IETF Logo Mail Archive

Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)

"Santosh Chokhani" <santosh.chokhani@gmail.com> Wed, 17 April 2019 13:26 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2207A120104 for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:26:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C_1UgZYUOkFs for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:26:51 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B1C512008D for <curdle@ietf.org>; Wed, 17 Apr 2019 06:26:51 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id f36so12052898plb.5 for <curdle@ietf.org>; Wed, 17 Apr 2019 06:26:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=OzXUw8oB/wHabVtGi6oXyW4QF45qisMNg/3X+ys4F0I=; b=PB3XnQnjD6cBmGYz3v2LDb2JVGdRXQJiww08PmS0URLKMs9LuVOX9nu+HfpQ7Io1Vi Xkzq4qrtjrsKV7HBFV/XcoA0Y7yQU8b6BnX/8fjptZDmFSOrEMjX1SfCLjTHfV/nEBQ8 s/7N+P9KnETOtY2GVBYtawMgIOMt/5edAfvZo3PxGSFsZMx4DPKS7/x3sNEGQgOFrMN3 R2EuoeyytUepNI8BGtjl1Ewpl/NwlZxgpjp9eyP1IsFqFjmBqGgsaB2DHp+7q2gUzBMS VNWirEJrqj8HRROonUJEfyFHfa69mIeupot7hvIJOaWqS4Y+2ouLLEGkJiMYHXtUOcVP Uqbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=OzXUw8oB/wHabVtGi6oXyW4QF45qisMNg/3X+ys4F0I=; b=tBZbzp1eu4y+oa2o9XlQrp32G3mi09q9iojj1mnfLtCM2yXHEO67/0SDtPxkHgQtgK M+cWWwMzYsxUQIkCC2Hj9WijmhGqycbQI+4FdPEGOx5Q7Y9z9B9MxT0sYZQ/aW7ODFJ6 dIM6lWVdXHZ9X8m957vujovMNza80+eni+tblvx0XbxNrYKGrG/uSZhS7Nq7NcU1HLsL BcDW2rzqH6Yerosk565BUe06BB+WB/ZIjmbSrlOLsllHv9QfBy42ALHup4Alzw7+/PYY MJZZl6gyFPAiNHyzPJ0MDQWpFki3MQ2JRokWG4fF5WGQ/GajQvcRjI8xLTzi7zuzuY0W WE7w==
X-Gm-Message-State: APjAAAVE29JKgNGn9h52iwnV2cdaOpVih9cs6/Y+zQm0YA8re0iyUWi2 PXr3UFTV0RnnPvi2+THO0KBKmsDQ
X-Google-Smtp-Source: APXvYqx12fQmM/2Fna3zpIsWkgXvz6PFQjKDpnAbstRYksx741yrcuiwEXjU24SfOSChxSM+HGy3lg==
X-Received: by 2002:a17:902:20c6:: with SMTP id v6mr3006126plg.276.1555507609992; Wed, 17 Apr 2019 06:26:49 -0700 (PDT)
Received: from SantoshBrain ([2600:8800:6800:58f0:e47a:b119:647:c981]) by smtp.gmail.com with ESMTPSA id h4sm50050283pgv.61.2019.04.17.06.26.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Apr 2019 06:26:49 -0700 (PDT)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'RFC Editor' <rfc-editor@rfc-editor.org>
Cc: "'Roman D. Danyliw'" <rdd@cert.org>, 'Simon Josefsson' <simon@josefsson.org>, daniel.migault@ericsson.com, 'Rich Salz' <rsalz@akamai.com>, 'Jim Schaad' <ietf@augustcellars.com>, curdle@ietf.org, "'LIJUN.LIAO@huawei.com'" <LIJUN.LIAO@HUAWEI.COM>, 'Ben Kaduk' <kaduk@mit.edu>
References: <20190417130322.DF98CB82BAF@rfc-editor.org> <CEAF6932-72F1-4BA0-90C9-42B014AA2DAC@vigilsec.com>
In-Reply-To: <CEAF6932-72F1-4BA0-90C9-42B014AA2DAC@vigilsec.com>
Date: Wed, 17 Apr 2019 09:26:47 -0400
Message-ID: <022201d4f521$363efad0$a2bcf070$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQLUA8nUwpstT/Ye8zWBxjlp5t/4tAH7IQXgpDJerhA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/3ppLmEwYtn4hhnz4VhAo6UeVZgA>
Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 13:26:54 -0000

Russ,

But if the CA is using a key to sign CRL, in the context of that key it is
not a CA personality but a CRL issuer personality.  

-----Original Message-----
From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Wednesday, April 17, 2019 9:12 AM
To: RFC Editor <rfc-editor@rfc-editor.org>
Cc: Roman D. Danyliw <rdd@cert.org>; Simon Josefsson <simon@josefsson.org>;
daniel.migault@ericsson.com; Rich Salz <rsalz@akamai.com>; Jim Schaad
<ietf@augustcellars.com>; curdle@ietf.org; LIJUN.LIAO@huawei.com; Ben Kaduk
<kaduk@mit.edu>
Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)

I do not think this is correct.  A CA could, for example, use one key for
signing certificates and a separate key for signing CRLs.

Russ


> On Apr 17, 2019, at 9:03 AM, RFC Errata System <rfc-editor@rfc-editor.org>
wrote:
> 
> The following errata report has been submitted for RFC8410, "Algorithm 
> Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet
X.509 Public Key Infrastructure".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5696
> 
> --------------------------------------
> Type: Technical
> Reported by: Lijun Liao <LIJUN.LIAO@HUAWEI.COM>
> 
> Section: 5
> 
> Original Text
> -------------
>   If the keyUsage extension is present in a certification authority
>   certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage
>   extension MUST contain one or more of the following values:
> 
>          nonRepudiation;
>          digitalSignature;
>          keyCertSign; and
>          cRLSign.
> 
> Corrected Text
> --------------
>   If the keyUsage extension is present in a certification authority
>   certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage
>   extension MUST contain keyCertSign, and zero, one or more of the
>   following values:
> 
>          nonRepudiation;
>          digitalSignature; and
>          cRLSign.
> 
> Notes
> -----
> The usage keyCertSign must be set in a CA certificate.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please 
> use "Reply All" to discuss whether it should be verified or rejected. 
> When a decision is reached, the verifying party can log in to change 
> the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC8410 (draft-ietf-curdle-pkix-10)
> --------------------------------------
> Title               : Algorithm Identifiers for Ed25519, Ed448, X25519,
and X448 for Use in the Internet X.509 Public Key Infrastructure
> Publication Date    : August 2018
> Author(s)           : S. Josefsson, J. Schaad
> Category            : PROPOSED STANDARD
> Source              : CURves, Deprecating and a Little more Encryption
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
> 
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle

_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle

v2.23.0 | Report a Bug | By Email