Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
"Santosh Chokhani" <santosh.chokhani@gmail.com> Wed, 17 April 2019 13:53 UTC
Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13506120156 for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:53:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UO7_29TwoHx2 for <curdle@ietfa.amsl.com>; Wed, 17 Apr 2019 06:53:45 -0700 (PDT)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D49D120104 for <curdle@ietf.org>; Wed, 17 Apr 2019 06:53:45 -0700 (PDT)
Received: by mail-pf1-x42b.google.com with SMTP id b3so12158346pfd.1 for <curdle@ietf.org>; Wed, 17 Apr 2019 06:53:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=3ssBi8xadDhZfMeMJXTn6tIWw7Ynb2NTmBvoB0x45ZE=; b=DC5ur3/73nqJwYPPRnfXDwCv64XS6T2nKBww8q16axf2SV2QdumnKyxPtJBEAWo+q6 GwaY+JW9H+7/VcPZl1t0oaEB9G2vYsrdPAsns6Pok3aqAM4auPgjCZ9UNK1kus8sAcKF QuMcBV+FMfF+PaZ3qCRC+CBeUrdN5+9J9LgRhgHxHT5L6etDm7Y9KVnnueb9iFW2C2Re rlLxiBRIRhU9tsPjGIH1bibLXd4+hsArwA4w4pJnr3Xz7U1e8VTsIISQ4CYtbgXVpa9+ /1r5zkkxoa/UDVWPVAVlNMbow3hfpGIpeIoVCGzWp21mqJoS31Bk2Ooc1e/HAV0wm36C 5Z9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=3ssBi8xadDhZfMeMJXTn6tIWw7Ynb2NTmBvoB0x45ZE=; b=D4lu2r6jPCwXF7RBw7tsbLUYFDbhl27KEDxroEhoZyTNTdJA1f8iJD9X7Op6lDMm8p B7sj/oTcSzzq4PT87fEuK2igyF3/l1F6PwMcTg2jdH91c91ZN58Kqt8B92hKIMfuGeH9 RlR8052FL6sPxKtLvk5+ZNY61TMrnaUVjhElBOgC/jOVbWCe8ijG72w58NTV6Tf8mzvx DGyHh0HKuwq5IzJj1eSUI2dql9INjrOuuNSpPhbJgvPSSDaNA1b+SYcyYJMIaGbGXj70 UlUjXz+1hGrsUJpq7M4pr2yPUHlmllZf6UXykyGO7NNua8wfYvLZ6HmKNJtMwpi0lfd+ 07Sw==
X-Gm-Message-State: APjAAAXUL8l+13Uuz4NuUxRaLirNsxBRsuLKNkphuPLwGLBfbPoz5eaj bULuUvCvC1TcRLuF69fPqDmQvESh
X-Google-Smtp-Source: APXvYqyBnb4urjju6bn1IvPO5KKl9RnFxT0H1XWTzKiXNawFMBEKHTTwy1vDb4/8K3YvlcnWXdrHdg==
X-Received: by 2002:a63:c112:: with SMTP id w18mr84045096pgf.200.1555509224762; Wed, 17 Apr 2019 06:53:44 -0700 (PDT)
Received: from SantoshBrain ([2600:8800:6800:58f0:e47a:b119:647:c981]) by smtp.gmail.com with ESMTPSA id g5sm42046089pfo.53.2019.04.17.06.53.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Apr 2019 06:53:43 -0700 (PDT)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Russ Housley' <housley@vigilsec.com>
Cc: 'RFC Editor' <rfc-editor@rfc-editor.org>, "'Roman D. Danyliw'" <rdd@cert.org>, 'Simon Josefsson' <simon@josefsson.org>, daniel.migault@ericsson.com, 'Rich Salz' <rsalz@akamai.com>, 'Jim Schaad' <ietf@augustcellars.com>, curdle@ietf.org, "'LIJUN.LIAO@huawei.com'" <LIJUN.LIAO@HUAWEI.COM>, 'Ben Kaduk' <kaduk@mit.edu>
References: <20190417130322.DF98CB82BAF@rfc-editor.org> <CEAF6932-72F1-4BA0-90C9-42B014AA2DAC@vigilsec.com> <022201d4f521$363efad0$a2bcf070$@gmail.com> <A0A0D4DB-9443-432D-8836-5936A77212FC@vigilsec.com>
In-Reply-To: <A0A0D4DB-9443-432D-8836-5936A77212FC@vigilsec.com>
Date: Wed, 17 Apr 2019 09:53:42 -0400
Message-ID: <027801d4f524$f8b11690$ea1343b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQLUA8nUwpstT/Ye8zWBxjlp5t/4tAH7IQXgAXYF7NMAncbPAaQhyN3Q
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/z5tAJ5aUgyXrhtJO8qiWF0L0ehI>
Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 13:53:48 -0000
Agree Russ in the sense that I have never seen a CA not issue CRL also. It might delegate CRL issuance to other authorities as well, but I have not seen an implementation where a CA does not generate a CRL and does not provide it to at least one RP, be it OCSP Responder. But if these folks are implementing a CA without CRL issuance, they might want this. On the other hand, I do not see CA having all these other bits as well. There is no security issue if the CA has CRL issuance bit even if it does not issue a CRL. So, I could go either way on this Errata since it does not move the security needle for me. -----Original Message----- From: Russ Housley [mailto:housley@vigilsec.com] Sent: Wednesday, April 17, 2019 9:38 AM To: Santosh Chokhani <santosh.chokhani@gmail.com> Cc: RFC Editor <rfc-editor@rfc-editor.org>; Roman D. Danyliw <rdd@cert.org>; Simon Josefsson <simon@josefsson.org>; daniel.migault@ericsson.com; Rich Salz <rsalz@akamai.com>; Jim Schaad <ietf@augustcellars.com>; curdle@ietf.org; LIJUN.LIAO@huawei.com; Ben Kaduk <kaduk@mit.edu> Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696) Santosh: This is the exact way we have described the appropriate key usage bits since RFC 3279. If this has confused any implementer over the last decade and a half, I have not heard about it. Russ > On Apr 17, 2019, at 9:26 AM, Santosh Chokhani <santosh.chokhani@gmail.com> wrote: > > Russ, > > But if the CA is using a key to sign CRL, in the context of that key > it is not a CA personality but a CRL issuer personality. > > -----Original Message----- > From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Russ > Housley > Sent: Wednesday, April 17, 2019 9:12 AM > To: RFC Editor <rfc-editor@rfc-editor.org> > Cc: Roman D. Danyliw <rdd@cert.org>; Simon Josefsson > <simon@josefsson.org>; daniel.migault@ericsson.com; Rich Salz > <rsalz@akamai.com>; Jim Schaad <ietf@augustcellars.com>; > curdle@ietf.org; LIJUN.LIAO@huawei.com; Ben Kaduk <kaduk@mit.edu> > Subject: Re: [Curdle] [Technical Errata Reported] RFC8410 (5696) > > I do not think this is correct. A CA could, for example, use one key > for signing certificates and a separate key for signing CRLs. > > Russ > > >> On Apr 17, 2019, at 9:03 AM, RFC Errata System >> <rfc-editor@rfc-editor.org> > wrote: >> >> The following errata report has been submitted for RFC8410, >> "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use >> in the Internet > X.509 Public Key Infrastructure". >> >> -------------------------------------- >> You may review the report below and at: >> http://www.rfc-editor.org/errata/eid5696 >> >> -------------------------------------- >> Type: Technical >> Reported by: Lijun Liao <LIJUN.LIAO@HUAWEI.COM> >> >> Section: 5 >> >> Original Text >> ------------- >> If the keyUsage extension is present in a certification authority >> certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage >> extension MUST contain one or more of the following values: >> >> nonRepudiation; >> digitalSignature; >> keyCertSign; and >> cRLSign. >> >> Corrected Text >> -------------- >> If the keyUsage extension is present in a certification authority >> certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage >> extension MUST contain keyCertSign, and zero, one or more of the >> following values: >> >> nonRepudiation; >> digitalSignature; and >> cRLSign. >> >> Notes >> ----- >> The usage keyCertSign must be set in a CA certificate. >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or rejected. >> When a decision is reached, the verifying party can log in to change >> the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC8410 (draft-ietf-curdle-pkix-10) >> -------------------------------------- >> Title : Algorithm Identifiers for Ed25519, Ed448, X25519, > and X448 for Use in the Internet X.509 Public Key Infrastructure >> Publication Date : August 2018 >> Author(s) : S. Josefsson, J. Schaad >> Category : PROPOSED STANDARD >> Source : CURves, Deprecating and a Little more Encryption >> Area : Security >> Stream : IETF >> Verifying Party : IESG >> >> _______________________________________________ >> Curdle mailing list >> Curdle@ietf.org >> https://www.ietf.org/mailman/listinfo/curdle > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle
- [Curdle] [Technical Errata Reported] RFC8410 (569… RFC Errata System
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Russ Housley
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Santosh Chokhani
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Russ Housley
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Santosh Chokhani
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Daniel Migault
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Lijun Liao
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Lijun Liao
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Jim Schaad
- Re: [Curdle] [Technical Errata Reported] RFC8410 … Tim Hollebeek