Re: [pkix] Next edition of X.509
Erwann Abalea <eabalea@gmail.com> Sun, 24 January 2016 00:11 UTC
In-Reply-To: <052f01d15639$79fa33a0$6dee9ae0$@gmail.com>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu> <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com> <CA+i=0E4d_KKjMmMQ3q=VWRA4iU3=HR2RffE1-P5Xc8aG+VWcGw@mail.gmail.com> <052f01d15639$79fa33a0$6dee9ae0$@gmail.com>
Date: Sun, 24 Jan 2016 01:11:29 +0100
Message-ID: <CA+i=0E4a_wnHbt97QnUOkZPP_=eCXXdkXbZHsXiwGKWQ1_bnnA@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/3IfV0BdyrkK5Xksuj4N6oZrGV-A>
Cc: Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509
If you need an EKU used by an end-entity certificate to be present in the CA certificates (=granted), then you'll need the OCSPsigning EKU to be present in the issuing CA certificate. Which makes this issuing CA certificate a designated OCSP responder for its issuer.

The problem will arise if you want to constrain a CA for specific key usages, i.e. when you'll want to make use of this redefinition.

On Sunday, 24 January 2016, Santosh Chokhani <santosh.chokhani@gmail.com> wrote:

> What do you mean by not working?
>
> If one assumes that absence of EKU makes a certificate unconstrained, does this not work?
>
> Maybe you mean OCSP clients do not enforce EKU for the path.
>
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erwann Abalea
> Sent: Saturday, January 23, 2016 6:43 PM
> To: Peter Bowen <pzbowen@gmail.com>
> Cc: Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>
> Subject: Re: [pkix] Next edition of X.509
>
> It doesn't work with designated OCSP responder certificates, unless you introduce an exception for this particular extended key usage.
>
> 2016-01-23 13:44 GMT+01:00 Peter Bowen <pzbowen@gmail.com>:
>
> In 8.2.2.4, replace the first sentence with:
>
> The presence of this extension in an end-entity certificate indicates one or more purposes for which the certified public key may be used, in addition to, or in place of the basic purposes indicated in the key usage extension field. The presence of this extension in a certificate issued by one CA to another CA constrains the key purposes in subsequent certificates in a certification path.
>
> If there is support for this addition, then additions will also be needed in section 10 to include key purposes in the input, output, and processing.
>
> Thanks,
> Peter
>
> On Sat, Jan 23, 2016 at 2:19 AM, Erik Andersen <era@x500.eu> wrote:
>
> Hi Peter,
>
> I would like to explore whether there is support for such an addition to X.509. Could I have your comments please?
>
> Regards,
>
> Erik
>
> -----Original message-----
> From: Peter Bowen [mailto:pzbowen@gmail.com]
> Sent: 23 January 2016 02:50
> To: Erik Andersen <era@x500.eu>
> Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>; WG15@iectc57.org
> Subject: Re: [pkix] Next edition of X.509
>
> Erik,
>
> While I'm sure this is a contentious proposal, I would propose that X.509 add language allowing usage of Extended Key Usage for constraints, joining certificate policies, name constraints, basic constraints, etc. Many widely deployed certificate path validation libraries already implement this even though it is unclear at best whether such is compliant with X.509 (10/2012).
>
> Thanks,
> Peter
>
> On Mon, Dec 7, 2015 at 3:38 AM, Erik Andersen <era@x500.eu> wrote:
>> Hi Stephen,
>>
>> I will collect any comment on any list. The goal is to get the best technical specification.
>>
>> Regards,
>>
>> Erik
>>
>> -----Original message-----
>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>> Sent: 07 December 2015 11:45
>> To: Erik Andersen <era@x500.eu>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>
>> Cc: WG15@iectc57.org
>> Subject: Re: [pkix] Next edition of X.509
>>
>> Thank you Erik! Do I understand correctly that comments from this list that you get before February are useful and that sending comments to the pkix list works well enough for you?
>>
>> If so, great, and I'd ask folks who care about RFC5280 or other PKIX RFCs to please review this to check for any glitches that might affect interop should new code be written based on the ISO doc. I'm sure other comments are also welcome,
>>
>> Cheers,
>> S.
>>
>> On 07/12/15 10:33, Erik Andersen wrote:
>>> In preparation for the next edition of X.509 (the 2016 edition), I have forwarded to the ISO/IEC JTC1/SC6 two documents for three-month ballots:
>>>
>>> These two documents may be found as:
>>>
>>> 1. http://www.x500standard.com/uploads/extensions/x509-pdam-amd2.pdf, which is the 3rd PDAM text for an amendment to X.509.
>>>
>>> 2. http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor2.pdf, which is a second draft technical corrigendum. This technical corrigendum is based on a set of defect reports, which include the justification for the changes. The defect reports may be found on http://www.x500standard.com/index.php?n=Ig.DefectReports.
>>>
>>> An early corrigendum has been approved within ISO and ITU-T and may be found as: http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor1.pdf.
>>>
>>> These three documents together with the seventh edition will provide the input to the next edition of X.509. The different X recommendations, including X.509, may be found at http://www.itu.int/rec/T-REC-X/e. This edition of X.509 is freely available in the PDF version.
>>>
>>> Those involved in ISO/IEC JTC1/SC6 can, of course, submit ballot comments on the two documents out for ballot. Others, who may have comments on these documents, may post them on the lists and after consolidation and consensus, they may be issued as ITU-T comments.
>>>
>>> It is important to check whether any of the suggested changes affects running code. If that is the case, it is a mistake.
>>>
>>> The intention behind the changes has been:
>>>
>>> 1. A better separation between public-key certificates and attribute certificates.
>>>
>>> 2. Use of a consistent terminology.
>>>
>>> 3. Use of a consistent editing style in accordance with the ITU-T editing guidelines.
>>>
>>> 4. A new PKI component called trust broker, which assists a relying party in validating a public-key certificate, is included.
>>>
>>> 5. IEC TC57 WG15 has identified a requirement for a feature first called whitelist, but now the term authorization and validation list is used. A proposal for such a feature is included in the amendment.
>>>
>>> The main goal has been to position X.509 for new challenges, such as smart grid security and security for Internet of Things with battery-driven devices, very short messages (can we put a 257 octet signature on a few octets message?), short reaction time requirements, many millions of entities, etc. This is all very different from Web-based systems.
>>>
>>> Kind regards,
>>>
>>> Erik
>>>
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pkix
>
> --
> Erwann.

--
Erwann.
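The exchange above turns on one rule: if a CA certificate's EKU constrains the purposes of every certificate below it (Peter's proposed 8.2.2.4 text), a CA constrained to TLS purposes can no longer issue its own designated OCSP responder certificate unless either id-kp-OCSPSigning gets an exception or the CA certificate itself carries id-kp-OCSPSigning, which in turn makes the CA certificate a designated responder for its issuer. The following model is an added example written for this page; it is not code from the thread, from X.509 or from any validation library. Certificates are plain dicts, no ASN.1, signature or revocation checking is done, and every certificate, subject name and path is constructed for the demonstration; only the key-purpose OIDs are the real RFC 5280 / RFC 6960 values.

```python
"""Model of Extended Key Usage (EKU) as a certification-path constraint.

Added example, not part of the original thread or of any standard text.
Certificates are plain dicts; nothing is parsed, signed or checked for
revocation. OIDs are the real RFC 5280 / RFC 6960 values; every certificate
below is constructed for illustration.
"""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def path_key_purposes(path):
    """Purposes the CA certificates of a path grant to later certificates.

    path is ordered trust anchor first, end entity last. Modelled rule (the
    proposal plus Santosh's assumption): a CA certificate without EKU adds no
    constraint; a CA certificate with EKU restricts later certificates to the
    intersection; anyExtendedKeyUsage in a CA certificate is treated as no
    constraint. Returns None when the path is unconstrained.
    """
    allowed = None
    for ca in path[:-1]:
        eku = ca.get("eku")
        if not eku or ANY_EXTENDED_KEY_USAGE in eku:
            continue
        allowed = set(eku) if allowed is None else allowed & set(eku)
    return allowed


def validate_eku(path, ocsp_exception=False):
    """Check the end-entity EKU against the path constraint; return (ok, reason).

    ocsp_exception=True models the exception Erwann says the proposal would
    need: id-kp-OCSPSigning in the end entity is accepted even when no CA in
    the path grants it (a responder is designated by its issuer, not by the chain).
    """
    allowed = path_key_purposes(path)
    if allowed is None:
        return True, "no CA in the path carries EKU, so the path is unconstrained"
    leaf_eku = set(path[-1].get("eku") or ())
    if not leaf_eku:
        # Assumption of this model: an EKU-less end entity is limited to what the path grants.
        return True, "end entity without EKU inherits the path purposes: " + ", ".join(sorted(allowed))
    checked = leaf_eku - {ID_KP_OCSP_SIGNING} if ocsp_exception else leaf_eku
    not_granted = checked - allowed
    if not_granted:
        return False, "purposes not granted by the CA path: " + ", ".join(sorted(not_granted))
    return True, "every end-entity purpose is granted by the CA path"


def is_designated_ocsp_responder(cert):
    """RFC 6960 style designation: the certificate's EKU includes id-kp-OCSPSigning."""
    return ID_KP_OCSP_SIGNING in (cert.get("eku") or ())


# Constructed certificates (subject names and EKU sets are invented for the demo).
ROOT = {"subject": "Example Root", "eku": None}
TLS_CA = {"subject": "Example TLS Issuing CA", "eku": {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH}}
GRANTING_CA = {"subject": "Example TLS Issuing CA (grants OCSPSigning)",
               "eku": {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH, ID_KP_OCSP_SIGNING}}
OPEN_CA = {"subject": "Example Unconstrained CA", "eku": None}
TLS_SERVER = {"subject": "www.example.test", "eku": {ID_KP_SERVER_AUTH}}
OCSP_RESPONDER = {"subject": "Example OCSP Responder", "eku": {ID_KP_OCSP_SIGNING}}


def scenarios():
    """The cases discussed in the thread, as {name: (ok, reason)}."""
    return {
        # Santosh's reading: no EKU on the CAs, so nothing is constrained.
        "unconstrained path": validate_eku([ROOT, OPEN_CA, OCSP_RESPONDER]),
        # Constraining a CA to TLS purposes works for its TLS leaves...
        "tls leaf under tls ca": validate_eku([ROOT, TLS_CA, TLS_SERVER]),
        # ...but its designated OCSP responder fails the strict intersection rule.
        "ocsp responder under tls ca": validate_eku([ROOT, TLS_CA, OCSP_RESPONDER]),
        # First way out: carve an exception for id-kp-OCSPSigning.
        "ocsp responder with exception": validate_eku([ROOT, TLS_CA, OCSP_RESPONDER], ocsp_exception=True),
        # Second way out: grant OCSPSigning in the CA certificate itself.
        "ocsp responder under granting ca": validate_eku([ROOT, GRANTING_CA, OCSP_RESPONDER]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
    # Side effect of the second way out: the CA certificate now qualifies as a
    # designated OCSP responder for its own issuer.
    print("GRANTING_CA is itself a designated responder:", is_designated_ocsp_responder(GRANTING_CA))
```

Running the script shows the asymmetry the thread is about: the TLS-constrained CA's server certificate passes, its OCSP responder certificate fails, and both remedies make it pass, but the second one leaves `is_designated_ocsp_responder(GRANTING_CA)` true. Anyone writing or reviewing an EKU-constraining validator should decide explicitly which of the two behaviours it implements, since the difference is invisible for paths whose CA certificates carry no EKU at all.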