Extension IPAddrBlocks #187
Comments
Current conclusion:

Ask Russ! He provided the initial example.

I think we may need to support multiple IPAddressFamily, since one may have one IPAddressFamily for the IPv4 addresses, and one for the IPv6 addresses.
Below is the certificate generated in openssl
with the command
Where openssl.conf has content
The
As shown above, we have two IPAddressFamily elements (one for IPv4, and one for IPv6) --> We need to support multiple IPAddressFamily elements. Look into details with `openssl asn1parse -i -dump -in certfile.pem -strparse 365`:

As shown above, the IPAddress encoding does not take many bytes. In C509, encoding only the difference as uint needs, in general, also 4 to 8 bytes; this does not save many (or even needs more) bytes, but we need to convert between bytes and int, which is quite complex for the IPAddressPrefix. So I suggest to change

Following my suggestion in this comment, the syntax is changed from

to
We currently don't have enough input to make a decision. Unless any author has a strong opinion, we need to take it to the WG.

assigned Göran to follow up with Russ
My current understanding: The proposed change

OLD

NEW

contains a necessary extension to IPAddressFamily and a clarifying addition to AddressRange, which both are fine by me. @xipki The other proposed changes are not addressed by this change; which of them are still relevant?

@xipki Any other changes we should consider?

Yes. This is the main change. Other changes are not related currently.
In RFC 3779 (https://datatracker.ietf.org/doc/html/rfc3779#section-2.2.3), the `IPAddressBlocks` is defined as follows

And the syntax in C509 is as follows

According to the syntax above, only `IPAddrBlocks` with one (ASN.1) `IPAddressFamily` can be encoded in C509. The syntax may be changed as follows (I added blank lines between the definitions) to allow also multiple `IPAddressFamily` elements.

In Page 15 (of -09), `rdi` does not apply here. This text block needs to be re-written. It is difficult to understand.

The condition to encode an IP address as a uint shall be changed from "if the byte string has the same length as the previous Address" to "if the byte string has the same length as the previous Address and the difference is less than 2^64". For IPv6 address this is relevant.

The names `Address`, `AddressPrefix`, `AddressRange` shall be prepended with the prefix `IP`.
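As an added example (not from the issue, the C509 draft, or any commenter), the Address rule discussed above applied to a list of addresses: each address is carried as its raw byte string, or as a uint difference from the previous address when both have the same length and the difference is below 2^64, the bound the issue proposes. It assumes, as RFC 3779's canonical ordering requires, that addresses are ascending and that the difference is current minus previous; `limit=None` reproduces the old same-length-only rule so the IPv6 overflow case can be seen.

```python
import ipaddress

UINT_LIMIT = 1 << 64  # proposed bound: the difference must be below 2^64 to use uint


def encode_addresses(addrs, limit=UINT_LIMIT):
    """Map each address to its item: the raw byte string, or a uint difference
    from the previous address when both have the same length and the
    (non-negative) difference is below `limit`. limit=None gives the old rule
    (same length only), under which IPv6 differences can exceed 2^64."""
    items, prev = [], None
    for a in addrs:
        raw = ipaddress.ip_address(a).packed
        if prev is not None and len(raw) == len(prev):
            diff = int.from_bytes(raw, "big") - int.from_bytes(prev, "big")
            if diff >= 0 and (limit is None or diff < limit):
                items.append(diff)
                prev = raw
                continue
        items.append(raw)
        prev = raw
    return items


def decode_addresses(items):
    """Inverse of encode_addresses: rebuild the textual address list."""
    addrs, prev = [], None
    for item in items:
        if isinstance(item, int):
            if prev is None:
                raise ValueError("uint Address with no previous Address")
            raw = (int.from_bytes(prev, "big") + item).to_bytes(len(prev), "big")
        else:
            raw = bytes(item)
        addrs.append(str(ipaddress.ip_address(raw)))
        prev = raw
    return addrs


# Constructed sample: two IPv4 addresses, then IPv6 addresses whose last
# pair differ by far more than 2^64 (the third 16-bit group changes).
SAMPLE = ["192.0.2.1", "192.0.2.10", "2001:db8::1", "2001:db8::ffff", "2001:db8:1::1"]

if __name__ == "__main__":
    enc = encode_addresses(SAMPLE)
    print(enc)  # [b'\xc0\x00\x02\x01', 9, b'...', 65534, b'...']
    assert decode_addresses(enc) == SAMPLE
```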