From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Cc: trousers-tech@lists.sourceforge.net,
tpmdd-devel@lists.sourceforge.net, openssl-dev@openssl.org,
GnuTLS development list <gnutls-devel@lists.gnutls.org>
Subject: Re: [gnutls-devel] Proposal for the ASN.1 form of TPM1.2 and TPM2 keys
Date: Sun, 25 Dec 2016 10:44:51 -0800 [thread overview]
Message-ID: <1482691491.3394.8.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAJU7za+PdjfKqtrEoJMhUK6Mm9Hsa98G8RGNRx-qMFwenMG9yg@mail.gmail.com>
On Sun, 2016-12-25 at 10:18 +0100, Nikos Mavrogiannopoulos wrote:
> On Sat, Dec 24, 2016 at 5:13 PM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
>
> > I think, since it's a key format, the two above are the potential
> > ones. It would be TCG if they want to take it into their standard,
> > otherwise PKCS is RSA Inc.
>
> I wouldn't expect RSA inc to be involved into this as part of PKCS.
> They are dead long time ago and have moved to IETF.
I think I should give TCG first crack at wanting to own the OID. The
IETF ones are easy: once you codify it in an RFC, the oid registry auto
extracts it.
> > > However, I'm not sure how expandable is ASN.1 using version
> > > fields (I've seen no structure being able to be re-used using a
> > > different version). An alternative approach would to allow for
> > > future extensions, i.e., something like the PKIX Extension field,
> > > which is an OID+data.
> >
> > As long as the expansion fields are optional, it works nicely.
> > X509 and X509v3 are examples of version expanded ASN.1
>
> Only if they are defined in the structure early. Otherwise the early
> versions of the implementations wouldn't cope with extensions. To
> make it early extendable you'd have to use something lilke
>
> TPMKey ::= SEQUENCE {
> type OBJECT IDENTIFIER
> version [0] IMPLICIT INTEGER OPTIONAL
> emptyAuth [1] IMPLICIT BOOLEAN OPTIONAL
> parent [2] IMPLICIT INTEGER OPTIONAL
> publicKey [3] IMPLICIT OCTET STRING OPTIONAL
> privateKey OCTET STRING
> extensions [4] EXPLICIT Extensions OPTIONAL
> }
Actually, that's the utility of ASN.1, once you use tagging, you don't
have to do this. The structure above is identical to:
TPMKey ::= SEQUENCE {
type OBJECT IDENTIFIER
version [0] IMPLICIT INTEGER OPTIONAL
emptyAuth [1] IMPLICIT BOOLEAN OPTIONAL
parent [2] IMPLICIT INTEGER OPTIONAL
publicKey [3] IMPLICIT OCTET STRING OPTIONAL
privateKey OCTET STRING
}
If tag 4 isn't present because optional tags are not coded when not
present, so you can expand any ASN.1 structure as long as you have a
clue from the version number that you should be looking for the
optional extras. The point being I don't have to specify the expansion
now, I can wait until we need it.
I'm pretty certain the next expansion is actually SEQUENCE OF
TPM2Policy but I'm still playing with the format.
James
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
next prev parent reply other threads:[~2016-12-25 18:44 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-23 18:06 Proposal for the ASN.1 form of TPM1.2 and TPM2 keys James Bottomley
2016-12-23 20:12 ` Richard Levitte
[not found] ` <20161223.211218.817856866219152234.levitte-MCmKBN63+BlAfugRpC6u6w@public.gmane.org>
2016-12-23 20:22 ` [openssl-dev] " James Bottomley
2016-12-24 13:25 ` Nikos Mavrogiannopoulos
[not found] ` <CAJU7zaKjXhKJ-3PJD6XrLW2hTixEqL0B56epbqG3trw3jmXjVg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-24 16:13 ` [gnutls-devel] " James Bottomley
2016-12-25 9:18 ` Nikos Mavrogiannopoulos
2016-12-25 18:44 ` James Bottomley [this message]
2016-12-25 21:08 ` Nikos Mavrogiannopoulos
2016-12-25 23:47 ` [gnutls-devel] " James Bottomley
2016-12-26 7:18 ` Nikos Mavrogianopoulos
[not found] ` <F37418F5-0ECC-4F8B-981A-2ED74FAADA51-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-12-26 18:13 ` [gnutls-devel] " James Bottomley
2016-12-26 20:13 ` Nikos Mavrogianopoulos
[not found] ` <671CBF50-E114-4FD1-995A-523C7B63F8D5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-12-29 23:57 ` [gnutls-devel] " James Bottomley
2016-12-27 15:35 ` Erwann Abalea
2016-12-30 15:40 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1482691491.3394.8.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=gnutls-devel@lists.gnutls.org \
--cc=nmav@gnutls.org \
--cc=openssl-dev@openssl.org \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=trousers-tech@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.