IETF Logo Mail Archive

Re: [pkix] Next edition of X.509

mrex@sap.com (Martin Rex) Mon, 01 February 2016 15:34 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EB3C1ACEA8 for <pkix@ietfa.amsl.com>; Mon, 1 Feb 2016 07:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydBN1ft2nEeB for <pkix@ietfa.amsl.com>; Mon, 1 Feb 2016 07:34:31 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CB701ACEA5 for <pkix@ietf.org>; Mon, 1 Feb 2016 07:34:31 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id E5D5D447C9; Mon, 1 Feb 2016 16:34:28 +0100 (CET)
X-purgate-ID: 152705::1454340868-00001C04-FEE84C9E/0/0
X-purgate-size: 2472
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id BEBD5401A3; Mon, 1 Feb 2016 16:34:28 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 6B41D1A400; Mon, 1 Feb 2016 16:34:28 +0100 (CET)
In-Reply-To: <CAK6vND9AKua0fG9nyUjF4NyDYqCgRCv+Gya1-z3L+eg4eN1gag@mail.gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Date: Mon, 01 Feb 2016 16:34:28 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20160201153428.6B41D1A400@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/4NW-aRF-5y636ohMy5TDkwUspL4>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2016 15:34:33 -0000

Peter Bowen wrote:
> On Sat, Jan 23, 2016 at 4:24 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>> On 23/01/16 23:58, Peter Bowen wrote:
>>> Until it is clear that using
>>> EKU in the way I described in covered by X.509, it is not possible to
>>> have a strict profile (e.g. PKIX) include it in the profile.
>>
>> I don't know what you mean by that, can you elaborate?
>>
>> My guess is that almost nobody does new implementations of X.509
>> code nowadays, and those that might would go to 5280 and not the
>> latest version of X.509, but I'd be very interested if either of
>> those assumptions is wrong.

You guess is a pretty accurate description of the installed base, Stephen.  :)


> 
> 5280 clearly states that "This memo profiles the X.509 v3 certificate
> and X.509 v2 certificate revocation list (CRL) for use in the
> Internet."  I'm assuming (possibly incorrectly) that a profile is a
> subset.  It add restrictions but anything that is compliant to the
> profile is also compliant to the more general spec.

Peter, you're misreading rfc5280.  PKIX (rfc5280) is *NOT* a profile
of X.509v3 in general, but of X.509v3 08/2005 in particular.

When I asked PKIX CRL processing to adopt a fix for a defect that 
exists in X.509v3 08/2005, but has already been fixed in X.509v3 11/2008,
I faced pretty violent opposition from folks on the IETF PKIX mailing list
(likely because it would make behaviour of some of the installed base
 non-compliant if a certain approach to CRL validation would be changed
 (fixed) retroactively (no matter how obvious the defect is in 08/2005).

So adding a recursive EKU processing into certificate path validation
of X.509v3 xx/201x will have exactly *NO* relevance for the behaviour
of "PKIX-compliant" implementations.


Whether or not some PKIX implementations of the installed base
reject certificates that are not "properly EKU chained" is an entirely
different question.  PKIX implementation are allowed to reject
certificates for all kinds of local policy issues.

The reason why I believe this is an extremely dumb idea, is because
it completely breaks the original concept behind EKU.  Instead, it
hugely impairs new apps to define new EKUs (because this now requires
rolling CA certificates).  It doesn't provide any security benefits,
but it does create additional pricing models for public CAs for
issuing subCA certificates to organizations.


-Martin

v2.23.0 | Report a Bug | By Email