IETF Logo Mail Archive

Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)

Lijun Liao <lijun.liao@huawei.com> Wed, 17 April 2019 13:41 UTC

Return-Path: <lijun.liao@huawei.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BC86120364 for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id deug6EyNfGX0 for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:41:40 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39A2512034A for <curdle@ietf.org>; Wed, 17 Apr 2019 06:41:40 -0700 (PDT)
Received: from LHREML710-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 175959D9722345854B3B; Wed, 17 Apr 2019 14:41:38 +0100 (IST)
Received: from LHREML505-MBX.china.huawei.com ([169.254.10.69]) by LHREML710-CAH.china.huawei.com ([10.201.108.33]) with mapi id 14.03.0415.000; Wed, 17 Apr 2019 14:41:35 +0100
From: Lijun Liao <lijun.liao@huawei.com>
To: Russ Housley <housley@vigilsec.com>, Santosh Chokhani <santosh.chokhani@gmail.com>
CC: RFC Editor <rfc-editor@rfc-editor.org>, "Roman D. Danyliw" <rdd@cert.org>, Simon Josefsson <simon@josefsson.org>, "daniel.migault@ericsson.com" <daniel.migault@ericsson.com>, Rich Salz <rsalz@akamai.com>, Jim Schaad <ietf@augustcellars.com>, "curdle@ietf.org" <curdle@ietf.org>, Ben Kaduk <kaduk@mit.edu>
Thread-Topic: [Curdle] [Technical Errata Reported] RFC8410 (5696)
Thread-Index: AQHU9R4EeHgZB3LN3kmX7XL5F2yT2KZAQ1+AgAAEC4CAAAMhgIAAEPRV
Date: Wed, 17 Apr 2019 13:41:34 +0000
Message-ID: <B318B2234F15F54D9A56986389A4C939B8F19E@lhreml505-mbx.china.huawei.com>
References: <20190417130322.DF98CB82BAF@rfc-editor.org> <CEAF6932-72F1-4BA0-90C9-42B014AA2DAC@vigilsec.com> <022201d4f521$363efad0$a2bcf070$@gmail.com>, <A0A0D4DB-9443-432D-8836-5936A77212FC@vigilsec.com>
In-Reply-To: <A0A0D4DB-9443-432D-8836-5936A77212FC@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.203.161.198]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/S-xAoGoGYlWhPubYp2Qoa4MrYis>
X-Mailman-Approved-At: Wed, 17 Apr 2019 07:46:32 -0700
Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 13:43:50 -0000

I am with Santosh.

As the definition of RFC 5280 Section 5:

"   CRL issuers issue CRLs.  The CRL issuer is either the CA or an entity
   that has been authorized by the CA to issue CRLs.  CAs publish CRLs
   to provide status information about the certificates they issued.
   However, a CA may delegate this responsibility to another trusted
   authority.
"

If a CA only issues CRL, then 
"CAs publish CRLs
   to provide status information about the --certificates they issued---."
conflicts itself.

Lijun
________________________________________
From: Russ Housley [housley@vigilsec.com]
Sent: Wednesday, April 17, 2019 1:37 PM
To: Santosh Chokhani
Cc: RFC Editor; Roman D. Danyliw; Simon Josefsson; daniel.migault@ericsson.com; Rich Salz; Jim Schaad; curdle@ietf.org; Lijun Liao; Ben Kaduk
Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)

Santosh:

This is the exact way we have described the appropriate key usage bits since RFC 3279.  If this has confused any implementer over the last decade and a half, I have not heard about it.

Russ


> On Apr 17, 2019, at 9:26 AM, Santosh Chokhani <santosh.chokhani@gmail.com> wrote:
>
> Russ,
>
> But if the CA is using a key to sign CRL, in the context of that key it is
> not a CA personality but a CRL issuer personality.
>
> -----Original Message-----
> From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Russ Housley
> Sent: Wednesday, April 17, 2019 9:12 AM
> To: RFC Editor <rfc-editor@rfc-editor.org>
> Cc: Roman D. Danyliw <rdd@cert.org>; Simon Josefsson <simon@josefsson.org>;
> daniel.migault@ericsson.com; Rich Salz <rsalz@akamai.com>; Jim Schaad
> <ietf@augustcellars.com>; curdle@ietf.org; LIJUN.LIAO@huawei.com; Ben Kaduk
> <kaduk@mit.edu>
> Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
>
> I do not think this is correct.  A CA could, for example, use one key for
> signing certificates and a separate key for signing CRLs.
>
> Russ
>
>
>> On Apr 17, 2019, at 9:03 AM, RFC Errata System <rfc-editor@rfc-editor.org>
> wrote:
>>
>> The following errata report has been submitted for RFC8410, "Algorithm
>> Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet
> X.509 Public Key Infrastructure".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5696
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Lijun Liao <LIJUN.LIAO@HUAWEI.COM>
>>
>> Section: 5
>>
>> Original Text
>> -------------
>>  If the keyUsage extension is present in a certification authority
>>  certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage
>>  extension MUST contain one or more of the following values:
>>
>>         nonRepudiation;
>>         digitalSignature;
>>         keyCertSign; and
>>         cRLSign.
>>
>> Corrected Text
>> --------------
>>  If the keyUsage extension is present in a certification authority
>>  certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage
>>  extension MUST contain keyCertSign, and zero, one or more of the
>>  following values:
>>
>>         nonRepudiation;
>>         digitalSignature; and
>>         cRLSign.
>>
>> Notes
>> -----
>> The usage keyCertSign must be set in a CA certificate.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or rejected.
>> When a decision is reached, the verifying party can log in to change
>> the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC8410 (draft-ietf-curdle-pkix-10)
>> --------------------------------------
>> Title               : Algorithm Identifiers for Ed25519, Ed448, X25519,
> and X448 for Use in the Internet X.509 Public Key Infrastructure
>> Publication Date    : August 2018
>> Author(s)           : S. Josefsson, J. Schaad
>> Category            : PROPOSED STANDARD
>> Source              : CURves, Deprecating and a Little more Encryption
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org
>> https://www.ietf.org/mailman/listinfo/curdle
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
>
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle

v2.23.0 | Report a Bug | By Email