Re: [pkix] Managing Long-Lived CA certs
swilson@lockstep.com.au Tue, 18 July 2017 22:26 UTC
Date: Wed, 19 Jul 2017 08:26:09 +1000
From: swilson@lockstep.com.au
To: pkix@ietf.org
In-Reply-To: <1500391529591.47499@cs.auckland.ac.nz>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz> <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov> <1500387403338.42595@cs.auckland.ac.nz>, <a6c8cee5-2577-c680-c61e-d3fa819d31ea@nist.gov> <1500391529591.47499@cs.auckland.ac.nz>
Message-ID: <1500416769.24548519@apps.rackspace.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/DPZsYFWI9XfSsNX7wF1YQyUE77Y>
This is why we in PKI can't have nice things.

Cheers,
Steve.

Stephen Wilson
Managing Director
Lockstep Technologies
E: swilson@lockstep.com.au
M: +61 (0)414 488 851
W: http://lockstep.com.au
T: @steve_lockstep

Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy.

-----Original Message-----
From: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>
Sent: Wednesday, 19 July, 2017 1:25am
To: "David A. Cooper" <david.cooper@nist.gov>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Managing Long-Lived CA certs

David A. Cooper <david.cooper@nist.gov> writes:

>So, you intentionally delete the quote I provided from RFC 5280 saying that
>use of the private key usage period extension is "neither deprecated nor
>recommended" so that you can falsely claim that the "PKIX RFCs for the last
>twenty years" have said the same thing.

So you intentionally quibble over trivia in order to turn this into a long and pointlessly boring argument...

From drafts of 2459 around 20 years ago until 5280 the spec said you shouldn't use PKUP (3280 was even more strongly worded than the original 2459 text I cited, "This extension SHOULD NOT be used within the Internet PKI"), and then 5280 removed mention of it. The majority of the PKI implementations I'm aware of date from well before 5280, when the "don't use PKUP" was in force. That's why I pointed out that support for it in implementations could be hard to find.

Peter.
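The extension the thread argues about, privateKeyUsagePeriod (PKUP, OID 2.5.29.16), decoded and checked against a signing time, as an added example that is not code from the thread or from any project mentioned in it. The sample extension bytes are constructed here; the point Peter makes stands: since RFC 5280 neither deprecates nor recommends PKUP and most deployed validators predate it, a relying party should treat a check like this as an operational aid for the CA's own key management, not as something peers will enforce.

```python
# Added example, not code from the thread or from any project named in it.
# Decodes the privateKeyUsagePeriod (PKUP, OID 2.5.29.16) extension value that
# RFC 5280 neither deprecates nor recommends, then checks a signing time against it:
#   PrivateKeyUsagePeriod ::= SEQUENCE {
#       notBefore [0] IMPLICIT GeneralizedTime OPTIONAL,
#       notAfter  [1] IMPLICIT GeneralizedTime OPTIONAL }
from datetime import datetime, timezone

def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _generalized_time(raw):
    """DER GeneralizedTime: YYYYMMDDHHMMSSZ, always UTC, no fractional seconds."""
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_pkup(ext_value):
    """Return (notBefore, notAfter) as aware datetimes; a missing bound is None."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("PKUP value must be a SEQUENCE")
    not_before = not_after = None
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x80:                     # [0] IMPLICIT notBefore
            not_before = _generalized_time(val)
        elif tag == 0x81:                   # [1] IMPLICIT notAfter
            not_after = _generalized_time(val)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside PKUP")
    return not_before, not_after

def key_usable_at(ext_value, when_iso):
    """True if the UTC instant 'YYYY-MM-DDTHH:MM:SSZ' lies in the PKUP window (open if a bound is absent)."""
    when = datetime.strptime(when_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    not_before, not_after = parse_pkup(ext_value)
    if not_before is not None and when < not_before:
        return False
    return not_after is None or when <= not_after

# Constructed sample: a CA key meant to sign only from 2017-07-19 to 2022-07-19 UTC,
# even though the certificate itself might be valid for twenty years.
SAMPLE_PKUP = (bytes([0x30, 0x22, 0x80, 0x0F]) + b"20170719000000Z"
               + bytes([0x81, 0x0F]) + b"20220719000000Z")
```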