Re: Question about the edition of RFC 3280

Russ Housley <housley@vigilsec.com> Mon, 07 April 2003 16:46 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA27039 for <pkix-archive@lists.ietf.org>; Mon, 7 Apr 2003 12:46:05 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.11.6) with ESMTP id h37FHRJM008880 for <ietf-pkix-bks@above.proper.com>; Mon, 7 Apr 2003 08:17:27 -0700 (PDT)
Received: (from majordomo@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h37FHRL3008879 for ietf-pkix-bks; Mon, 7 Apr 2003 08:17:27 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordomo set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.11.6) with SMTP id h37FHQJM008870 for <ietf-pkix@imc.org>; Mon, 7 Apr 2003 08:17:26 -0700 (PDT)
Received: (qmail 2738 invoked by uid 0); 7 Apr 2003 15:16:55 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.168.151) by woodstock.binhost.com with SMTP; 7 Apr 2003 15:16:55 -0000
Message-Id: <5.2.0.9.2.20030407102225.02666690@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Mon, 07 Apr 2003 11:17:11 -0400
To: Denis Pinkas <Denis.Pinkas@bull.net>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: Question about the edition of RFC 3280
Cc: pkix <ietf-pkix@imc.org>, Jeff Schiller <jis@mit.edu>, Steve Bellovin <smb@research.att.com>, Tim Polk <wpolk@nist.gov>, Stephen Kent <kent@bbn.com>
In-Reply-To: <3E9132DA.7030307@bull.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Denis:

>===================================================================
>
>A new Request for Comments is now available in online RFC libraries.
>
>         RFC 3280
>
>         Title:      Internet X.509 Public Key Infrastructure
>                     Certificate and Certificate Revocation List (CRL)
>                     Profile
>         Author(s):  R. Housley, W. Polk, W. Ford, D. Solo
>         Status:     Standards Track
>         Date:       April 2002
>         Mailbox:    rhousley@rsasecurity.com, wford@verisign.com,
>                     wpolk@nist.gov, dsolo@alum.mit.edu
>         Pages:      129
>         Characters: 295556
>         Updates/Obsoletes/SeeAlso:    None
>
>         I-D Tag:    draft-ietf-pkix-new-part1-12.txt
>
>====================================================================
>
>The text that was draft-ietf-pkix-new-part1-12.txt is the following:
>
>       "The digitalSignature bit is asserted when the subject public key
>       is used with a digital signature mechanism to support security
>       services other than non-repudiation (bit 1), certificate signing
>       (bit 5), or CRL signing (bit 6).  Digital signature mechanisms are
>       often used for entity authentication and data origin
>       authentication with integrity."
>
>while the text that is in RFC 3280 is the following:
>
>       "The digitalSignature bit is asserted when the subject public key
>       is used with a digital signature mechanism to support security
>       services other than certificate signing (bit 5), or CRL signing
>       (bit 6).  Digital signature mechanisms are often used for entity
>       authentication and data origin authentication with integrity."
>
>I would like to know, how/when such a change happened.

I do not know why you are asking about a change that happened a year ago, 
but here is the history.  This took quite a bit of time to pull together, 
and it involved searching the archives kept by several different individuals.

During IETF Last Call, the authors received a comment regarding the key 
usage bits.  We have been unsuccessful in locating this email message, so 
you will have to live with the personal recollection of the content of this 
message.  The comment stated that section 4.2.1.3 contained an 
inconsistency.  The comment pointed to the following text from 
draft-ietf-pkix-new-part1-12.txt:

       The digitalSignature bit is asserted when the subject public key
       is used with a digital signature mechanism to support security
       services other than non-repudiation (bit 1), certificate signing
       (bit 5), or CRL signing (bit 6).  Digital signature mechanisms are
       often used for entity authentication and data origin
       authentication with integrity.

       The nonRepudiation bit is asserted when the subject public key is
       used to verify digital signatures used to provide a non-
       repudiation service which protects against the signing entity
       falsely denying some action, excluding certificate or CRL signing.
       In the case of later conflict, a reliable third party may
       determine the authenticity of the signed data.

       Further distinctions between the digitalSignature and
       nonRepudiation bits may be provided in specific certificate
       policies.

The crux of the comment was: When the digitalSignature bit is asserted, 
then the digital signature mechanism supports security services other than 
non-repudiation.  This means that there is no overlap between these two bit 
settings.  This is in conflict with the statement that policy can provide 
further distinction between digitalSignature and nonRepudiation.

In resolving this comment, the authors also considered the vast volumes of 
messages on the PKIX WG mail list regarding the disputed meaning of these 
bits.  Recall that the third paragraph was added as a result of that very 
long discussion.

The actual changes were made to the document by the RFC Editor, at the 
request of the authors and with the concurrence of the Security Area 
Director.  These changes were considered to be clarifications that resolved 
an internal inconsistency.

The following is the note from the authors to the RFC Editor:

>Date: Wed, 17 Apr 2002 14:57:50 -0400
>To: rfc-editor@rfc-editor.org
>From: Russ Housley <russ.housley@verizon.net>
>Subject: Re: draft-ietf-pkix-new-part1-12.txt
>Cc: wpolk@nist.gov, jis@mit.edu, smb@research.att.com
>
>Dear RFC Editor:
>
>Here are the changes that are needed for draft-ietf-pkix-new-part1-12.txt
>
>[snip]
>
>Section 4.2.1.3, 4th Paragraph: Drop "non-repudiation (bit 1)" from the
>1st sentence.  Otherwise it conflicts with the first and last paragraphs
>of the same section.
>
>OLD:
>
>    Bits in the KeyUsage type are used as follows:
>
>        The digitalSignature bit is asserted when the subject public key
>        is used with a digital signature mechanism to support security
>        services other than non-repudiation (bit 1), certificate signing
>        (bit 5), or CRL signing (bit 6).  Digital signature mechanisms are
>        often used for entity authentication and data origin
>        authentication with integrity.
>
>NEW:
>
>     Bits in the KeyUsage type are used as follows:
>
>        The digitalSignature bit is asserted when the subject public key
>        is used with a digital signature mechanism to support security
>        services other than certificate signing (bit 5), or CRL signing
>        (bit 6).  Digital signature mechanisms are often used for entity
>        authentication and data origin authentication with integrity.
>
>[snip]

In response to this request, the RFC Editor contacted the Security Area 
Directors to confirm that the changes were appropriate.  Jeff Schiller 
responded with the following message:

>Date: Wed, 17 Apr 2002 19:37:36 -0400
>From: "Jeffrey I. Schiller" <jis@mit.edu>
>To: rfc-editor@rfc-editor.org
>Cc: russ.housley@verizon.net, wpolk@nist.gov, smb@research.att.com
>Subject: Re: AD response request: Re: draft-ietf-pkix-new-part1-12.txt
>
>I have reviewed the changes and they look fine to me.
>
>                         -Jeff
>
>On Wed, Apr 17, 2002 at 10:18:22PM +0000, rfc-editor@rfc-editor.org wrote:
> > Jeff and Steve,
> >
> > Could you please verify that the following changes are okay?  For the
> > most part, they seem editorial in nature, but we wanted to get an okay
> > from you guys as there are such a great number of changes.
> >
> > Thank you.
> >
> > RFC Editor

Denis, this is the history.  I think you can see that an appropriate 
comment resolution process was followed.  I am sure you have faced similar 
comments on documents that you have authored.

Russ
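Added example, not part of the thread above and not code from any PKIX 
implementation: a small Python module that decodes and DER-encodes the 
KeyUsage BIT STRING discussed in section 4.2.1.3, and applies the RFC 3280 
wording that certificate signing (bit 5) and CRL signing (bit 6) are carved 
out of digitalSignature (bit 0) and need their own bits. The DER samples are 
constructed by hand for the example, the table of required bits per signed 
object is this example's reading of the quoted paragraphs (the further 
distinctions between digitalSignature and nonRepudiation that the RFC leaves 
to certificate policy are not modelled), and only the standard library is 
used.

```python
"""Decode, encode and interpret the X.509 KeyUsage extension value
(RFC 3280 section 4.2.1.3).

Illustrative code added beside the mailing-list thread; it is not from
the thread or from any PKIX implementation.  DER inputs below are
constructed by hand for the example."""

# Named bits of the KeyUsage BIT STRING, in the order RFC 3280 assigns them.
KEY_USAGE_BITS = (
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
)

BIT_STRING_TAG = 0x03


def decode_key_usage(der):
    """Return the set of named bits asserted in a DER-encoded BIT STRING.

    Rejects the malformed encodings a lenient parser would silently accept:
    wrong tag, inconsistent length, more than 7 unused bits, and non-zero
    padding bits (DER requires the unused bits to be zero)."""
    if len(der) < 3 or der[0] != BIT_STRING_TAG:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")  # KeyUsage is always short-form
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero (DER)")
    total_bits = 8 * len(body) - unused
    names = set()
    # Bit 0 is the most significant bit of the first content octet.
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] >> (7 - i % 8) & 1:
            names.add(KEY_USAGE_BITS[i])
    return names


def encode_key_usage(names):
    """DER-encode a set of named bits.  DER drops trailing zero bits from a
    named bit list, so the unused-bits count depends on the highest bit set
    and an empty set encodes as 03 01 00."""
    indices = [KEY_USAGE_BITS.index(n) for n in names]  # unknown name -> ValueError
    if not indices:
        return bytes([BIT_STRING_TAG, 1, 0])
    highest = max(indices)
    nbytes = highest // 8 + 1
    body = bytearray(nbytes)
    for i in indices:
        body[i // 8] |= 1 << (7 - i % 8)
    unused = 8 * nbytes - (highest + 1)
    return bytes([BIT_STRING_TAG, 1 + nbytes, unused]) + bytes(body)


# Which bit a relying party must find before accepting a signature over a
# given kind of object, following the RFC 3280 text: keyCertSign for
# certificates, cRLSign for CRLs, nonRepudiation for a non-repudiation
# service, digitalSignature for other uses such as entity and data-origin
# authentication.  (Example's own table; policy-level refinements omitted.)
REQUIRED_BIT = {
    "certificate": "keyCertSign",
    "crl": "cRLSign",
    "non-repudiation": "nonRepudiation",
    "authentication": "digitalSignature",
}


def permits_signature(names, signed_object):
    """True if the asserted bits allow a signature over signed_object."""
    return REQUIRED_BIT[signed_object] in names


def describe(der):
    """Human-readable, sorted listing of the asserted bits."""
    return ", ".join(sorted(decode_key_usage(der), key=KEY_USAGE_BITS.index))


if __name__ == "__main__":
    # Constructed samples: a typical end-entity value and a CA value.
    for hexval in ("030205a0", "03020106"):
        print(hexval, "->", describe(bytes.fromhex(hexval)))
    ee = decode_key_usage(bytes.fromhex("030205a0"))
    print("end entity may sign certificates:", permits_signature(ee, "certificate"))
```

Running the module prints the decoded bit names for the two constructed 
values and shows that a subject holding only digitalSignature and 
keyEncipherment is not permitted to sign certificates, which is exactly the 
carve-out the RFC 3280 sentence makes.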