Re: [pkix] Managing Long-Lived CA certs

"Erik Andersen" <era@x500.eu> Tue, 18 July 2017 06:00 UTC

From: Erik Andersen <era@x500.eu>
To: 'PKIX' <pkix@ietf.org>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org>, <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz>
In-Reply-To: <1500348690922.69356@cs.auckland.ac.nz>
Date: Tue, 18 Jul 2017 08:00:36 +0200
Message-ID: <001801d2ff8b$2cd3a2d0$867ae870$@x500.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/Jot8Up74SnUUv8dcPbL_VMxSxRM>
Subject: Re: [pkix] Managing Long-Lived CA certs

Hi Peter,

We live in a very changeable world. Today's implementations are junk
tomorrow.

If we are not allowed to do anything that is not supported by current
implementations, it is like trying to stop the world.

Erik

-----Original Message-----
From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
Sent: 18 July 2017 05:32
To: Erik Andersen <era@x500.eu>; PKIX <pkix@ietf.org>
Subject: Re: [pkix] Managing Long-Lived CA certs

Erik Andersen <era@x500.eu> writes:

>What about the private key usage period extension

That would be the obvious choice, but PKIX says you're not allowed to use
it. No reason given, you just can't. This would imply that support for it
in implementations is going to be hard to find...

Peter.
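The extension Erik asks about is privateKeyUsagePeriod (id-ce 16, OID 2.5.29.16), whose ASN.1 still appears in RFC 5280 Appendix A.2 even though the profile does not use it. The following is an added example, not code from either poster: a small stdlib-only Python encoder/decoder for the extension's DER value and the check a relying party would make, namely whether a signature's production time falls inside the key's usage window rather than inside the certificate's (much longer) validity period. The sample bytes (a key usable 2017-07-18 to 2022-07-18) are constructed for this example; the helper names are this example's own, not from any library.

```python
"""privateKeyUsagePeriod (OID 2.5.29.16) encoder, decoder and relying-party check.

ASN.1 (RFC 5280, Appendix A.2, IMPLICIT tagging):
    PrivateKeyUsagePeriod ::= SEQUENCE {
        notBefore  [0] GeneralizedTime OPTIONAL,
        notAfter   [1] GeneralizedTime OPTIONAL }
Because the tags are IMPLICIT, the wire carries context tags 0x80 / 0x81
in place of the universal GeneralizedTime tag 0x18.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SEQUENCE_TAG = 0x30
NOT_BEFORE_TAG = 0x80  # [0] IMPLICIT GeneralizedTime
NOT_AFTER_TAG = 0x81   # [1] IMPLICIT GeneralizedTime


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _encode_generalized_time(dt: datetime) -> bytes:
    # DER GeneralizedTime (RFC 5280 4.1.2.5.2): UTC, trailing 'Z', no fractional seconds.
    if dt.utcoffset() != timedelta(0):
        raise ValueError("GeneralizedTime must be an aware UTC datetime")
    return dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")


def _decode_generalized_time(raw: bytes) -> datetime:
    # Reject anything but the exact YYYYMMDDHHMMSSZ form DER requires.
    if len(raw) != 15 or raw[-1:] != b"Z":
        raise ValueError("non-DER GeneralizedTime: %r" % raw)
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _tlv(tag: int, value: bytes) -> bytes:
    # Short-form length only; a GeneralizedTime is 15 bytes, so the SEQUENCE is at most 34.
    if len(value) >= 0x80:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one short-form DER TLV at buf[pos:]; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length is not valid for this extension")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end


def encode_private_key_usage_period(not_before: Optional[datetime] = None,
                                    not_after: Optional[datetime] = None) -> bytes:
    """DER-encode the extension value; at least one bound must be present (the WITH COMPONENTS constraint)."""
    if not_before is None and not_after is None:
        raise ValueError("at least one of notBefore/notAfter must be present")
    body = b""
    if not_before is not None:
        body += _tlv(NOT_BEFORE_TAG, _encode_generalized_time(not_before))
    if not_after is not None:
        body += _tlv(NOT_AFTER_TAG, _encode_generalized_time(not_after))
    return _tlv(SEQUENCE_TAG, body)


def decode_private_key_usage_period(der: bytes) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Strict decoder: one SEQUENCE, fields in DER order, no duplicates, no trailing bytes."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    not_before = not_after = None
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == NOT_BEFORE_TAG and not_before is None and not_after is None:
            not_before = _decode_generalized_time(value)
        elif tag == NOT_AFTER_TAG and not_after is None:
            not_after = _decode_generalized_time(value)
        else:
            raise ValueError("unexpected, duplicate or out-of-order tag 0x%02x" % tag)
    if not_before is None and not_after is None:
        raise ValueError("empty PrivateKeyUsagePeriod")
    return not_before, not_after


def signing_time_in_period(der: bytes, signed_at: datetime) -> bool:
    """True iff a signature produced at signed_at lies inside the key's usage window.

    An absent bound is open on that side. Note this is a check on when the
    *private key* may sign, independent of the certificate's own validity."""
    not_before, not_after = decode_private_key_usage_period(der)
    if not_before is not None and signed_at < not_before:
        return False
    if not_after is not None and signed_at > not_after:
        return False
    return True


# Constructed sample (not taken from any real certificate): key may sign from
# 2017-07-18 to 2022-07-18 even if the CA certificate itself runs for decades.
SAMPLE_DER = (bytes([SEQUENCE_TAG, 0x22, NOT_BEFORE_TAG, 0x0F]) + b"20170718000000Z"
              + bytes([NOT_AFTER_TAG, 0x0F]) + b"20220718000000Z")

if __name__ == "__main__":
    print(decode_private_key_usage_period(SAMPLE_DER))
    print(signing_time_in_period(SAMPLE_DER, utc(2020, 1, 1)))  # inside the window
    print(signing_time_in_period(SAMPLE_DER, utc(2023, 1, 1)))  # after notAfter
```

The decoder is deliberately strict (short-form lengths, DER field order, exact 15-byte UTC GeneralizedTime) because an extension that is rarely implemented is exactly the place where lax parsers accept encodings nobody ever tested.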
