Re: [pkix] Private key usage period extension
Peter Rybár <peter.rybar@nbusr.sk> Fri, 06 May 2016 13:01 UTC
Return-Path: <prvs=09344e319b=peter.rybar@nbusr.sk>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C04CC12D150 for <pkix@ietfa.amsl.com>; Fri, 6 May 2016 06:01:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.051
X-Spam-Level:
X-Spam-Status: No, score=-0.051 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSRUp7yKIEgB for <pkix@ietfa.amsl.com>; Fri, 6 May 2016 06:01:21 -0700 (PDT)
Received: from mail.nbusr.sk (mail.nbusr.sk [84.245.65.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C20612D1BE for <pkix@ietf.org>; Fri, 6 May 2016 06:01:20 -0700 (PDT)
From: Peter Rybár <peter.rybar@nbusr.sk>
To: 'Erik Andersen' <era@x500.eu>, 'Directory list' <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
References: <000901d1a773$379e1680$a6da4380$@x500.eu> <572C6980.8000808@cs.tcd.ie> <CA+i=0E6oo1hZSbyN_xYM1oB4-gKiuxCx-OotqAVz+G6Z7S6uJA@mail.gmail.com> <005501d1a792$626cdb20$27469160$@x500.eu>
In-Reply-To: <005501d1a792$626cdb20$27469160$@x500.eu>
Date: Fri, 06 May 2016 15:01:05 +0200
Message-ID: <201605061301.u46D1H0a018382@mail.nbusr.sk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_004B_01D1A7A8.1D3B60B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJYEc9fvtVi9SNiQE1fwP6vqYjwqAK1ra7zAi9++poB/9jKa55n4Nuw
Content-Language: sk
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 6
X-NAI-Spam-Score: 0.4
X-NAI-Spam-Version: 2.3.0.9418 : core <5664> : inlines <4770> : streams <1630939> : uri <2204347>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/-yxoTNLMf8B0kBlomElyNha2OJE>
Subject: Re: [pkix] Private key usage period extension
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2016 13:01:24 -0000
You can see many certificates with the same key and with different validity period e.g. in Austria trusted list: http://tlbrowser.tsl.website/tools/index.jsp - AT Rundfunk und Telekom Regulierungs-GmbH -- Trust Service Providers --- A-Trust Gesellschaft für Sicherheitssysteme im elektronischen Datenverkehr GmbH --- Trust Services ---- a-sign-Premium-Sig-01 (key no. 1) Certificate (1) Serial number: 6164 Subject: CN=a-sign-Premium-Sig-01,OU=a-sign-Premium-Sig-01,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT Valid not before: Thu Jan 23 00:00:00 CET 2003 not after: Mon Jan 23 00:00:00 CET 2006 SubjectKeyIdentifier 40:D7:F3:9E:1B:87:3A:CC Certificate (2) Serial number: 57998 Subject: CN=a-sign-Premium-Sig-01,OU=a-sign-Premium-Sig-01,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT Valid not before: Mon Dec 06 00:00:00 CET 2004 not after: Mon Dec 01 00:00:00 CET 2008 SubjectKeyIdentifier 40:D7:F3:9E:1B:87:3A:CC Certificate (3) Serial number: 307164 Subject: CN=a-sign-Premium-Sig-01,OU=a-sign-Premium-Sig-01,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT Valid not before: Mon Dec 01 00:00:00 CET 2008 not after: Sat Dec 01 00:00:00 CET 2012 SubjectKeyIdentifier 40:D7:F3:9E:1B:87:3A:CC ... Peter From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen Sent: Friday, May 6, 2016 2:26 PM To: Directory list; PKIX Subject: Re: [pkix] Private key usage period extension OK, it is being used. I have seen no reason so far that the private key use period starts before and/or ends after the certificates validity period. If I get a message together with a certificate and the message is signed after the certificate validity period, but before the notAfter for the private key usage period, what do I do? Consider the certificate invalid and discard the message or do I validate the signature with the public key I am not supposed to use anymore. It is of no help to me that there may be another certificates with the same key pair, where the certificate validity period is different. I might not know those certificates. Regards, Erik Fra: Erwann Abalea [mailto:eabalea@gmail.com] Sendt: 06 May 2016 12:30 Til: Stephen Farrell <stephen.farrell@cs.tcd.ie> Cc: Erik Andersen <era@x500.eu>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org> Emne: Re: [pkix] Private key usage period extension Bonjour, This extension is heavily used in electronic passports. ICAO has set it to be mandatory for Root CA and Document Signer certificates (subscriber certs used to verify data in passports), and optional for MasterList signers. See ICAO MRTD 9303 part 12 document (http://www.icao.int/publications/Documents/9303_p12_cons_en.pdf). ICAO did a bad job here; this extension already hurt them in the past (preventing some Roots to issue a fresh CRL), and their "solution" was to change the Name comparison rule for CRL checking, so that CAs that don't have the same Name but have the countryName in common are to be considered the same CAs, except for China. Yes, it's that bad. This extension was already deprecated in RFC2459. 2016-05-06 11:53 GMT+02:00 Stephen Farrell <stephen.farrell@cs.tcd.ie>: Hi Erik, I've a separate question: does anyone use this extension or should we put it on a virtual/mental list of stuff to be deprecated when/if someone has the energy? S. On 06/05/16 09:42, Erik Andersen wrote: > X.509 has a specification of the Private key usage period extension > (8.2.2.5). This extension is a little confusing. It has notBefore and > notAfter specification. However, the text says: > > The notBefore component indicates the earliest date and time at which the > private key could be used for signing. If the notBefore component is not > present, then no information is provided as to when the period of valid use > of the private key commences. The notAfter component indicates the latest > date and time at which the private key could be used for signing. If the > notAfter component is not present then no information is provided as to when > the period of valid use of the private key concludes. > > With a little ill will, this can be read as the private key validation > period may extend beyond the validity of the public key. Note 1 adds to the > confusing, as it says: > > NOTE 1 - The period of valid use of the private key may be different from > the certified validity of the public key as indicated by the certificate > validity period. With digital signature keys, the usage period for the > signing private key is typically shorter than that for the verifying public > key. > > It is the word "typical" that confuses me. It implies it could be different. > > This extension was included in RFC 3280 with a heavy health warning. It was > omitted from RFC 5280 (except for A.2). > > In my mind, the validity of the private key should not spread outside the > validity period of the certificate. > > Have I misunderstood something? -- Erwann.
- [pkix] Private key usage period extension Erik Andersen
- Re: [pkix] Private key usage period extension Peter Rybár
- Re: [pkix] Private key usage period extension Stephen Farrell
- Re: [pkix] Private key usage period extension Erwann Abalea
- Re: [pkix] Private key usage period extension Stephen Farrell
- Re: [pkix] Private key usage period extension Erik Andersen
- Re: [pkix] [x500standard] Private key usage perio… Stefan Santesson
- Re: [pkix] Private key usage period extension Stephen Farrell
- Re: [pkix] Private key usage period extension Peter Rybár
- Re: [pkix] [x500standard] SV: Private key usage p… Stefan Santesson
- Re: [pkix] [x500standard] Re: SV: Private key usa… Erik Andersen
- Re: [pkix] [x500standard] SV: Re: SV: Private key… Stefan Santesson
- Re: [pkix] Private key usage period extension Russ Housley
- Re: [pkix] Private key usage period extension Peter Gutmann
- Re: [pkix] Private key usage period extension Erik Andersen
- Re: [pkix] Private key usage period extension Martin Rex