Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
Russ Housley <housley@vigilsec.com> Wed, 17 April 2019 13:38 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ACD912008D for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:38:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0HojZcONgt73 for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:38:07 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E114E120364 for <curdle@ietf.org>; Wed, 17 Apr 2019 06:38:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 70276300AEA for <curdle@ietf.org>; Wed, 17 Apr 2019 09:19:48 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id LVomNAJoUkBE for <curdle@ietf.org>; Wed, 17 Apr 2019 09:19:43 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id 9D7363004E7; Wed, 17 Apr 2019 09:19:42 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <022201d4f521$363efad0$a2bcf070$@gmail.com>
Date: Wed, 17 Apr 2019 09:37:59 -0400
Cc: RFC Editor <rfc-editor@rfc-editor.org>, "Roman D. Danyliw" <rdd@cert.org>, Simon Josefsson <simon@josefsson.org>, daniel.migault@ericsson.com, Rich Salz <rsalz@akamai.com>, Jim Schaad <ietf@augustcellars.com>, curdle@ietf.org, "LIJUN.LIAO@huawei.com" <LIJUN.LIAO@HUAWEI.COM>, Ben Kaduk <kaduk@mit.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A0A0D4DB-9443-432D-8836-5936A77212FC@vigilsec.com>
References: <20190417130322.DF98CB82BAF@rfc-editor.org> <CEAF6932-72F1-4BA0-90C9-42B014AA2DAC@vigilsec.com> <022201d4f521$363efad0$a2bcf070$@gmail.com>
To: Santosh Chokhani <santosh.chokhani@gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Ktzcvp1JJ8HRj2MB4bSqW8msMpk>
Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 13:38:09 -0000
Santosh: This is the exact way we have described the appropriate key usage bits since RFC 3279. If this has confused any implementer over the last decade and a half, I have not heard about it. Russ > On Apr 17, 2019, at 9:26 AM, Santosh Chokhani <santosh.chokhani@gmail.com> wrote: > > Russ, > > But if the CA is using a key to sign CRL, in the context of that key it is > not a CA personality but a CRL issuer personality. > > -----Original Message----- > From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Russ Housley > Sent: Wednesday, April 17, 2019 9:12 AM > To: RFC Editor <rfc-editor@rfc-editor.org> > Cc: Roman D. Danyliw <rdd@cert.org>; Simon Josefsson <simon@josefsson.org>; > daniel.migault@ericsson.com; Rich Salz <rsalz@akamai.com>; Jim Schaad > <ietf@augustcellars.com>; curdle@ietf.org; LIJUN.LIAO@huawei.com; Ben Kaduk > <kaduk@mit.edu> > Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696) > > I do not think this is correct. A CA could, for example, use one key for > signing certificates and a separate key for signing CRLs. > > Russ > > >> On Apr 17, 2019, at 9:03 AM, RFC Errata System <rfc-editor@rfc-editor.org> > wrote: >> >> The following errata report has been submitted for RFC8410, "Algorithm >> Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet > X.509 Public Key Infrastructure". >> >> -------------------------------------- >> You may review the report below and at: >> http://www.rfc-editor.org/errata/eid5696 >> >> -------------------------------------- >> Type: Technical >> Reported by: Lijun Liao <LIJUN.LIAO@HUAWEI.COM> >> >> Section: 5 >> >> Original Text >> ------------- >> If the keyUsage extension is present in a certification authority >> certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage >> extension MUST contain one or more of the following values: >> >> nonRepudiation; >> digitalSignature; >> keyCertSign; and >> cRLSign. >> >> Corrected Text >> -------------- >> If the keyUsage extension is present in a certification authority >> certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage >> extension MUST contain keyCertSign, and zero, one or more of the >> following values: >> >> nonRepudiation; >> digitalSignature; and >> cRLSign. >> >> Notes >> ----- >> The usage keyCertSign must be set in a CA certificate. >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or rejected. >> When a decision is reached, the verifying party can log in to change >> the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC8410 (draft-ietf-curdle-pkix-10) >> -------------------------------------- >> Title : Algorithm Identifiers for Ed25519, Ed448, X25519, > and X448 for Use in the Internet X.509 Public Key Infrastructure >> Publication Date : August 2018 >> Author(s) : S. Josefsson, J. Schaad >> Category : PROPOSED STANDARD >> Source : CURves, Deprecating and a Little more Encryption >> Area : Security >> Stream : IETF >> Verifying Party : IESG >> >> _______________________________________________ >> Curdle mailing list >> Curdle@ietf.org >> https://www.ietf.org/mailman/listinfo/curdle > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle
- [Curdle] [Technical Errata Reported] RFC8410 (569… RFC Errata System
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Russ Housley
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Santosh Chokhani
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Russ Housley
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Santosh Chokhani
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Daniel Migault
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Lijun Liao
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Lijun Liao
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Jim Schaad
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Tim Hollebeek