJMCIC23Goss6manRjNSmh6+2oB9tsRbjmnnwuMlDXR8fzug", >> >> "MIIBnTCCAUOgAwIBAgIJAK9Pd5G+/r0UMAoGCCqGSM49BAMCMCsxFjAUBgNVBAoMDUNpc2NvIFN5c3RlbXMxETAPBgNVBAMMCFZlbmRvckNBMB4XDTE3MDQwMzE0MTAwNVoXDTE4MDQwMzE0MTAwNVowKzEWMBQGA1UECgwNQ2lzY28gU3lzdGVtczERMA8GA1UEAwwIVmVuZG9yQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASunsQL2PVOSFWWp0oCjlqF8iVPPpEgJct931CZQ6assp07otmfgZqXsk1JYRTlKCGjROxrAiVRQsB54ioA0yu0o1AwTjAdBgNVHQ4EFgQUR4oEpb4YFuelkMrQjlnKtM01ovEwHwYDVR0jBBgwFoAUR4oEpb4YFuelkMrQjlnKtM01ovEwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEA+SSOhiNQ23RWA76kZ/2u70FCpU8OsU7X9IRiWGDgIAgCIFLu8FnJuqPx10sgHvIzqI5BgOcwCa5vFQZdCDBHIx18"] >> } >> . >> { >> "ietf-voucher:voucher": { >> "assertion": "logging", >> "domain-cert-trusted-ca": "-----BEGIN >> CERTIFICATE-----\nMIIBUjCB+qADAgECAgkAwP4qKsGyQlYwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAwwM\nZXN0RXhhbXBsZUNBMB4XDTE3MDMyNTIyMTc1MFoXDTE4MDMyNTIyMTc1MFowFzEV\nMBMGA1UEAwwMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRVrNlEN2ocYscAILBU7NggABo0JgA1rEGdYdCQj1nHKL6xKONJIUfBibe6iMVYd3\nRUmPwaPiHNZJ98kRwHIwnKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU+dVX\naXoucU1godNF0bycS1U5W54wCgYIKoZIzj0EAwIDRwAwRAIgNsCGjpEjuvz6OKJ/\n3rOvMc2ZfDhD02K+0PCVFJGCQGwCIAzf3BS6x9kKSROJJvxDSpg0QK9+b9LSFkbZ\nM1PW98AN\n-----END >> CERTIFICATE-----\n", >> "nonce": "ea7102e8e88f119e", >> "serial-number": "PID:1 SN:widget1", >> "serial-number-issuer": "36097E3DEA39316EA4CE5C695BE905E78AF2FB5A", >> "version": "1" >> } >> } >> . >> [signature goes here] >> >> As per JWT RFC7519 this is what it looks like after URL-safe encoding. You >> can see that now the signature is included (look to the second to last line >> to see the second “.” followed by a valid signature): >> >> eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsICAgICJ4NWMiOlsiTUlJQmRqQ0NBUjJnQXdJQkFnSUJBVEFLQmdncWhrak9QUVFEQWpBck1SWXdGQVlEVlFRS0RBMURhWE5qYnlCVGVYTjBaVzF6TVJFd0R3WURWUVFEREFoV1pXNWtiM0pEUVRBZUZ3MHhOekEwTURNeE5URTFORFZhRncweE9EQTBNRE14TlRFMU5EVmFNQzB4RmpBVUJnTlZCQW9NRFVOcGMyTnZJRk41YzNSbGJYTXhFekFSQmdOVkJBTU1DbFpsYm1SdmNrMUJVMEV3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVQ5R1RyRGQwR1dnd2N1U3k4TENuMHdhTWVrbnBMem5halp6cVdsTGhyUHdzaGdJUElQdmJ5WTZJeUNvNHVCWVUvZTRPTzZUUUQ5VVZMbHlVNVI2Y0E2b3pBd0xqQUxCZ05WSFE4RUJBTUNCYUF3SHdZRFZSMGpCQmd3Rm9BVVI0b0VwYjRZRnVlbGtNclFqbG5LdE0wMW92RXdDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdBUThZUjJJZExvZEVFOGsrSnhwQk9JQUd1ekNlVDlCbUZPVmhGVWI4ZUpNQ0lDMjNHb3NzNm1hblJqTlNtaDYrMm9COXRzUmJqbW5ud3VNbERYUjhmenVnIiwiTUlJQm5UQ0NBVU9nQXdJQkFnSUpBSzlQZDVHKy9yMFVNQW9HQ0NxR1NNNDlCQU1DTUNzeEZqQVVCZ05WQkFvTURVTnBjMk52SUZONWMzUmxiWE14RVRBUEJnTlZCQU1NQ0ZabGJtUnZja05CTUI0WERURTNNRFF3TXpFME1UQXdOVm9YRFRFNE1EUXdNekUwTVRBd05Wb3dLekVXTUJRR0ExVUVDZ3dOUTJselkyOGdVM2x6ZEdWdGN6RVJNQThHQTFVRUF3d0lWbVZ1Wkc5eVEwRXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBU3Vuc1FMMlBWT1NGV1dwMG9DamxxRjhpVlBQcEVnSmN0OTMxQ1pRNmFzc3AwN290bWZnWnFYc2sxSllSVGxLQ0dqUk94ckFpVlJRc0I1NGlvQTB5dTBvMUF3VGpBZEJnTlZIUTRFRmdRVVI0b0VwYjRZRnVlbGtNclFqbG5LdE0wMW92RXdId1lEVlIwakJCZ3dGb0FVUjRvRXBiNFlGdWVsa01yUWpsbkt0TTAxb3ZFd0RBWURWUjBUQkFVd0F3RUIvekFLQmdncWhrak9QUVFEQWdOSUFEQkZBaUVBK1NTT2hpTlEyM1JXQTc2a1ovMnU3MEZDcFU4T3NVN1g5SVJpV0dEZ0lBZ0NJRkx1OEZuSnVxUHgxMHNnSHZJenFJNUJnT2N3Q2E1dkZRWmRDREJISXgxOCJdfQ.eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6eyJhc3NlcnRpb24iOiJsb2dnaW5nIiwiZG9tYWluLWNlcnQtdHJ1c3RlZC1jYSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJQlVqQ0IrcUFEQWdFQ0Fna0F3UDRxS3NHeVFsWXdDZ1lJS29aSXpqMEVBd0l3RnpFVk1CTUdBMVVFQXd3TVxuWlhOMFJYaGhiWEJzWlVOQk1CNFhEVEUzTURNeU5USXlNVGMxTUZvWERURTRNRE15TlRJeU1UYzFNRm93RnpFVlxuTUJNR0ExVUVBd3dNWlhOMFJYaGhiWEJzWlVOQk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVxuUlZyTmxFTjJvY1lzY0FJTEJVN05nZ0FCbzBKZ0ExckVHZFlkQ1FqMW5IS0w2eEtPTkpJVWZCaWJlNmlNVllkM1xuUlVtUHdhUGlITlpKOThrUndISXduS012TUMwd0RBWURWUjBUQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVK2RWWFxuYVhvdWNVMWdvZE5GMGJ5Y1MxVTVXNTR3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnTnNDR2pwRWp1dno2T0tKL1xuM3JPdk1jMlpmRGhEMDJLKzBQQ1ZGSkdDUUd3Q0lBemYzQlM2eDlrS1NST0pKdnhEU3BnMFFLOStiOUxTRmtiWlxuTTFQVzk4QU5cbi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS1cbiIsIm5vbmNlIjoiZWE3MTAyZThlODhmMTE5ZSIsInNlcmlhbC1udW1iZXIiOiJQSUQ6MSBTTjp3aWRnZXQxIiwic2VyaWFsLW51bWJlci1pc3N1ZXIiOiIzNjA5N0UzREVBMzkzMTZFQTRDRTVDNjk1QkU5MDVFNzhBRjJGQjVBIiwidmVyc2lvbiI6IjEifX0.QkTUpcxv6Ng6ylyWYnlqun-5SFhD1XwLIW1kD7Y9dNwioheNMcVnowkELl_EMClyOWuLvvWuoCHAcWz_UA0IGw >> >> >> Here is an equivalent PKCS7 voucher via asn1 dump. You’d have to look at the >> binary if you really want to decode it. This voucher was generated by MCR >> during the hackathon: >> >> pritikin@ubuntu:~/src/brski-project/brski_msgs$ openssl asn1parse -in >> mcr.voucher.txt.pkcs7 >> 0:d=0 hl=4 l=2706 cons: SEQUENCE >> 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData >> 15:d=1 hl=4 l=2691 cons: cont [ 0 ] >> 19:d=2 hl=4 l=2687 cons: SEQUENCE >> 23:d=3 hl=2 l= 1 prim: INTEGER :01 >> 26:d=3 hl=2 l= 15 cons: SET >> 28:d=4 hl=2 l= 13 cons: SEQUENCE >> 30:d=5 hl=2 l= 9 prim: OBJECT :sha256 >> 41:d=5 hl=2 l= 0 prim: NULL >> 43:d=3 hl=4 l=1644 cons: SEQUENCE >> 47:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data >> 58:d=4 hl=4 l=1629 cons: cont [ 0 ] >> 62:d=5 hl=4 l=1625 prim: OCTET STRING >> :{"ietf-voucher:voucher":{"nonce":"62a2e7693d82fcda2624de58fb6722e5","created-on":"2017-01-01T00:00:00.000Z","device-identifier":"00-d0-e5-f2-00-01","assertion":"logged","owner":"MIIEEzCCAvugAwIBAgIJAK6rFouvk+7YMA0GCSqGSIb3DQEBCwUAMIGfMQsw\nCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdh\nMRowGAYDVQQKDBFPd25lciBFeGFtcGxlIE9uZTERMA8GA1UECwwITm90IFZl\ncnkxGzAZBgNVBAMMEm93bmVyMS5leGFtcGxlLmNvbTEhMB8GCSqGSIb3DQEJ\nARYSb3duZXIxQGV4YW1wbGUuY29tMB4XDTE3MDMyNTE2MjkzNFoXDTE3MDQy\nNDE2MjkzNFowgZ8xCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8w\nDQYDVQQHDAZPdHRhd2ExGjAYBgNVBAoMEU93bmVyIEV4YW1wbGUgT25lMREw\nDwYDVQQLDAhOb3QgVmVyeTEbMBkGA1UEAwwSb3duZXIxLmV4YW1wbGUuY29t\nMSEwHwYJKoZIhvcNAQkBFhJvd25lcjFAZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QYAEnTtXgiKqsfSVYkgkHddFcP34\nOU3YP7ibrsgx0i9cyj7xOzWHOF2PsoKBgTRH75MSMhTl5UidrCszlluK+qp4\nd3Zg31oQM/HDmyRJyRpY+PC1n5Vx/Mj5VagRQbqG7XTDQCfCrhqIKrKBTuPQ\n4vYKeL0tQk4UJlPIoZXEmBk5dkn/Fzl9AfIZSvUzQ1QAhQ9oaLz5Nf5MWHPK\nUY+6b2zA/yQaXduPrVuxp7xCj11C/Ljlhl1/Hx16MJrV33MCbd+RKW711D/3\n0XlWSqEprdbKbqw8WMPjuJ1aoX8aQEWoL+xbomRQQJJoFaMPlzgdDcfoAHDU\nTsxd0+FN8pFHAgMBAAGjUDBOMB0GA1UdDgQWBBSqp5TwQtHsQy9oYLZb0D5W\n+licHDAfBgNVHSMEGDAWgBSqp5TwQtHsQy9oYLZb0D5W+licHDAMBgNVHRME\nBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBgSQGacjwxmbRrrBhW63gY5KaW\nim76rG45p3uh9A8WUfMWryCUufrFOm/QEJnlUUK3QX4KEVj2eywb9gsfkiCE\nyaJzxe665Q2BrWwe3rGVkAhO/fn8upec4E1ASc31ASaF8m+pYqCCPSflL5kV\nMefHG4lEs3XJkHceClRzyXvjb5Kj/u02C5YCjcALYd8/kcSbf4joe1GufvKF\n5wvPBPkRVfbW2KagL+jw62j+8U6oB7FbxtFyqQP1YoZGia9MkPKnK+yg5o/0\ncZ57hgk4mQmM1i82RrUZQVoBP3CD5LdBJZfJoXstRlXe6dX7+TisdSAspp5e\nhNm0BcqdLK+z8ntt\n"}} >> 1691:d=3 hl=4 l= 557 cons: cont [ 0 ] >> 1695:d=4 hl=4 l= 553 cons: SEQUENCE >> 1699:d=5 hl=4 l= 431 cons: SEQUENCE >> 1703:d=6 hl=2 l= 3 cons: cont [ 0 ] >> 1705:d=7 hl=2 l= 1 prim: INTEGER :02 >> 1708:d=6 hl=2 l= 1 prim: INTEGER :01 >> 1711:d=6 hl=2 l= 10 cons: SEQUENCE >> 1713:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 >> 1723:d=6 hl=2 l= 77 cons: SEQUENCE >> 1725:d=7 hl=2 l= 18 cons: SET >> 1727:d=8 hl=2 l= 16 cons: SEQUENCE >> 1729:d=9 hl=2 l= 10 prim: OBJECT :domainComponent >> 1741:d=9 hl=2 l= 2 prim: IA5STRING :ca >> 1745:d=7 hl=2 l= 25 cons: SET >> 1747:d=8 hl=2 l= 23 cons: SEQUENCE >> 1749:d=9 hl=2 l= 10 prim: OBJECT :domainComponent >> 1761:d=9 hl=2 l= 9 prim: IA5STRING :sandelman >> 1772:d=7 hl=2 l= 28 cons: SET >> 1774:d=8 hl=2 l= 26 cons: SEQUENCE >> 1776:d=9 hl=2 l= 3 prim: OBJECT :commonName >> 1781:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Highway CA >> 1802:d=6 hl=2 l= 30 cons: SEQUENCE >> 1804:d=7 hl=2 l= 13 prim: UTCTIME :160507023655Z >> 1819:d=7 hl=2 l= 13 prim: UTCTIME :180507023655Z >> 1834:d=6 hl=2 l= 77 cons: SEQUENCE >> 1836:d=7 hl=2 l= 18 cons: SET >> 1838:d=8 hl=2 l= 16 cons: SEQUENCE >> 1840:d=9 hl=2 l= 10 prim: OBJECT :domainComponent >> 1852:d=9 hl=2 l= 2 prim: IA5STRING :ca >> 1856:d=7 hl=2 l= 25 cons: SET >> 1858:d=8 hl=2 l= 23 cons: SEQUENCE >> 1860:d=9 hl=2 l= 10 prim: OBJECT :domainComponent >> 1872:d=9 hl=2 l= 9 prim: IA5STRING :sandelman >> 1883:d=7 hl=2 l= 28 cons: SET >> 1885:d=8 hl=2 l= 26 cons: SEQUENCE >> 1887:d=9 hl=2 l= 3 prim: OBJECT :commonName >> 1892:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Highway CA >> 1913:d=6 hl=2 l= 118 cons: SEQUENCE >> 1915:d=7 hl=2 l= 16 cons: SEQUENCE >> 1917:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey >> 1926:d=8 hl=2 l= 5 prim: OBJECT :secp384r1 >> 1933:d=7 hl=2 l= 98 prim: BIT STRING >> 2033:d=6 hl=2 l= 99 cons: cont [ 3 ] >> 2035:d=7 hl=2 l= 97 cons: SEQUENCE >> 2037:d=8 hl=2 l= 15 cons: SEQUENCE >> 2039:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints >> 2044:d=9 hl=2 l= 1 prim: BOOLEAN :255 >> 2047:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF >> 2054:d=8 hl=2 l= 14 cons: SEQUENCE >> 2056:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage >> 2061:d=9 hl=2 l= 1 prim: BOOLEAN :255 >> 2064:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106 >> 2070:d=8 hl=2 l= 29 cons: SEQUENCE >> 2072:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier >> 2077:d=9 hl=2 l= 22 prim: OCTET STRING [HEX >> DUMP]:0414258EDF2D51788F0CEC872A22FBD4FEBE0676EB07 >> 2101:d=8 hl=2 l= 31 cons: SEQUENCE >> 2103:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key >> Identifier >> 2108:d=9 hl=2 l= 24 prim: OCTET STRING [HEX >> DUMP]:30168014258EDF2D51788F0CEC872A22FBD4FEBE0676EB07 >> 2134:d=5 hl=2 l= 10 cons: SEQUENCE >> 2136:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 >> 2146:d=5 hl=2 l= 104 prim: BIT STRING >> 2252:d=3 hl=4 l= 454 cons: SET >> 2256:d=4 hl=4 l= 450 cons: SEQUENCE >> 2260:d=5 hl=2 l= 1 prim: INTEGER :01 >> 2263:d=5 hl=2 l= 82 cons: SEQUENCE >> 2265:d=6 hl=2 l= 77 cons: SEQUENCE >> 2267:d=7 hl=2 l= 18 cons: SET >> 2269:d=8 hl=2 l= 16 cons: SEQUENCE >> 2271:d=9 hl=2 l= 10 prim: OBJECT :domainComponent >> 2283:d=9 hl=2 l= 2 prim: IA5STRING :ca >> 2287:d=7 hl=2 l= 25 cons: SET >> 2289:d=8 hl=2 l= 23 cons: SEQUENCE >> 2291:d=9 hl=2 l= 10 prim: OBJECT :domainComponent >> 2303:d=9 hl=2 l= 9 prim: IA5STRING :sandelman >> 2314:d=7 hl=2 l= 28 cons: SET >> 2316:d=8 hl=2 l= 26 cons: SEQUENCE >> 2318:d=9 hl=2 l= 3 prim: OBJECT :commonName >> 2323:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Highway CA >> 2344:d=6 hl=2 l= 1 prim: INTEGER :01 >> 2347:d=5 hl=2 l= 13 cons: SEQUENCE >> 2349:d=6 hl=2 l= 9 prim: OBJECT :sha256 >> 2360:d=6 hl=2 l= 0 prim: NULL >> 2362:d=5 hl=3 l= 228 cons: cont [ 0 ] >> 2365:d=6 hl=2 l= 24 cons: SEQUENCE >> 2367:d=7 hl=2 l= 9 prim: OBJECT :contentType >> 2378:d=7 hl=2 l= 11 cons: SET >> 2380:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data >> 2391:d=6 hl=2 l= 28 cons: SEQUENCE >> 2393:d=7 hl=2 l= 9 prim: OBJECT :signingTime >> 2404:d=7 hl=2 l= 15 cons: SET >> 2406:d=8 hl=2 l= 13 prim: UTCTIME :170325220308Z >> 2421:d=6 hl=2 l= 47 cons: SEQUENCE >> 2423:d=7 hl=2 l= 9 prim: OBJECT :messageDigest >> 2434:d=7 hl=2 l= 34 cons: SET >> 2436:d=8 hl=2 l= 32 prim: OCTET STRING [HEX >> DUMP]:552DD2EE5CBC4C7C4D207F98A2519F031EE10074D674265A7DD0CA73E68BE57D >> 2470:d=6 hl=2 l= 121 cons: SEQUENCE >> 2472:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capabilities >> 2483:d=7 hl=2 l= 108 cons: SET >> 2485:d=8 hl=2 l= 106 cons: SEQUENCE >> 2487:d=9 hl=2 l= 11 cons: SEQUENCE >> 2489:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc >> 2500:d=9 hl=2 l= 11 cons: SEQUENCE >> 2502:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc >> 2513:d=9 hl=2 l= 11 cons: SEQUENCE >> 2515:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc >> 2526:d=9 hl=2 l= 10 cons: SEQUENCE >> 2528:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc >> 2538:d=9 hl=2 l= 14 cons: SEQUENCE >> 2540:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc >> 2550:d=10 hl=2 l= 2 prim: INTEGER :80 >> 2554:d=9 hl=2 l= 13 cons: SEQUENCE >> 2556:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc >> 2566:d=10 hl=2 l= 1 prim: INTEGER :40 >> 2569:d=9 hl=2 l= 7 cons: SEQUENCE >> 2571:d=10 hl=2 l= 5 prim: OBJECT :des-cbc >> 2578:d=9 hl=2 l= 13 cons: SEQUENCE >> 2580:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc >> 2590:d=10 hl=2 l= 1 prim: INTEGER :28 >> 2593:d=5 hl=2 l= 10 cons: SEQUENCE >> 2595:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 >> 2605:d=5 hl=2 l= 103 prim: OCTET STRING [HEX >> DUMP]:3065023100E60EAF73A69826077CF6B760AF9BD1C9BF723D0E84812B06B5A8B7C252362394D98E1B5B4C02D8ACD8DA5BD2248D51EA02306B5BDBDFFBB022A1E039A1847259D2E0AA332E12D24053B3E7ECA6D18EA821E29A53D93EE3BA4DE7D8C594C51736511C >> >> And this is the “encoded” form: >> -----BEGIN PKCS7----- >> MIIKkgYJKoZIhvcNAQcCoIIKgzCCCn8CAQExDzANBglghkgBZQMEAgEFADCCBmwG >> CSqGSIb3DQEHAaCCBl0EggZZeyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6eyJub25j >> ZSI6IjYyYTJlNzY5M2Q4MmZjZGEyNjI0ZGU1OGZiNjcyMmU1IiwiY3JlYXRlZC1v >> biI6IjIwMTctMDEtMDFUMDA6MDA6MDAuMDAwWiIsImRldmljZS1pZGVudGlmaWVy >> IjoiMDAtZDAtZTUtZjItMDAtMDEiLCJhc3NlcnRpb24iOiJsb2dnZWQiLCJvd25l >> ciI6Ik1JSUVFekNDQXZ1Z0F3SUJBZ0lKQUs2ckZvdXZrKzdZTUEwR0NTcUdTSWIz >> RFFFQkN3VUFNSUdmTVFzd1xuQ1FZRFZRUUdFd0pEUVRFUU1BNEdBMVVFQ0F3SFQy >> NTBZWEpwYnpFUE1BMEdBMVVFQnd3R1QzUjBZWGRoXG5NUm93R0FZRFZRUUtEQkZQ >> ZDI1bGNpQkZlR0Z0Y0d4bElFOXVaVEVSTUE4R0ExVUVDd3dJVG05MElGWmxcbmNu >> a3hHekFaQmdOVkJBTU1FbTkzYm1WeU1TNWxlR0Z0Y0d4bExtTnZiVEVoTUI4R0NT >> cUdTSWIzRFFFSlxuQVJZU2IzZHVaWEl4UUdWNFlXMXdiR1V1WTI5dE1CNFhEVEUz >> TURNeU5URTJNamt6TkZvWERURTNNRFF5XG5OREUyTWprek5Gb3dnWjh4Q3pBSkJn >> TlZCQVlUQWtOQk1SQXdEZ1lEVlFRSURBZFBiblJoY21sdk1ROHdcbkRRWURWUVFI >> REFaUGRIUmhkMkV4R2pBWUJnTlZCQW9NRVU5M2JtVnlJRVY0WVcxd2JHVWdUMjVs >> TVJFd1xuRHdZRFZRUUxEQWhPYjNRZ1ZtVnllVEViTUJrR0ExVUVBd3dTYjNkdVpY >> SXhMbVY0WVcxd2JHVXVZMjl0XG5NU0V3SHdZSktvWklodmNOQVFrQkZoSnZkMjVs >> Y2pGQVpYaGhiWEJzWlM1amIyMHdnZ0VpTUEwR0NTcUdcblNJYjNEUUVCQVFVQUE0 >> SUJEd0F3Z2dFS0FvSUJBUUM0UVlBRW5UdFhnaUtxc2ZTVllrZ2tIZGRGY1AzNFxu >> T1UzWVA3aWJyc2d4MGk5Y3lqN3hPeldIT0YyUHNvS0JnVFJINzVNU01oVGw1VWlk >> ckNzemxsdUsrcXA0XG5kM1pnMzFvUU0vSERteVJKeVJwWStQQzFuNVZ4L01qNVZh >> Z1JRYnFHN1hURFFDZkNyaHFJS3JLQlR1UFFcbjR2WUtlTDB0UWs0VUpsUElvWlhF >> bUJrNWRrbi9Gemw5QWZJWlN2VXpRMVFBaFE5b2FMejVOZjVNV0hQS1xuVVkrNmIy >> ekEveVFhWGR1UHJWdXhwN3hDajExQy9MamxobDEvSHgxNk1KclYzM01DYmQrUktX >> NzExRC8zXG4wWGxXU3FFcHJkYkticXc4V01QanVKMWFvWDhhUUVXb0wreGJvbVJR >> UUpKb0ZhTVBsemdkRGNmb0FIRFVcblRzeGQwK0ZOOHBGSEFnTUJBQUdqVURCT01C >> MEdBMVVkRGdRV0JCU3FwNVR3UXRIc1F5OW9ZTFpiMEQ1V1xuK2xpY0hEQWZCZ05W >> SFNNRUdEQVdnQlNxcDVUd1F0SHNReTlvWUxaYjBENVcrbGljSERBTUJnTlZIUk1F >> XG5CVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmdTUUdhY2p3eG1i >> UnJyQmhXNjNnWTVLYVdcbmltNzZyRzQ1cDN1aDlBOFdVZk1XcnlDVXVmckZPbS9R >> RUpubFVVSzNRWDRLRVZqMmV5d2I5Z3Nma2lDRVxueWFKenhlNjY1UTJCcld3ZTNy >> R1ZrQWhPL2ZuOHVwZWM0RTFBU2MzMUFTYUY4bStwWXFDQ1BTZmxMNWtWXG5NZWZI >> RzRsRXMzWEprSGNlQ2xSenlYdmpiNUtqL3UwMkM1WUNqY0FMWWQ4L2tjU2JmNGpv >> ZTFHdWZ2S0ZcbjV3dlBCUGtSVmZiVzJLYWdMK2p3NjJqKzhVNm9CN0ZieHRGeXFR >> UDFZb1pHaWE5TWtQS25LK3lnNW8vMFxuY1o1N2hnazRtUW1NMWk4MlJyVVpRVm9C >> UDNDRDVMZEJKWmZKb1hzdFJsWGU2ZFg3K1Rpc2RTQXNwcDVlXG5oTm0wQmNxZExL >> K3o4bnR0XG4ifX2gggItMIICKTCCAa+gAwIBAgIBATAKBggqhkjOPQQDAjBNMRIw >> EAYKCZImiZPyLGQBGRYCY2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHDAa >> BgNVBAMME1Vuc3RydW5nIEhpZ2h3YXkgQ0EwHhcNMTYwNTA3MDIzNjU1WhcNMTgw >> NTA3MDIzNjU1WjBNMRIwEAYKCZImiZPyLGQBGRYCY2ExGTAXBgoJkiaJk/IsZAEZ >> FglzYW5kZWxtYW4xHDAaBgNVBAMME1Vuc3RydW5nIEhpZ2h3YXkgQ0EwdjAQBgcq >> hkjOPQIBBgUrgQQAIgNiAASqSixrp/Zj0Omnzho8bLONYgrPsxrL3DTmJkqiyZ4T >> we/LK3+/iwBgWnohKrOVvO1POtaDHdBuiUjX2CBM66Fg18NSyvwzEJEtFLutFL7S >> cjDYA8JzPLClw0zt/YBad+CjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ >> BAQDAgEGMB0GA1UdDgQWBBQljt8tUXiPDOyHKiL71P6+BnbrBzAfBgNVHSMEGDAW >> gBQljt8tUXiPDOyHKiL71P6+BnbrBzAKBggqhkjOPQQDAgNoADBlAjB6dhfujag2 >> xQEgOUr19iWwAyOhu9nHUfcqXhGb6i3nDuKfeIU7Am/WzvAAmqAWXyQCMQDTLKaN >> vf2k//JcW+4+xapVhW83t8UdlMk0+Eoe/YnKPj/a1WIOuzzh6zJtCYjlimYxggHG >> MIIBwgIBATBSME0xEjAQBgoJkiaJk/IsZAEZFgJjYTEZMBcGCgmSJomT8ixkARkW >> CXNhbmRlbG1hbjEcMBoGA1UEAwwTVW5zdHJ1bmcgSGlnaHdheSBDQQIBATANBglg >> hkgBZQMEAgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 >> DQEJBTEPFw0xNzAzMjUyMjAzMDhaMC8GCSqGSIb3DQEJBDEiBCBVLdLuXLxMfE0g >> f5iiUZ8DHuEAdNZ0Jlp90Mpz5ovlfTB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFl >> AwQBKjALBglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqG >> SIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIB >> KDAKBggqhkjOPQQDAgRnMGUCMQDmDq9zppgmB3z2t2Cvm9HJv3I9DoSBKwa1qLfC >> UjYjlNmOG1tMAtis2Npb0iSNUeoCMGtb29/7sCKh4DmhhHJZ0uCqMy4S0kBTs+fs >> ptGOqCHimlPZPuO6TefYxZTFFzZRHA== >> -----END PKCS7----- >> >> >> _______________________________________________ >> Anima-bootstrap mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/anima-bootstrap >> >> >> >> >> _______________________________________________ >> Anima mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/anima > > _______________________________________________ > Anima-bootstrap mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/anima-bootstrap _______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
