[pkix] Re: [Errata Held for Document Update] RFC5280 (8789)
Deb Cooley <debcooley1@gmail.com> Tue, 03 March 2026 19:44 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: pkix@mail2.ietf.org
Delivered-To: pkix@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C90B4C3AA03E for <pkix@mail2.ietf.org>; Tue, 3 Mar 2026 11:44:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Ng4wDIhkIdp for <pkix@mail2.ietf.org>; Tue, 3 Mar 2026 11:44:24 -0800 (PST)
Received: from mail-dy1-x1335.google.com (mail-dy1-x1335.google.com [IPv6:2607:f8b0:4864:20::1335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 80586C3AA02F for <pkix@ietf.org>; Tue, 3 Mar 2026 11:44:24 -0800 (PST)
Received: by mail-dy1-x1335.google.com with SMTP id 5a478bee46e88-2bded9bf7a7so4244992eec.1 for <pkix@ietf.org>; Tue, 03 Mar 2026 11:44:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1772567063; cv=none; d=google.com; s=arc-20240605; b=hC9ImLkYGFY9dznlD+WvVXxAxGI5K2a7CEQtPb4+lrKA3OG1euDfuEqSjwKqkEKN8X uPhUHRX2eS+Ydwvq495A5/YJ/W0Gkum7QADkVlVB4LMoFX5Vu6LRnm8Wswma+4/zhUwN lhHZ4hBgGQtQXeMrNHaXvPg68HM9EUMl7SeCBVhKK5Lfj3KwSkzd2zf9rOBgkpBVY5bC Fqw4h4A87dJfrFoObsY+xihPrBSNpRzk8FuvI6TbmxNSVmzpzHdr/WYndBZmc98LfEi0 qTk6clBwVWdJeaUKtiaIB4tC3KfwwqOmkykPAqz/4Ra2td/EqyfMysDnM0E/h3hfy05o sh6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=3OpEbACzpG7WspcvihVXRebzYIi8wv0X1TGW1DjKhcs=; fh=r/FGCuuuQGCCRinKa1c+vSxX8/OtqCjengBpKrl3COw=; b=IayapC5cHxU/rWp1BKbg2Cq2X4MsWYfxCHk+JiN/4+q84SJ/I3J+dEAkIqTinM/qF4 D+ltlUFAjQWKIIR3+jvEGNbmG4nyicDJHWpnF22BhNhqiogel3CSlMMod+2gEkNDs53p y5pWvdYnddTkN6fbyWbKOyNyewDHuv2baqKd6gxiAPM5NJsP+uAMz40EAxVuSTm8SeWt DYUWt8H87TYYiO25/WVhwdz3eLXqCFQUJp1nye4p5TdLkfoCGpGumYT+Yr1L9HHokLju /2F2UrSrju/zwWmYNjr1W2uhETYW84oi/jsIytfa4l1erdxox3CH6DQaKae8/SOOnvbT PUbQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772567063; x=1773171863; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3OpEbACzpG7WspcvihVXRebzYIi8wv0X1TGW1DjKhcs=; b=MsL5M/mjUNFM9rjgqUp3HgYdex7ji2+oaTotD6jchlFI2V8vVUuwSRf1K+bn1zs1KQ Ic1PNGOb5HknEJClfxJq6SbqQjdpTm+OO5z9qkW7COA1Y+6ppLPG9AcFPbq/JBlM6ght 5L3BOPy+jUP5iyxMwHDiCjWOyeUxONG0225TKNem/sTBJi1K+0OtqLz0z2P9nPzI+hXA XJ0VT+yQWDSxtmvDjaJA+c+qj4cSvFWaJuDQNHIcUSDCfPr9cSFW8pu3H7FGkR8AlTBL UzJSQq2OOQgaFu9nBeVTEe+SFnBlUaNjMZWs5cMumnykJvLkyk+Y8BCrVeGuCnPCSmcQ E/tA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772567063; x=1773171863; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=3OpEbACzpG7WspcvihVXRebzYIi8wv0X1TGW1DjKhcs=; b=BwwsQm2RtdgnZh+9I/18NK0bK4YBwNkBqF0zIxqNwN3C9MUwwHEjmeup37u+iBxI5r +7wySPYYX6QiTVGblSfN0KP0XQbeLNIQagvk3Nh+hEHSs+blOSRskb5D3XqegJZSv7Yd fE5WdQVXizVFthW4fL7vd7I2mTIrT6QbYzVeievSXqJTPsKsBRx2VN4f4/ZkUGw3jGkp C/uQQjfzmR2WpLLODm2plNjol5Suf2MP/Uzh0Vsz4RUaQ/4bgCuaUuMPoHRdlbA+m6J5 9DkTrYXbznGQlw0vo20uvgyVbP149cWdqfV3/AkAPdSCr60wrNJaMR/6iLtpelxqUJa3 Q4Mw==
X-Forwarded-Encrypted: i=1; AJvYcCVsY40S1suiZqL/zLBfEGTwu5B6eBqlL1rrgkqX5KrXscqLupDPASDHGLxMh1oPzodkdG4Y@ietf.org
X-Gm-Message-State: AOJu0YxwSQX7FEZoN1jd3Tc7HOhZ+I8sMDTmxfRW/QpClMcpmOxJ2SgP qxLXZbU4AV9g4HLNH0Ta6zdsqSZFjtnnJ9t9c34MgwgU+bztjqmlrc4bXmD0DH0wIXItbbzfH6o IzPh7sURVJdwNmfmE2+mj2ONm5SXazg==
X-Gm-Gg: ATEYQzyaGYja9DFXAAlV6JLgWGGbmZ1kHVYhQ9yj2vQ3ieOEJuPa69mL0s5moAkhais 0zBwaru4f6KprPaHo/c88MyFJ5taDXippoemAj/VOdnF5UYDVPkUX0FOQtXHJFfj/bTpmS9MsoF eG48z1bAFx3H/lEcSLLMu83lMjl+Vca4T27A/GYt87+Qvs4yIzSGLVXNU3OGrq5SZEN73DLapU1 O4TJJq6TMBPxU2vZSz96864qgoxZtbYhnM5IsdBol+KiG4YE39FOAicJLiMkYpWfO0vtxbM44u2 cpfaG6lTaIe9+ITscfE2dssLuzHVCAkS2mr+Mbt/Ux3sT16R1a2QXwzsoPvQzoKyI0cG0WTPkeX CGXr0rMKbmxsEQ0aLMgK3JYwa
X-Received: by 2002:a05:7300:d519:b0:2be:1946:8587 with SMTP id 5a478bee46e88-2be19468938mr2474271eec.9.1772567063331; Tue, 03 Mar 2026 11:44:23 -0800 (PST)
MIME-Version: 1.0
References: <20260303173345.DAFE82B457C@rfcpa.rfc-editor.org> <DS0PR14MB6216DE834E8A5A373EFAD9A4927FA@DS0PR14MB6216.namprd14.prod.outlook.com>
In-Reply-To: <DS0PR14MB6216DE834E8A5A373EFAD9A4927FA@DS0PR14MB6216.namprd14.prod.outlook.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Tue, 03 Mar 2026 14:44:11 -0500
X-Gm-Features: AaiRm50hrNQ3l_zECGhKXZQW4KdsaAaIAmmbghyN1f-0n1kuV0OT5vF_gBLZ3II
Message-ID: <CAGgd1OdDGTR4dcuXr=NCO+jtd==8nsbZSuoCzEp13p3BujQAPA@mail.gmail.com>
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000268870064c23ee2c"
Message-ID-Hash: AXKXGFQCXLHDLKOMCTZVIMHZIWAOGKEO
X-Message-ID-Hash: AXKXGFQCXLHDLKOMCTZVIMHZIWAOGKEO
X-MailFrom: debcooley1@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pkix.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: RFC Errata System <rfc-editor@rfc-editor.org>, "elizabethpslator@gmail.com" <elizabethpslator@gmail.com>, "david.cooper@nist.gov" <david.cooper@nist.gov>, "stefans@microsoft.com" <stefans@microsoft.com>, "sharon.boeyen@entrust.com" <sharon.boeyen@entrust.com>, "wpolk@nist.gov" <wpolk@nist.gov>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "iesg@ietf.org" <iesg@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [pkix] Re: [Errata Held for Document Update] RFC5280 (8789)
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/9mQLMGJvF_mKtfJMflntTcGtcgE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Owner: <mailto:pkix-owner@ietf.org>
List-Post: <mailto:pkix@ietf.org>
List-Subscribe: <mailto:pkix-join@ietf.org>
List-Unsubscribe: <mailto:pkix-leave@ietf.org>
It appears to be. It does raise questions... I'll ask what we should do. Deb On Tue, Mar 3, 2026 at 2:38 PM Corey Bonnell <Corey.Bonnell= 40digicert.com@dmarc.ietf.org> wrote: > I'm confused. Isn't this erratum a duplicate of the verified, technical > erratum https://www.rfc-editor.org/errata/eid5802? > > -----Original Message----- > From: RFC Errata System <rfc-editor@rfc-editor.org> > Sent: Tuesday, March 3, 2026 12:34 PM > To: elizabethpslator@gmail.com; david.cooper@nist.gov; > stefans@microsoft.com; > stephen.farrell@cs.tcd.ie; sharon.boeyen@entrust.com; housley@vigilsec.com; > > wpolk@nist.gov > Cc: paul.wouters@aiven.io; iesg@ietf.org; pkix@ietf.org; > rfc-editor@rfc-editor.org > Subject: [pkix] [Errata Held for Document Update] RFC5280 (8789) > > The following errata report has been held for document update for RFC5280, > "Internet X.509 Public Key Infrastructure Certificate and Certificate > Revocation List (CRL) Profile". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid8789 > > -------------------------------------- > Status: Held for Document Update > Type: Editorial > > Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com> Date > Reported: 2026-02-28 Held by: Paul Wouters (IESG) > > Section: GLOBAL > > Original Text > ------------- > Section 4.2.1.12 says: > > id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } > -- TLS WWW server authentication > -- Key usage bits that may be consistent: digitalSignature, > -- keyEncipherment or keyAgreement > > id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } > -- TLS WWW client authentication > -- Key usage bits that may be consistent: digitalSignature > -- and/or keyAgreement > It should say: > > id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } > -- TLS server authentication > -- Key usage bits that may be consistent: digitalSignature, > -- keyEncipherment or keyAgreement > > id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } > -- TLS client authentication > -- Key usage bits that may be consistent: digitalSignature > -- and/or keyAgreement > Notes: > > The proposed change removes the WWW part of the description. In practice > these > object identifiers are used for server and client applications, but not > necessarily web applications. In particular: > - openssl verification considers them unconditionally even if the server > is > not a web server or the client a web client > - There is no object identifier that can be used for protocols like SMTP, > IMAP, POP3, LDAP, radius, ...; in practice all these protocols are > deployed > with the identifiers for WWW > - Standards like common criteria assume that these object identifiers are > for > generic server and clients [0]. > > [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1 > > Report New Errata > > Corrected Text > -------------- > Section 4.2.1.12 says: > > id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } > -- TLS WWW server authentication > -- Key usage bits that may be consistent: digitalSignature, > -- keyEncipherment or keyAgreement > > id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } > -- TLS WWW client authentication > -- Key usage bits that may be consistent: digitalSignature > -- and/or keyAgreement > It should say: > > id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } > -- TLS server authentication > -- Key usage bits that may be consistent: digitalSignature, > -- keyEncipherment or keyAgreement > > id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } > -- TLS client authentication > -- Key usage bits that may be consistent: digitalSignature > -- and/or keyAgreement > Notes: > > The proposed change removes the WWW part of the description. In practice > these > object identifiers are used for server and client applications, but not > necessarily web applications. In particular: > - openssl verification considers them unconditionally even if the server > is > not a web server or the client a web client > - There is no object identifier that can be used for protocols like SMTP, > IMAP, POP3, LDAP, radius, ...; in practice all these protocols are > deployed > with the identifiers for WWW > - Standards like common criteria assume that these object identifiers are > for > generic server and clients [0]. > > [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1 > > Report New Errata > > Notes > ----- > Sec AD (Paul Wouters): Changed to Editorial, as the suggested changes are > in > an ASN.1 comment > > -------------------------------------- > RFC5280 (draft-ietf-pkix-rfc3280bis-11) > -------------------------------------- > Title : Internet X.509 Public Key Infrastructure Certificate > and > Certificate Revocation List (CRL) Profile > Publication Date : May 2008 > Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. > Housley, W. Polk > Category : PROPOSED STANDARD > Source : Public-Key Infrastructure (X.509) > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > pkix mailing list -- pkix@ietf.org > To unsubscribe send an email to pkix-leave@ietf.org >
- [pkix] [Errata Held for Document Update] RFC5280 … RFC Errata System
- [pkix] Re: [Errata Held for Document Update] RFC5… Corey Bonnell
- [pkix] Re: [Errata Held for Document Update] RFC5… Deb Cooley