[pkix] Re: [Errata Held for Document Update] RFC5280 (8789)

Corey Bonnell <Corey.Bonnell@digicert.com> Tue, 03 March 2026 19:38 UTC


I'm confused. Isn't this erratum a duplicate of the verified, technical 
erratum https://www.rfc-editor.org/errata/eid5802?

-----Original Message-----
From: RFC Errata System <rfc-editor@rfc-editor.org>
Sent: Tuesday, March 3, 2026 12:34 PM
To: elizabethpslator@gmail.com; david.cooper@nist.gov; stefans@microsoft.com; 
stephen.farrell@cs.tcd.ie; sharon.boeyen@entrust.com; housley@vigilsec.com; 
wpolk@nist.gov
Cc: paul.wouters@aiven.io; iesg@ietf.org; pkix@ietf.org; 
rfc-editor@rfc-editor.org
Subject: [pkix] [Errata Held for Document Update] RFC5280 (8789)

The following errata report has been held for document update for RFC5280, 
"Internet X.509 Public Key Infrastructure Certificate and Certificate 
Revocation List (CRL) Profile".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8789

--------------------------------------
Status: Held for Document Update
Type: Editorial

Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com>
Date Reported: 2026-02-28
Held by: Paul Wouters (IESG)

Section: GLOBAL

Original Text
-------------
Section 4.2.1.12 says:

   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   -- TLS WWW server authentication
   -- Key usage bits that may be consistent: digitalSignature,
   -- keyEncipherment or keyAgreement

   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   -- TLS WWW client authentication
   -- Key usage bits that may be consistent: digitalSignature
   -- and/or keyAgreement
It should say:

   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   -- TLS server authentication
   -- Key usage bits that may be consistent: digitalSignature,
   -- keyEncipherment or keyAgreement

   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   -- TLS client authentication
   -- Key usage bits that may be consistent: digitalSignature
   -- and/or keyAgreement
Notes:

The proposed change removes the WWW part of the description. In practice these 
object identifiers are used for server and client applications, but not 
necessarily web applications. In particular:
- OpenSSL verification considers them unconditionally, even if the server is 
not a web server or the client a web client
- There is no object identifier that can be used for protocols like SMTP, 
IMAP, POP3, LDAP, RADIUS, ...; in practice all these protocols are deployed 
with the identifiers for WWW
- Standards like Common Criteria assume that these object identifiers are for 
generic servers and clients [0].

[0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1


Corrected Text
--------------

Notes
-----
Sec AD (Paul Wouters): Changed to Editorial, as the suggested changes are in 
an ASN.1 comment.

--------------------------------------
RFC5280 (draft-ietf-pkix-rfc3280bis-11)
--------------------------------------
Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
Publication Date    : May 2008
Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
Category            : PROPOSED STANDARD
Source              : Public-Key Infrastructure (X.509)
Stream              : IETF
Verifying Party     : IESG

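As an added example (not code from the erratum, from RFC 5280, or from anyone on this thread), the following Python decodes the two extensions the quoted ASN.1 comments concern and applies the "may be consistent" rule they state; the OIDs and bit positions are those RFC 5280 defines, and the DER sample values are constructed here. The check comes out the same whether the peer speaks HTTPS, SMTP or LDAP, which is the reporter's point.

```python
# Added example, not code from the erratum or RFC 5280: decode a DER extKeyUsage value and a
# keyUsage BIT STRING, then apply the "may be consistent" rule quoted from RFC 5280 4.2.1.12.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp 1
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp 2
CONSISTENT = {  # key usage bits the section 4.2.1.12 comments list for each EKU
    ID_KP_SERVER_AUTH: {"digitalSignature", "keyEncipherment", "keyAgreement"},
    ID_KP_CLIENT_AUTH: {"digitalSignature", "keyAgreement"},
}
# KeyUsage bit names by position (RFC 5280 4.2.1.3); bit 0 is the MSB of the first octet.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
def _tlv(buf, pos):
    """Split the DER TLV at pos into (tag, value, next_pos); short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length
def decode_oid(value):
    """OID content octets to dotted form; the first octet packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def decode_ext_key_usage(der):
    """Return the dotted OIDs listed in an extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)  # each element is an OBJECT IDENTIFIER (tag 0x06)
        oids.append(decode_oid(value))
    return oids
def decode_key_usage(der):
    """Asserted KeyUsage bit names; the unused-bits octet bounds how many bits exist."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    nbits = 8 * (len(body) - 1) - body[0]  # DER strips trailing zero bits
    return {n for i, n in enumerate(KU_BITS) if i < nbits and body[1 + i // 8] >> (7 - i % 8) & 1}
def eku_consistent_with_key_usage(eku_der, ku_der):
    """Per TLS EKU present: does keyUsage assert a consistent bit? Protocol plays no part."""
    ku = decode_key_usage(ku_der)
    return {oid: bool(CONSISTENT[oid] & ku) for oid in decode_ext_key_usage(eku_der) if oid in CONSISTENT}

# Constructed sample values: EKU = {serverAuth, clientAuth} and three keyUsage encodings.
EKU_TLS = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
KU_SIG_ENC = bytes.fromhex("030205a0")   # digitalSignature | keyEncipherment
KU_ENC_ONLY = bytes.fromhex("03020520")  # keyEncipherment only
KU_CERTSIGN = bytes.fromhex("03020204")  # keyCertSign only (a CA key)
```

With KU_ENC_ONLY the result differs between the two EKUs, since keyEncipherment is listed as consistent with serverAuth but not with clientAuth.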