Re: [pkix] Next edition of X.509

Peter Bowen <pzbowen@gmail.com> Sun, 24 January 2016 00:43 UTC

In-Reply-To: <56A419A1.2040503@cs.tcd.ie>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu> <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com> <56A3B913.3030506@comcast.net> <CAK6vND-Fs=SiFTUJmtXsKPNgenwBFCEb=4oVxQ8zxdG4kttOjA@mail.gmail.com> <052101d15636$aecdca40$0c695ec0$@gmail.com> <CAK6vND_Yr8+cVF-Y_L203XAAn0DeVn7ww18Np-K++4njqEeUTg@mail.gmail.com> <56A419A1.2040503@cs.tcd.ie>
Date: Sat, 23 Jan 2016 16:43:19 -0800
Message-ID: <CAK6vND9AKua0fG9nyUjF4NyDYqCgRCv+Gya1-z3L+eg4eN1gag@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/AfLQ6eAYVAyEvJD3Z_ORkQa19WM>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509

On Sat, Jan 23, 2016 at 4:24 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> On 23/01/16 23:58, Peter Bowen wrote:
>> Until it is clear that using
>> EKU in the way I described is covered by X.509, it is not possible to
>> have a strict profile (e.g. PKIX) include it in the profile.
>
> I don't know what you mean by that, can you elaborate?
>
> My guess is that almost nobody does new implementations of X.509
> code nowadays, and those that might would go to 5280 and not the
> latest version of X.509, but I'd be very interested if either of
> those assumptions is wrong.
>
> If I'm not wrong, then updates to the base X.509 spec are no
> longer really important, other than for the sake of tidiness.
> Another corollary would be that the opinions of people who
> have no influence over running code but who think one document
> or the other is more important, can safely be ignored. Again,
> good to know if that's incorrect.

5280 clearly states that "This memo profiles the X.509 v3 certificate
and X.509 v2 certificate revocation list (CRL) for use in the
Internet."  I'm assuming (possibly incorrectly) that a profile is a
subset.  It adds restrictions, but anything that is compliant to the
profile is also compliant to the more general spec.

During discussions about PKI interoperability (especially getting
existing PKIs cross-signed by other PKIs or added to trust anchor
lists) it has come up repeatedly that some PKI implementers see the
use of EKU in CA certificates as a constraint as not allowed under
X.509 and therefore not allowed in RFC 5280.

If I have this wrong, and you think that it is a viable path to define
the use of EKU in CA certificates as a constraint in the PKIX profile
with no changes to X.509, I would be very happy.

Thanks,
Peter
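The "EKU in CA certificates as a constraint" behaviour the message refers to, written out as an added example (not part of this mailing-list message, and not code from any PKIX or X.509 specification). The chain is modelled as the EKU set of each certificate from the leaf upward; the rule applied here, that a purpose is allowed only if every certificate in the chain (CA certificates included) permits it, is the de facto behaviour several path validators implement and is exactly the interpretation the message says RFC 5280 and X.509 do not spell out. The treatment of an absent EKU extension and of anyExtendedKeyUsage as "no restriction" follows RFC 5280 section 4.2.1.12; the constructed sample chain at the bottom is illustrative only.

```python
# Added illustration of EKU applied as a chain-wide constraint.  This is not
# behaviour specified by RFC 5280 or X.509; it models what some validators do.
from typing import Optional, Sequence, Set

# Extended key usage purpose OIDs as listed in RFC 5280 section 4.2.1.12.
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# A certificate's EKU is a set of OID strings, or None when the extension
# is absent (RFC 5280 treats an absent EKU as "no restriction").
EkuSet = Optional[Set[str]]


def eku_permits(eku: EkuSet, purpose: str) -> bool:
    """True if a single certificate with this EKU may be used for `purpose`."""
    if eku is None:
        return True            # extension absent: unrestricted
    return purpose in eku or ANY_EKU in eku


def chain_permits(chain: Sequence[EkuSet], purpose: str) -> bool:
    """Apply EKU as a constraint over the whole chain.

    `chain` holds the EKU set of each certificate from the leaf up to, but
    not including, the trust anchor.  Under the constraint interpretation
    every certificate, CA certificates included, must permit the purpose.
    """
    return all(eku_permits(eku, purpose) for eku in chain)


def first_blocking_cert(chain: Sequence[EkuSet], purpose: str) -> Optional[int]:
    """Index of the first certificate (0 = leaf) whose EKU blocks `purpose`,
    or None if the chain permits it.  Useful for explaining a rejection."""
    for index, eku in enumerate(chain):
        if not eku_permits(eku, purpose):
            return index
    return None


def effective_purposes(chain: Sequence[EkuSet], candidates: Set[str]) -> Set[str]:
    """The subset of `candidates` that the chain as a whole permits."""
    return {p for p in candidates if chain_permits(chain, p)}


if __name__ == "__main__":
    # Constructed sample: a leaf asserting both TLS purposes, issued by a
    # cross-signed intermediate whose EKU only lists serverAuth.
    sample_chain = [
        {SERVER_AUTH, CLIENT_AUTH},   # leaf
        {SERVER_AUTH},                # intermediate CA carrying an EKU
    ]
    for purpose in (SERVER_AUTH, CLIENT_AUTH):
        print(purpose, "permitted" if chain_permits(sample_chain, purpose)
              else f"blocked by certificate {first_blocking_cert(sample_chain, purpose)}")
```

Running the block shows serverAuth permitted and clientAuth blocked by certificate 1 (the intermediate), which is the interoperability effect the message describes: a CA certificate that carries an EKU narrows every certificate below it, even though the leaf on its own asserts the purpose.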