Re: [pkix] Private key usage period extension clarification
"Erik Andersen" <era@x500.eu> Tue, 10 May 2016 07:30 UTC
Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BB6E12D0C0 for <pkix@ietfa.amsl.com>; Tue, 10 May 2016 00:30:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.439
X-Spam-Level:
X-Spam-Status: No, score=-0.439 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_WEB=0.77, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9b3KBGj4qHV for <pkix@ietfa.amsl.com>; Tue, 10 May 2016 00:30:55 -0700 (PDT)
Received: from mail02.dandomain.dk (mail02.dandomain.dk [194.150.112.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F52B12B037 for <pkix@ietf.org>; Tue, 10 May 2016 00:30:54 -0700 (PDT)
Received: from Morten ([62.44.135.14]) by mail02.dandomain.dk (DanDomain Mailserver) with ASMTP id 2201605100930505581; Tue, 10 May 2016 09:30:50 +0200
From: Erik Andersen <era@x500.eu>
To: 'Directory list' <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
References: <003401d1a9c2$a7e00100$f7a00300$@x500.eu> <57304697.2040503@free.fr>
In-Reply-To: <57304697.2040503@free.fr>
Date: Tue, 10 May 2016 09:30:48 +0200
Message-ID: <000001d1aa8d$e1120420$a3360c60$@x500.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01D1AA9E.A49BE590"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQLTnraW7WgUiYrjxnmI8sdgoiT1vgFBessTnaPQHYA=
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/EsLquMq-6s9_zW0YIY5KXKduDRA>
Subject: Re: [pkix] Private key usage period extension clarification
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2016 07:30:58 -0000
Hi Denis, Thanks for your comments. I agree with your proposed NOTE 2. However, this note should not give the impression that it reflects the semantic for the extension. There are other usages of this extension as described in document (http://www.icao.int/publications/Documents/9303_p12_cons_en.pdf). Stefan also had some other example. You gave yourself also another example, so I still like to include my proposed note i addition. Regards, Erik Fra: Denis [mailto:denis.ietf@free.fr] Sendt: 09 May 2016 10:13 Til: Erik Andersen <era@x500.eu>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org> Emne: Re: [pkix] Private key usage period extension clarification Erik, I agree with the change proposals up to NOTE 1. However, I do not agree with the current NOTE 2 which states: NOTE 2 - If the verifier of a digital signature wants to check that the certificate has not been revoked, for example, due to key compromise, up to the time of verification, then a valid certificate will still exist for the public key at verification time. After the certificate(s) for a public key have expired, a signature verifier cannot rely on compromises being notified via CRLs. Erik's comment is: "It is difficult to tell what that note wants to say that is particular to this extension. Maybe the writer had some undocumented semantic in mind". I agree that the note is far from being crystal clear, but it is dealing with the verification of a digital signature before and after the expiry of the certificate. Denis's comment is: "Note 2 is trying to explain the verification of a digital signature before and after the expiry of the certificate. This has nothing to do with the private key usage period extension and thus it should be deleted". However, I would propose to replace it with a useful clarification. Replace NOTE 2 of 8.2.2.5 with: The period of use of the private key corresponding to a public key can only be enforced if both the private key and the corresponding certificate are placed in a tamper resistant hardware module that contains a reliable clock synchronized with UTC. When this is not the case, it can help a signer to avoid to use a signing private key up to the very end of the validity period of the certificate.
- [pkix] Private key usage period extension clarifi… Erik Andersen
- Re: [pkix] Private key usage period extension cla… Erik Andersen