- From: Christopher Allen <ChristopherA@consensus.com>
- Date: Thu, 17 Oct 1996 12:30:10 -0700
- To: "Certificate Storage Working Group" <CertStorage-WG@consensus.com>
- Cc: ssl-talk@netscape.com, smime-dev@rsa.com, ietf-tls@w3.org, ietf-pkix@tandem.com, Marshall Clow <mclow@owl.csusm.edu>, Eric Gundrum <eric@macgroup.com>
Please do not reply directly to this email (as it has been sent to many lists) -- instead, reply-to: Christopher Allen <ChristopherA@consensus.com> or subscribe to the list below if you are interested. I have set up a mailing list for this working group. Send mail to <certstorage-wg@consensus.com> with the subject "subscribe" or "subscribe digest" to join. Minutes from Conference Call on Cert Storage 10/10/96 Attending: Christopher Allen <ChristopherA@consensus.com> Robert Dickinson <bob@deming.com> Tim Dierks <TimD@consensus.com> Steve Dusse <spock@rsa.com> Laurence Lundblade <lgl@qualcomm.com> Blake Ramsdell <BlakeR@deming.com> This group was brought together to discuss interoperability issues regarding exchange of certificates and private keys between products. A file format is desired which specifies the storage of a certificate, the chain of certificates supporting its authenticity, and a password-protected private key object. This should be suitable for exporting certificates from one application and importing them into another or for native storage for products which choose to adopt it. The call opened with a review of some history and background: There was a draft of PKCS#12 that was loosely based on what was learned from the old Apple PowerTalk signer file, however, it was never distributed. Microsoft has proposed PFX (info at <http://www.microsoft.com/INTDEV/SECURITY/PFX/PFX019SYNTAX.HTM>). PFX attempts to solve more problems than merely certificate transport, but it does propose an ASN.1-encoded format for transporting certificates and keys; this subset of PFX would be a candidate for solving this problem. PFX drew on the unpublished PKCS#12 draft. Steve Dusse at RSA Data Security said that they and Netscape have looked at the PFX proposal and feel there is some value in basing a real PKCS#12 on the bits-on-the-wire portions of PFX, but are not sure about the protocols or trust model specifics of PFX. Microsoft is committed to PFX, and Steve Dusse reported after the meeting that Netscape may actually have some PFX-like interchange code underway. Christopher Allen and Tim Dierks of Consensus Development define the short term problem as "How do you encapsulate single private key, it's cert and cert chain into a single package that we can interchange." They have seen four different "signer" files: the original PowerTalk-compatible signer file (which Mac specific); single file binary file formats; two binary file formats (private key in one and certs in the other); and ASCII armored files similar to what PGP offers. Consensus is open to either some ASN.1 encoded object or some type of ASCII mime-like file, and work with any appropriate standards process, but wants to get things rolling. Deming said that they are willing to support some type of interchange/export file format, adding that this could be in the form of a PKCS#7 mime type that contains the all the different parts. Tim pointed out that VeriSign only provided a certificate (not a PKCS#7 object) for any PCKS#10 requests, and thus Consensus' current ASCII armored format uses those. There was some discussion that whatever approach that was taken needed to fit in with with Netscape and Microsoft's plans. Steve Dusse recommends taking a look at the ASN.1 in the PFX proposal and base an interchange file on that. Ray Sidney says that a new draft PKCS#12 document might be possible in the next 3 or 4 months. Both Deming and Consensus were concerned with this pace as they are preparing to release products now, and only require a least-common-denominator solution right now, i.e. a single private key, certificate, and a certificate chain. Tim Dierks added that there is probably a sub-requirement to specify a better standard for password protected encryption beyond PKCS#5 as it stands because it currently only supports DES encryption. The meeting ended with an agreement to go look at the ASN.1 of the PFX documents, exchange some email, and talk again next week schedule permitting. P.S. Many thanks to Qualcomm for sponsoring the call. FYI: Enclosed is a prototype ASCII armored file for Consensus' SSL Plus beta. The descriptive lines are ignored comments; the format is just block specifiers formatted as below wrapping base64 encoded ASN.1 data. It could easily be adapted to MIME style wrappers, or support other base64 binary encoded formats. ------------------------------------------------------------------------ SSL Plus test certificate -----BEGIN X.509 CERTIFICATE----- MIICqDCCAhECAQIwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlVTMSowKAYD VQQKFCFDb25zZW5zdXMgRGV2ZWxvcG1lbnQgQ29ycG9yYXRpb24xKjAoBgNVBAsU ISoqIFRFU1RJTkcgQU5EIEVWQUxVQVRJT04gT05MWSAqKjE5MDcGA1UEAxQwQ29u c2Vuc3VzIERldmVsb3BtZW50IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTk2MDkyNTAwMDAwMFoXDTk2MTIzMTEyNTk1OVowgZcxCzAJBgNVBAYTAlVTMSow KAYDVQQKFCFDb25zZW5zdXMgRGV2ZWxvcG1lbnQgQ29ycG9yYXRpb24xNzA1BgNV BAsULioqIFNTTCBQTFVTKHRtKSBURVNUSU5HIEFORCBFVkFMVUFUSU9OIE9OTFkg KioxIzAhBgNVBAMUGnNzbHBsdXMtdGVzdC5jb25zZW5zdXMuY29tMIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQC8U38V1yaVRIOHpCeMRdGlaa6hn7qU7C61wnkV L+IwBHqkH79CkQS6eNAHc+3SV91BlJxNqLi5pCnpx5j6DXxFUCYnFcg9b3m2L63X bMeqjRwZEH63bP4oEJPdoqUivRv+rAIQuC2S83WkBVw9znmWt2Oy/ohHvbYucUfA WbdMjQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAIwMlJcd0HmHzWo9TVCGdfR8HaPg fjmJHMfRnL/YwuH+8HHMZYwSjIOECKWJ5LmgdWOAT3Wj0AUcqU5RYntYQ1+UNbBN so2qD1h1gVfaVTVdbu+w6CQoZEH/70Dj7cvwvyMBehnYZ5I+B9ct2d0xj35+coM7 n/PIix1nAc5QyccE -----BEGIN X.509 CERTIFICATE----- Consensus Test CA -----BEGIN X.509 CERTIFICATE----- MIICsTCCAhoCAQEwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlVTMSowKAYD VQQKFCFDb25zZW5zdXMgRGV2ZWxvcG1lbnQgQ29ycG9yYXRpb24xKjAoBgNVBAsU ISoqIFRFU1RJTkcgQU5EIEVWQUxVQVRJT04gT05MWSAqKjE5MDcGA1UEAxQwQ29u c2Vuc3VzIERldmVsb3BtZW50IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTk2MDkyNTAwMDAwMFoXDTk2MTIzMTEyNTk1OVowgaAxCzAJBgNVBAYTAlVTMSow KAYDVQQKFCFDb25zZW5zdXMgRGV2ZWxvcG1lbnQgQ29ycG9yYXRpb24xKjAoBgNV BAsUISoqIFRFU1RJTkcgQU5EIEVWQUxVQVRJT04gT05MWSAqKjE5MDcGA1UEAxQw Q29uc2Vuc3VzIERldmVsb3BtZW50IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZfkFsDJsaJ8DpexH00mQbxoZd 2bcbfYrUCYovSQfJkJFse3Bs/ecnsdCZkidNgayPIdpnbxaY/bRMgLOBroLSgo+T Lw8I7Z66DDtfVnulJdsdn5mn2GnOTK7cXDFfRJSa/SFCOEtWsZRk/MPflXHBCZ7U IQGgww0jt9IpBbX+xwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABBduurGQHZm67Hf tG7qIm1POChIXCOx8eGvkj+AWjxXiUmg/Ii/6Qsbu+C5JfBD9Ph9ncvrYRhcl4Ba r4e5N+i7BPU+b64y+AQYu89fd2MSeZtRdgTZw4Y8G9f2g4rjV+Lhd67FH/9hq7xd rrJDmTxuEyxPL/mxKhMdWaMWOHb7 -----BEGIN X.509 CERTIFICATE----- SSL Plus test certificate private key -----BEGIN ENCRYPTED PRIVATE KEY----- MIICmDAaBgkqhkiG9w0BBQMwDQQIP/ADsmtQ2AECAQUEggJ45Dfjfk7M8ra946QY PQ9VvPsN9BID6cO80NA7jwT1vns9bxJHGCVgkXLHcX+33KMJ772hDvs6tSkAP3LE pZBIYXTOYHLRN5EmhpEPE/0raE83+gphfNhhi3WnyHgt3Amk0JUFy//qbs58oCvn XGeFoaqGVXO6qbHAZJhhKGFWJIzf4VfzYYTIfoKDQP8Q4kmr4WG8FXAhs+B6e49M JR/OLVez77RTt/DUrTOhkxx1k4U9+vRVBuNJsoMBPAeVbeK5XEUnGWXAqjQ/slsT E9otfBffjeP9z+6p0Vrn0wBe0VrQ6EVmDy9OXFRCsUTUzM+9k0b9H4wzRdw1U666 rWt96PfkE7xw9uTXay9k4ICbvXb6HazTR7MkUUmSukJnidiAvB9vj27Q0BERO3Ht o9fIE2Jeg7uZD5kqwZ/pWDf+ai9WWW77rb+JVycGt3Cu/doPJLOZMwEoeSWhjSlH 83D7vDaBHu4K1OgGY2c2b7kcM2FdyCGWDAkUAD2A8nn6mJ/LhQtda1nVztYBaDY0 pwlMdIf+v6WLKO2TNT8yhEUtG574Y/Zf5M5vvGIYAB2q+15TneMO8o65eDSACO8g C/WnqED7Cys9AafNj4vmSu8di4vudKBUasFikfGRBZpZbwtr6EhqLBvn+2t2MQ3f 4hF5TUXW/SNiy2aETtsSbg5M+L7Rx4ocYlpgjWa6+2LgFzOhrOgnMru6k9nWWHlH ahUH7PlWGOnsccVhgI6G7IJ6J44+PohvUqbJu+RUR69w++hjMHNJF15vOuXCyDce pF1iLJAwdpM8MBK2/PYtZz1Qj0uinaALiXovFVgFXmCslETn9JZ2ITxafVo= -----END ENCRYPTED PRIVATE KEY----- ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. ..<ChristopherA@consensus.com> 1563 Solano Avenue #355.. .. Berkeley, CA 94707-2116.. ..Home of "SSL Plus: o510/559-1500 f510/559-1505.. .. SSL 3.0 Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>.. ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. ..<ChristopherA@consensus.com> 1563 Solano Avenue #355.. .. Berkeley, CA 94707-2116.. ..Home of "SSL Plus: o510/559-1500 f510/559-1505.. .. SSL 3.0 Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>..
Received on Thursday, 17 October 1996 15:26:01 UTC