Thread Links | Date Links | ||||
---|---|---|---|---|---|
Thread Prev | Thread Next | Thread Index | Date Prev | Date Next | Date Index |
Yeah, we could add the DER-encoded certs in the examples – well, a hex dump of the DER encoding – if you think it’s useful. cp From:
Glen Kramer <glen.kramer@xxxxxxxxxxxx> Hi Craig, Thank you for posting.
A question on the CertSize formula below: Our certificate examples in Annex 11A show only PEM format. This is 25% less efficient than BER/DER format, that is, the same certificate is 25% larger in PEM format than in DER. Should we add
DER examples too? Should we mandate a specific certificate encoding for the Install and retrieve OAMPDUs? Thanks, Glen From: Craig Pratt <000025f75ba9ec80-dmarc-request@xxxxxxxxxxxxxxxxx>
Hey all, Sorry – missed the request. Here’s the table: Note that 1 cert will typically have 1 public key and 1 signature – and they don’t have to be from the same algorithm. So the math for cert size is: CertSize = sizeof(public key) + sizeof(signature) + sizeof(ASN.1 BER-encoded x509 cert metadata) My hunch is that there will be very good options that are under 12K total. cp From:
stds-1904-4-tf@xxxxxxxxxxxxxxxxx <stds-1904-4-tf@xxxxxxxxxxxxxxxxx>
on behalf of Glen Kramer <000006d1020766de-dmarc-request@xxxxxxxxxxxxxxxxx> Thank you, JC. I put this suggestion into slides. There are several corner case behaviors we need to agree on. But overall, this seems a workable solution. Let’s discuss this on the reflector, unless someone would prefer another call. Craig – please, post on the reflector the key/signature size table you presented on the last call. Thank you, Glen From: Marion, Jc <jmarion@xxxxxxxxx>
I agree to leave the software download alone. As for the size of incoming cert(s), why don’t we replace the sequence number field with a 4 bytes field that specifies the number of bytes that are to come after this current message?
We would use the high bit (bit [31] to specify that this is the first message). The receiver of the cert(s) allocates a receive buffer upon reception of first message with bit[31] set or deny/abort the request. The receiver can also detect any loss of message during transfer: If first message received does not have bit[31] set. If “number of bytes to come” from message N-1 != (“number of bytes to come” + “certificate length”) from message N Thanks, Jc From:
Glen Kramer <glen.kramer@xxxxxxxxxxxx> Thank you, JC.
Yes, given the sizes of emerging keys and signatures, pacing the transfer by the receiver would be useful. It probably would be a cleaner solution to specify a generic file transfer from the start. But it was specified only for the FW image transfer and the OLT and ONU state
diagrams are very big and combine the download, verification, and activation functionalities all together. Extracting the download portion of the state diagram into a separate generic file transfer sub-clause is a lot of work. Also, as you said, we will need
to specify a reverse process for file retrieval. Unless we have a strong reason to mess with the software download, I’d leave it alone. (But there might be such a reason. I will clarify in a separate email.) Certificate download into ONU: The easiest fix for pacing the transfer is to specify that ONU has to acknowledge every eOAM_Certificate_Request by a separate eOAM_Certificate_Response, and that the
OLT shall not issue a new eOAM_Certificate_Request, until the previous one has been acknowledged. To pace the downstream transfer, the ONU would delay the response for up to 1 second (OAM timeout). However if the pause needs to be even longer, ONU should send
an eOAM_Certificate_Response with code “Busy”. Then to resume transfer, ONU would send another eOAM_Certificate_Response with code “Ready”. When the OLT indicates that it has sent the last segment, the ONU sends a response containing the summary of the whole
operation, i.e., ActionStatus and CertificateStatus. Certificate retrieval from ONU: Pacing the upstream data during the certificate retrieval can be done in a few ways. One way is to burden the DBA with pacing the MLID grants. But it probably would
be better if we make US and DS transfers more or less symmetric. That means the OLT would request each block separately, and the ONU would only send one block (one eOAM_Certificate_Response) per each block request (eOAM_Certificate_Request). The Sequence
field in eOAM_Certificate_Response would tell the OLT if there are more blocks available for retrieval. I still don’t have a good suggestion on how to inform the recipient of the total size of the incoming file. It needs to be done once at the beginning of transfer and
I don’t like the idea of including this field in every message. Making this field present only in the first message in a sequence complicates the parsing.
Should we have a separate message CertificateWriteRequest (similar to FileWriteRequest), where the OLT tells ONU to prepare to receive a file of a given size, and ONU
either ACKs or NACKs that request, based on available memory? For the retrieval, the OLT will start with CertificateReadRequest, and the ONU will respond with CrtificateReadResponse containing the total length of the requested certificate? Glen From: Marion, Jc <000020b191edabf4-dmarc-request@xxxxxxxxxxxxxxxxx>
Dear IEEE chatmates, After our discussion regarding transfer of cert and chain of certs, I realized that we may have an issue with the B1 (or B2) approach. In short, how do we ensure that the receiver of data (ONU for a install and OLT for a retrieve) is not overflowing its receive buffer? While we did not come up with actual size estimates for the cert (or chain of), we certainly talked about hundreds of kB. I believe we need to have a way for the receiver to pace the transmission. Either we introduce a new action code (e.g. transmit ack) or we have another look at the file transfer. During the call, we looked at it and put it aside for 2 reasons: It does not offer the capability to retrieve a file. There is no convention for file name. What file name should we use for NAC, DAC? If we were to revisit the file transfer idea, I believe we would also need to add the indication of total size. So that the receiver of data can prepare a receive buffer or deny the
transfer. Thanks, Jc From:
stds-1904-4-tf@xxxxxxxxxxxxxxxxx <stds-1904-4-tf@xxxxxxxxxxxxxxxxx>
on behalf of Glen Kramer <000006d1020766de-dmarc-request@xxxxxxxxxxxxxxxxx> Attached is a set of slides for tomorrow. There are 4 alternative methods (plus some options) presented, all different in their capabilities, efficiency, and impact on the draft. Each method supports certificate chains that are arbitrarily large. However, these methods differ in allowing the individual certificates to be larger than 1489 bytes. Glen -----Original Appointment----- Glen will have a few slides to go over several alternatives for removing the certificate size constraint, as we discussed under comment #8. Zoom info down below.
Curtis Knittle (CableLabs) is inviting you to a scheduled Zoom meeting. To unsubscribe from the STDS-1904-4-TF list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 To unsubscribe from the STDS-1904-4-TF list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 To unsubscribe from the STDS-1904-4-TF list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 To unsubscribe from the STDS-1904-4-TF list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 To unsubscribe from the STDS-1904-4-TF list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 |