[pkix] Re: [Technical Errata Reported] RFC5280 (8789)
Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 03 March 2026 20:02 UTC
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Paul Hoffman <phoffman@proper.com>, "pkix@ietf.org" <pkix@ietf.org>
Date: Tue, 03 Mar 2026 20:02:11 +0000
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/1C2WPuWqMRVQmDaMFVO8k4RBtQc>

Right, but for an errata to be appropriate, the original text has to actually be "in error", not just that "some of us would write something different if we were writing it today".

I actually find the comment very useful, as it correctly indicates that these EKUs were in fact intended primarily for web usage at the time the document was written.

I've actually suggested a few times that we should fix the situation by having two new EKUs (one for WebPKI and one for non-web), but there are drawbacks to that approach, and it should be a new RFC draft, not an errata.

-Tim

________________________________
From: Paul Hoffman <phoffman@proper.com>
Sent: Tuesday, March 3, 2026 2:44 PM
To: pkix@ietf.org <pkix@ietf.org>
Subject: [pkix] Re: [Technical Errata Reported] RFC5280 (8789)

On 3 Mar 2026, at 11:32, Tim Hollebeek wrote:

> I think it should be rejected as well. I actually have lots of strong feelings on this issue, but the original text is not wrong.

So, some people think it is a comment and thus just editorial, others think it is technical but wrong. We have a long history of people reading 5280 and 3280 literally, including the comments, particularly comments about key usage. To me, the fact that those arguments exist among readers indicates that the comments are in fact part of the spec. We also know that many CAs will write certificates with id-kp-serverAuth that are not intended for the (undefined) WWW.

--Paul Hoffman