Re: Question about the edition of RFC 3280
Russ Housley <housley@vigilsec.com> Mon, 07 April 2003 16:46 UTC
Date: Mon, 07 Apr 2003 11:17:11 -0400
To: Denis Pinkas <Denis.Pinkas@bull.net>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: Question about the edition of RFC 3280
Cc: pkix <ietf-pkix@imc.org>, Jeff Schiller <jis@mit.edu>, Steve Bellovin <smb@research.att.com>, Tim Polk <wpolk@nist.gov>, Stephen Kent <kent@bbn.com>
In-Reply-To: <3E9132DA.7030307@bull.net>
Denis:

>===================================================================
>
>A new Request for Comments is now available in online RFC libraries.
>
>        RFC 3280
>
>        Title:      Internet X.509 Public Key Infrastructure
>                    Certificate and Certificate Revocation List (CRL)
>                    Profile
>        Author(s):  R. Housley, W. Polk, W. Ford, D. Solo
>        Status:     Standards Track
>        Date:       April 2002
>        Mailbox:    rhousley@rsasecurity.com, wford@verisign.com,
>                    wpolk@nist.gov, dsolo@alum.mit.edu
>        Pages:      129
>        Characters: 295556
>        Updates/Obsoletes/SeeAlso:    None
>
>        I-D Tag:    draft-ietf-pkix-new-part1-12.txt
>
>====================================================================
>
>The text that was draft-ietf-pkix-new-part1-12.txt is the following:
>
>   "The digitalSignature bit is asserted when the subject public key
>   is used with a digital signature mechanism to support security
>   services other than non-repudiation (bit 1), certificate signing
>   (bit 5), or CRL signing (bit 6). Digital signature mechanisms are
>   often used for entity authentication and data origin
>   authentication with integrity."
>
>while the text that is in RFC 3280 is the following:
>
>   "The digitalSignature bit is asserted when the subject public key
>   is used with a digital signature mechanism to support security
>   services other than certificate signing (bit 5), or CRL signing
>   (bit 6). Digital signature mechanisms are often used for entity
>   authentication and data origin authentication with integrity."
>
>I would like to know how/when such a change happened.

I do not know why you are asking about a change that happened a year ago, but here is the history. This took quite a bit of time to pull together, and it involved searching the archives kept by several different individuals.

During IETF Last Call, the authors received a comment regarding the key usage bits. We have been unsuccessful in locating this email message, so you will have to live with the personal recollection of the content of this message.

The comment stated that section 4.2.1.3 contained an inconsistency. The comment pointed to the following text from draft-ietf-pkix-new-part1-12.txt:

   The digitalSignature bit is asserted when the subject public key
   is used with a digital signature mechanism to support security
   services other than non-repudiation (bit 1), certificate signing
   (bit 5), or CRL signing (bit 6). Digital signature mechanisms are
   often used for entity authentication and data origin
   authentication with integrity.

   The nonRepudiation bit is asserted when the subject public key is
   used to verify digital signatures used to provide a non-repudiation
   service which protects against the signing entity falsely denying
   some action, excluding certificate or CRL signing. In the case of
   later conflict, a reliable third party may determine the
   authenticity of the signed data.

   Further distinctions between the digitalSignature and
   nonRepudiation bits may be provided in specific certificate
   policies.

The crux of the comment was: When the digitalSignature bit is asserted, then the digital signature mechanism supports security services other than non-repudiation. This means that there is no overlap between these two bit settings. This is in conflict with the statement that policy can provide further distinction between digitalSignature and nonRepudiation.

In resolving this comment, the authors also considered the vast volumes of messages on the PKIX WG mail list regarding the disputed meaning of these bits. Recall that the third paragraph was added as a result of that very long discussion.

The actual changes were made to the document by the RFC Editor, at the request of the authors and with the concurrence of the Security Area Director. These changes were considered to be clarifications that resolved an internal inconsistency.

The following is the note from the authors to the RFC Editor:

>Date: Wed, 17 Apr 2002 14:57:50 -0400
>To: rfc-editor@rfc-editor.org
>From: Russ Housley <russ.housley@verizon.net>
>Subject: Re: draft-ietf-pkix-new-part1-12.txt
>Cc: wpolk@nist.gov, jis@mit.edu, smb@research.att.com
>
>Dear RFC Editor:
>
>Here are the changes that are needed for draft-ietf-pkix-new-part1-12.txt
>
>[snip]
>
>Section 4.2.1.3, 4th Paragraph: Drop "non-repudiation (bit 1)" from the
>1st sentence. Otherwise it conflicts with the first and last paragraphs
>of the same section.
>
>OLD:
>
>   Bits in the KeyUsage type are used as follows:
>
>      The digitalSignature bit is asserted when the subject public key
>      is used with a digital signature mechanism to support security
>      services other than non-repudiation (bit 1), certificate signing
>      (bit 5), or CRL signing (bit 6). Digital signature mechanisms are
>      often used for entity authentication and data origin
>      authentication with integrity.
>
>NEW:
>
>   Bits in the KeyUsage type are used as follows:
>
>      The digitalSignature bit is asserted when the subject public key
>      is used with a digital signature mechanism to support security
>      services other than certificate signing (bit 5), or CRL signing
>      (bit 6). Digital signature mechanisms are often used for entity
>      authentication and data origin authentication with integrity.
>
>[snip]

In response to this request, the RFC Editor contacted the Security Area Directors to confirm that the changes were appropriate. Jeff Schiller responded with the following message:

>Date: Wed, 17 Apr 2002 19:37:36 -0400
>From: "Jeffrey I. Schiller" <jis@mit.edu>
>To: rfc-editor@rfc-editor.org
>Cc: russ.housley@verizon.net, wpolk@nist.gov, smb@research.att.com
>Subject: Re: AD response request: Re: draft-ietf-pkix-new-part1-12.txt
>
>I have reviewed the changes and they look fine to me.
>
>                        -Jeff
>
>On Wed, Apr 17, 2002 at 10:18:22PM +0000, rfc-editor@rfc-editor.org wrote:
> > Jeff and Steve,
> >
> > Could you please verify that the following changes are okay?  For the
> > most part, they seem editorial in nature, but we wanted to get an okay
> > from you guys as there are such a great number of changes.
> >
> > Thank you.
> >
> > RFC Editor

Denis, this is the history. I think you can see that an appropriate comment resolution process was followed. I am sure you have faced similar comments on documents that you have authored.

Russ
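The KeyUsage bit numbering (bit 0 digitalSignature, bit 1 nonRepudiation, bit 5 keyCertSign, bit 6 cRLSign) and the overlap question at the heart of the Last Call comment, as an added example that is not part of the original message or of RFC 3280 itself; the function names, the SAMPLE_CA_KEY_USAGE constant and the sample DER encodings are constructed for illustration:

```python
# RFC 3280 4.2.1.3 KeyUsage bit names; bit 0 is the most significant bit of the
# first content octet of the BIT STRING. Added example, not RFC or PKIX code.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",   # bits 0-2
    "dataEncipherment", "keyAgreement", "keyCertSign",         # bits 3-5
    "cRLSign", "encipherOnly", "decipherOnly",                 # bits 6-8
)

# Constructed sample: a CA key asserting keyCertSign and cRLSign only.
SAMPLE_CA_KEY_USAGE = bytes.fromhex("03020106")

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed single-octet-length DER BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires the unused trailing bits to be zero")
    asserted = set()
    for i in range(min(len(content) * 8 - unused, len(KEY_USAGE_BITS))):
        if content[i // 8] & (0x80 >> (i % 8)):
            asserted.add(KEY_USAGE_BITS[i])
    return asserted

def encode_key_usage(usage) -> bytes:
    """Encode bit names as a minimal DER BIT STRING (trailing zero bits dropped)."""
    positions = [KEY_USAGE_BITS.index(name) for name in usage]
    if not positions:
        return bytes([0x03, 0x01, 0x00])
    highest = max(positions)
    content = bytearray(highest // 8 + 1)
    for p in positions:
        content[p // 8] |= 0x80 >> (p % 8)
    body = bytes([len(content) * 8 - (highest + 1)]) + bytes(content)
    return bytes([0x03, len(body)]) + body

def overlap_is_consistent(usage, rfc3280_wording: bool = True) -> bool:
    """The crux of the Last Call comment: the draft-12 text made digitalSignature
    cover services *other than* non-repudiation, so asserting both bit 0 and bit 1
    on one key contradicted it; the RFC 3280 text leaves the distinction to policy."""
    both = {"digitalSignature", "nonRepudiation"} <= set(usage)
    return rfc3280_wording or not both
```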