Format and standard for CSR
Robert Moskowitz
rgm at htt-consult.com
Wed Aug 28 23:13:15 UTC 2019
Uri, Greetings!
On 8/28/19 6:09 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> Do you have an ASN.1 definition fit the content of CSR, or are you
> willing to create one?
For now working with ASN.1.
> IMHO, DER would be a pretty good choice, far better than something
> home-brewed and non-standard.
Take a look at RFC 7049. This is the standard for data objects over
constrained networks. Then look at
draft-birkholz-core-coid
for work being done by a good team to meld X.509 stuff with CBOR.
"The wonderful thing about standards is there are so many to choose from."
There was a reference point to Grace Hopper saying this in '58.
>
> Regards,
> Uri
>
> Sent from my iPhone
>
> On Aug 28, 2019, at 17:49, Robert Moskowitz <rgm at htt-consult.com
> <mailto:rgm at htt-consult.com>> wrote:
>
>> CSR is an object in a container that goes over a 'wire'. Sometimes
>> the wire is very small (BT4) so the container needs to be tightly
>> designed.
>>
>> It should be a standard, not something totally off the wall. Well I
>> could do it in CBOR, and probably will at some point, but for now
>> something more common in PKIX world should work.
>>
>> Mangle it, stuff it down the wire, de-mangle it and use it. For now I
>> am referencing RFC 2986.
>>
>> What do you suggest? Please reference documents that can be
>> referenced in the document.
>>
>> Thanks
>>
>>
>> On 8/28/19 5:23 PM, Michael Sierchio wrote:
>>>
>>> I don't see the point in DER encoding for a CSR – The RA and CA
>>> decide the composition of the cert, based on the rules and CPA that
>>> they follow, and of course any cert issued will be in DER format,
>>> and may include reordering or modified/expanded extensions and key
>>> use restrictions. A CSR is basically an assertion that includes
>>> pubkey, proof of possession of the private key, and any request
>>> elements required by policy. It's a one-time document that needs to
>>> be validated precisely once.
>>>
>>>
>>> On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz
>>> <rgm at htt-consult.com <mailto:rgm at htt-consult.com>> wrote:
>>>
>>> I am writing an Internet Draft that will include transmission of
>>> a CSR,
>>> so I need to reference the proper source. No more sloppy, "well it
>>> works...".
>>>
>>> Some digging said it is in PKCS#10 - CSR. But I did not stop
>>> with that.
>>>
>>> A bit more googling led me to RFC 4211...
>>>
>>> When I create a CSR with:
>>>
>>> openssl req -config openssl-intermediate.cnf \
>>> -key ./private/client.key.pem \
>>> -subj "$DN" -new -out ./csr/client.csr.pem
>>>
>>> What format is this? Are there better, more concise formats
>>> (e.g. DER?)
>>> for transmission over constrained networks?
>>>
>>> I can dump it with
>>>
>>> openssl req -text -noout -verify -in ./csr/client.csr.pem
>>>
>>> But that does not really tell me the format, only what is in the
>>> cert.
>>>
>>> Thanks
>>>
>>>
>>>
>>> --
>>>
>>> "Well," Brahmā said, "even after ten thousand explanations, a fool
>>> is no wiser, but an intelligent person requires only two thousand
>>> five hundred."
>>>
>>> - The Mahābhārata
>>
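As an added example (not from this thread, and not OpenSSL's own code), the Python below answers the "what format is this?" question from the original post by building the RFC 2986 (PKCS#10) CertificationRequest structure in DER, wrapping it in the PEM armor that `openssl req` writes, and parsing it back. The key bytes and the signature are constructed placeholders (no real key pair, no real signature), so only the encoding is real; the structural parse shows the three top-level parts (certificationRequestInfo, signatureAlgorithm, signature) and the size difference between the PEM file and its DER body, which is what matters on a small link. Proof of possession (verifying the self-signature over certificationRequestInfo) is the validation step a real CA performs and is deliberately not simulated here.

```python
"""Added example: RFC 2986 CertificationRequest layout, DER vs PEM.
All key and signature bytes are constructed dummies, not real crypto."""
import base64


# --- minimal DER encoder (enough for the PKCS#10 skeleton) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long-form length


def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def seq(*items): return tlv(0x30, b"".join(items))
def set_(*items): return tlv(0x31, b"".join(items))
def integer(v): return tlv(0x02, v.to_bytes(1, "big"))   # enough for version 0
def bitstring(b): return tlv(0x03, b"\x00" + b)           # 0 unused bits
def utf8(s): return tlv(0x0C, s.encode())


def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit = "more follows"
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_csr_der():
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    signatureAlgorithm, signature BIT STRING }  (RFC 2986 section 4)."""
    subject = seq(set_(seq(oid("2.5.4.3"), utf8("client"))))     # CN=client
    dummy_point = b"\x04" + b"\x11" * 64                          # constructed, not a real P-256 point
    spki = seq(seq(oid("1.2.840.10045.2.1"),                      # id-ecPublicKey
                   oid("1.2.840.10045.3.1.7")),                   # prime256v1
               bitstring(dummy_point))
    attrs = tlv(0xA0, b"")                                        # attributes [0]: none requested
    cri = seq(integer(0), subject, spki, attrs)                   # version 0 per RFC 2986
    sig_alg = seq(oid("1.2.840.10045.4.3.2"))                     # ecdsa-with-SHA256
    signature = bitstring(b"\x22" * 70)                           # constructed placeholder
    return seq(cri, sig_alg, signature)


# --- PEM armor exactly as `openssl req -out` writes it (RFC 7468 label) ---
def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


# --- minimal DER reader ---
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out


def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def describe_csr(der):
    """Walk the PKCS#10 structure and report what a CA would look at first."""
    tag, body, end = read_tlv(der)
    assert tag == 0x30 and end == len(der), "not a single DER SEQUENCE"
    cri, sig_alg, sig = children(body)
    version, subject, spki, attrs = children(cri[1])
    rdn = children(children(subject[1])[0][1])[0][1]             # first RDN's AttributeTypeAndValue
    key_alg = children(children(spki[1])[0][1])
    return {
        "version": version[1][0],
        "subject_cn": children(rdn)[1][1].decode(),
        "key_alg": decode_oid(key_alg[0][1]),
        "sig_alg": decode_oid(children(sig_alg[1])[0][1]),
        "sig_len": len(sig[1]) - 1,
        "attributes_present": attrs[0] == 0xA0,
    }


def size_report(der):
    """Bytes on the wire for DER versus the same object as a PEM file."""
    return {"der": len(der), "pem": len(der_to_pem(der).encode())}


if __name__ == "__main__":
    d = build_csr_der()
    print(describe_csr(d))
    print(size_report(d))
```

The `.pem` file `openssl req` produces is therefore base64 of this DER with the `CERTIFICATE REQUEST` header and footer lines; `openssl req -in client.csr.pem -outform DER` strips that armor, and `openssl asn1parse -inform DER` shows the same three-part layout the parser above walks.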