Re: [Isms] fingerprint TCs and hash types
>>>>> On Thu, 10 Sep 2009 15:22:36 -0700, "Joseph Salowey (jsalowey)" <jsalowey at cisco.com> said:
JS> If you are just looking for hashes there probably are already OIDs
JS> for this defined for PKIX,PKCS,X509 etc.
True, but we need to be able to point to a common list that's agreed
upon for this particular usage. It wouldn't be hard to create a
"list of externally defined OIDs" though, you're right.
Many of those other OIDs will fall outside of the standard SNMP OID
tree which I could see confusing some poorly written software, but I'm
not sure that we should worry about them.
JS> If you are looking for something that is specifying hash and
JS> encoding then I'm not sure there is anything formally defined. It
JS> would be nice if things lined up in some useful way with RFC 5425.
Actually, I think 4.2.2 of RFC 5425 does define a standardized string
for encoding fingerprints and maybe it would be easiest to reduce our 2
object pair (type/value) to a single ascii string that exactly
references that string format.
For those that don't want to pull up 4.2.2 of 5425, I'll reproduce it
below:
4.2.2. Certificate Fingerprints
Both client and server implementations MUST make the certificate
fingerprints for their certificate available through a management
interface. The labels for the algorithms are taken from the textual
names of the hash functions as defined in the IANA registry "Hash
Function Textual Names" allocated in [RFC4572].
The mechanism to generate a fingerprint is to take the hash of the
DER-encoded certificate using a cryptographically strong algorithm,
and convert the result into colon-separated, hexadecimal bytes, each
represented by 2 uppercase ASCII characters. When a fingerprint
value is displayed or configured, the fingerprint is prepended with
an ASCII label identifying the hash function followed by a colon.
Implementations MUST support SHA-1 as the hash algorithm and use the
ASCII label "sha-1" to identify the SHA-1 algorithm. The length of a
SHA-1 hash is 20 bytes and the length of the corresponding
fingerprint string is 65 characters. An example certificate
fingerprint is:
sha-1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D
During validation the hash is extracted from the fingerprint and
compared against the hash calculated over the received certificate.
If we go this route, it makes the most sense to copy the format but
still allow it to be used generically (i.e., not just for certificate
fingerprints).
--
Wes Hardaker
Cobham Analytic Solutions
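Added example, not part of Wes Hardaker's message or of RFC 5425: a small Python implementation of the section 4.2.2 fingerprint string (hash of the DER-encoded certificate, colon-separated uppercase hex bytes, prefixed with the hash label and a colon), together with the strict parse and the validation step the RFC describes. RFC 5425 only mandates "sha-1"; the "sha-256" entry in the label table, and the label-to-hashlib mapping itself, are this example's own assumptions, added to show the format used generically as the message suggests. The sample input is a constructed stand-in for DER bytes (the FIPS 180 "abc" test vector), not a real certificate.

```python
from __future__ import annotations

import hashlib
import hmac

# Hash-function textual names (IANA "Hash Function Textual Names" registry,
# RFC 4572) mapped to hashlib constructors. This mapping is the example's
# own assumption; RFC 5425 itself requires only "sha-1".
HASH_LABELS = {
    "sha-1": hashlib.sha1,
    "sha-256": hashlib.sha256,
}

# Constructed stand-in for a DER-encoded certificate (FIPS 180 test vector),
# chosen so the resulting digest is a published, checkable value.
SAMPLE_DER = b"abc"

# The example fingerprint quoted from RFC 5425 section 4.2.2.
RFC_EXAMPLE = "sha-1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D"

HEX_UPPER = set("0123456789ABCDEF")


def make_fingerprint(der_cert: bytes, label: str = "sha-1") -> str:
    """Build an RFC 5425 section 4.2.2 style fingerprint string.

    Input is the DER-encoded certificate; output is '<label>:' followed by
    the digest as colon-separated, 2-char uppercase hex bytes.
    """
    if label not in HASH_LABELS:
        raise ValueError(f"unsupported hash label: {label!r}")
    digest = HASH_LABELS[label](der_cert).digest()
    return label + ":" + ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(fp: str) -> tuple[str, bytes]:
    """Split a fingerprint string into (label, raw digest bytes).

    The format is checked strictly: a known label, exactly digest_size
    colon-separated fields, each exactly two uppercase hex characters.
    """
    label, sep, hexpart = fp.partition(":")
    if not sep or label not in HASH_LABELS:
        raise ValueError("unknown or missing hash label")
    expected_len = HASH_LABELS[label]().digest_size
    parts = hexpart.split(":")
    if len(parts) != expected_len:
        raise ValueError(f"expected {expected_len} hash bytes, got {len(parts)}")
    out = bytearray()
    for p in parts:
        if len(p) != 2 or not all(c in HEX_UPPER for c in p):
            raise ValueError(f"malformed hex byte: {p!r}")
        out.append(int(p, 16))
    return label, bytes(out)


def verify_certificate(der_cert: bytes, configured_fp: str) -> bool:
    """Validation step from the RFC: extract the hash from the configured
    fingerprint and compare it against the hash computed over the received
    certificate. The comparison is constant-time, and a malformed configured
    value is reported as a non-match rather than raised."""
    try:
        label, expected = parse_fingerprint(configured_fp)
    except ValueError:
        return False
    actual = HASH_LABELS[label](der_cert).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = make_fingerprint(SAMPLE_DER)
    print(fp, len(fp))
    print("match:", verify_certificate(SAMPLE_DER, fp))
    print("rfc example parses to", len(parse_fingerprint(RFC_EXAMPLE)[1]), "bytes")
```

The parser deliberately rejects lowercase hex and wrong field counts instead of normalising them, so a configured value that does not match the documented format fails closed; the verifier treats that as a mismatch rather than an error, which is the behaviour a management interface wants when a fingerprint is pasted in wrongly.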