Re: [pkix] Managing Long-Lived CA certs

Carl Wallace <> Wed, 19 July 2017 18:06 UTC

Date: Wed, 19 Jul 2017 14:06:44 -0400
From: Carl Wallace <>
To: "Dr. Pala" <>, <>
Thread-Topic: [pkix] Managing Long-Lived CA certs
References: <> <001501d2ff0e$00eddfa0$02c99ee0$> <> <> <003d01d2ffdd$35d67c70$a1837550$> <>
Subject: Re: [pkix] Managing Long-Lived CA certs

From:  pkix <> on behalf of "Dr. Pala"
Organization:  OpenCA Labs
Date:  Wednesday, July 19, 2017 at 1:33 PM
To:  <>
Subject:  Re: [pkix] Managing Long-Lived CA certs

> Hi all,
> I just want to point out that the extension that is mentioned is NOT the same
> as I wanted to try to propose (if this is highly controversial, it can just be an
> informational RFC). The only correct answer to my question actually is:
> nothing like that exists, something similar was deprecated in RFC5280 but it
> is still used in other environments.

[CW] Re: your proposal (politics aside), it's not clear that a mechanism to
allow a CA key to live for CRL generation but not certificate signing is
necessary to serve a community that doesn't check revocation status (i.e.,
lightbulbs, in your example). An alternative that does not require new ASN.1
would be to reuse the PrivateKeyUsagePeriod syntax, define a new OID, and
declare the semantics for extensions with the OID and structure to be for CA
keys only with the caveat that CRLs and OCSP responder certificates can be
signed after the date in the extension.
> <very large snip>
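The alternative sketched in the reply above (reuse the PrivateKeyUsagePeriod syntax under a new OID, and let the CA key keep signing CRLs and OCSP responder certificates after the date in the extension) worked through as an added example; this is not code from the thread, from OpenCA or from any PKIX specification. It hand-encodes and decodes the RFC 5280 Appendix A PrivateKeyUsagePeriod structure in DER, wraps it in a non-critical Extension under a placeholder OID (`1.3.6.1.4.1.99999.16`, an assumption, not a registered arc), and applies the proposed signing rule. The `ca_key_may_sign` function and its object-kind labels (`certificate`, `crl`, `ocsp_responder_certificate`) are likewise illustrative assumptions, and the sample dates are constructed.

```python
# Added example, not from the thread or any PKIX spec: a PrivateKeyUsagePeriod-shaped
# extension under a hypothetical OID, plus the proposed signing rule for CA keys.
from datetime import datetime, timezone

# Placeholder arc for the proposed extension (assumption, not registered anywhere);
# id-ce-privateKeyUsagePeriod itself is 2.5.29.16 (RFC 5280 Appendix A).
HYPOTHETICAL_CA_KEY_PERIOD_OID = "1.3.6.1.4.1.99999.16"

def _der_length(n: int) -> bytes:
    if n < 0x80:  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value

def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_generalized_time(dt: datetime) -> bytes:
    """RFC 5280 4.1.2.5.2 form: YYYYMMDDHHMMSSZ in UTC, no fractional seconds."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")

def encode_key_period(not_before=None, not_after=None) -> bytes:
    """PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] IMPLICIT GeneralizedTime
    OPTIONAL, notAfter [1] IMPLICIT GeneralizedTime OPTIONAL } (RFC 5280 App. A)."""
    body = b""
    if not_before is not None:
        body += _tlv(0x80, encode_generalized_time(not_before))
    if not_after is not None:
        body += _tlv(0x81, encode_generalized_time(not_after))
    return _tlv(0x30, body)

def encode_extension(oid: str, extn_value: bytes) -> bytes:
    """Non-critical Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    (DER omits 'critical' when it equals its DEFAULT FALSE)."""
    return _tlv(0x30, encode_oid(oid) + _tlv(0x04, extn_value))

def _read_tlv(buf: bytes, pos: int):
    # Return (tag, value, next_pos) for the definite-length TLV starting at pos.
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _parse_generalized_time(raw: bytes) -> datetime:
    text = raw.decode("ascii")
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def decode_key_period(der: bytes) -> dict:
    """Parse PrivateKeyUsagePeriod DER into {'not_before', 'not_after'}."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    period, pos = {"not_before": None, "not_after": None}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x80:
            period["not_before"] = _parse_generalized_time(value)
        elif tag == 0x81:
            period["not_after"] = _parse_generalized_time(value)
        else:
            raise ValueError(f"unexpected tag {tag:#x}")
    return period

# Objects the CA key may still sign after notAfter under the proposed semantics.
REVOCATION_OBJECTS = {"crl", "ocsp_responder_certificate"}

def ca_key_may_sign(period: dict, object_kind: str, signing_time: datetime) -> bool:
    """Inside the window: anything; after notAfter: revocation objects only;
    before notBefore: nothing. The object_kind labels are illustrative."""
    nb, na = period["not_before"], period["not_after"]
    if nb is not None and signing_time < nb:
        return False
    if na is not None and signing_time > na:
        return object_kind in REVOCATION_OBJECTS
    return True

def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

if __name__ == "__main__":  # constructed sample: certificates 2010-2019, CRLs afterwards
    period = decode_key_period(encode_key_period(utc(2010, 1, 1), utc(2020, 1, 1)))
    for kind in ("certificate", "crl", "ocsp_responder_certificate"):
        print(kind, ca_key_may_sign(period, kind, utc(2021, 6, 1)))
```

The split between `ca_key_may_sign` and the parser reflects where the rule would be enforced: a CA's signing service would consult it before issuing anything, and a relying party that does check revocation status could apply the same predicate to the signing time of a certificate it is validating, while still accepting a CRL or OCSP responder certificate signed after `notAfter`. The implicit tags `0x80` and `0x81` follow the IMPLICIT TAGS default of the RFC 5280 module in which PrivateKeyUsagePeriod is defined.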