Re: [pkix] [Errata Held for Document Update] RFC4210 (5731)
Roman Danyliw <rdd@cert.org> Fri, 29 April 2022 20:36 UTC
Return-Path: <rdd@cert.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F00E4C1594B3; Fri, 29 Apr 2022 13:36:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKhCsbmLU_hr; Fri, 29 Apr 2022 13:36:33 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on072f.outbound.protection.office365.us [IPv6:2001:489a:2202:d::72f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1873BC1594B2; Fri, 29 Apr 2022 13:36:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=lCOLF5w3VrdZyN8HVKvukoB3aafprnTg2AU1nUFth5lWB3uH0flHaMOLd8JwqC7AisRDx3ZRPTYumrC0Rwc6MgIVyfJR4x7NCb1fcGGp8eswACOEP3KB5CgE+eiSxcXgLHZ/a/5FKVuqyR9RMFBNZve0qESf8GG6yvK1O8+NwQ/gGZE+puXQgQ9g0U4vftrIAQv6VvHuV8FUeMsKbKOrH6YqyhS8ldqm8t9GXTyKbVHUSw75GGRRBulM+V+USVHhyXII0fZQh0mnhSE4mkpEBls95JaBXr3Bjqd9aR05BJ9JqOnD5S4wmIdLfLxKNyzuyy8qwLFdA0bCzhNQEOCkOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eQ0sP3aXn7V9Fg3Onoypx5qQlQGecx6KlIKkJs0A6z8=; b=Jj/CkEyX4WX1Ektxd0oozboc/ZuGb/9+d4lc3YF2axUDIcuf/zq4rs0XygHClCUgwKFUH7CyULLfPXTpG68I+uwz0/oU07wkFliw6eu1S+HCoWfjT5E+d0YGnJgyZre+5AmysOD2yuuBfZwDcoJ/x6tvUALIgQSlU1MTobS6vP2FM+3swrEf+wLu6FBFn+0uM1Ei3g2UvscjvJEeDmfeidMU4/13SJK3voJlkklZOAhYyTreYntsYBy4CKRKPIhmP84vMvcHFgrmjEddk4BqXNsHoQlnRS2utA9I24jpr5z0qud2QZIjvAlwzVQtJEoxN430p7qOGSYoBXrKAGMOFQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eQ0sP3aXn7V9Fg3Onoypx5qQlQGecx6KlIKkJs0A6z8=; b=RcyZ/swKNL5UMRxmM2PVmO93wIyoqi4FfQa7uP316BJh2qSXZlRSQsajrGJn/72IguqdyMf+uBRUEMEcVO5pPfXvLJfgiosY3dtuv3B3440fU6sUXbF+no2O4iF9YEWxCYO9iB5r2DiUHbJwUdvos4OIfwpNs0PC+iJjCZ3PArM=
Received: from PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:174::12) by PH1P110MB1097.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:175::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.14; Fri, 29 Apr 2022 20:35:17 +0000
Received: from PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM ([fe80::b5e4:ae9e:26f6:5662]) by PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM ([fe80::b5e4:ae9e:26f6:5662%5]) with mapi id 15.20.5186.021; Fri, 29 Apr 2022 20:35:17 +0000
From: Roman Danyliw <rdd@cert.org>
To: Carlisle Adams <cadams@uottawa.ca>
CC: "iesg@ietf.org" <iesg@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "lijun.liao@gmail.com" <lijun.liao@gmail.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "toka@ssh.com" <toka@ssh.com>, "tmononen@safenet-inc.com" <tmononen@safenet-inc.com>
Thread-Topic: [Errata Held for Document Update] RFC4210 (5731)
Thread-Index: AQHYWdsXXkNl6kUDTke5KznCeskjEq0HTc+AgAAO27A=
Date: Fri, 29 Apr 2022 20:35:16 +0000
Message-ID: <PH1P110MB1116013A327E6DDCA4CC71E4DCFC9@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM>
References: <20220427020357.64990289F7@rfcpa.amsl.com> <YT3PR01MB535048623E6E731BB1B30A85A2FC9@YT3PR01MB5350.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YT3PR01MB535048623E6E731BB1B30A85A2FC9@YT3PR01MB5350.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bf4c35ba-65c3-4c86-8146-08da2a1fc566
x-ms-traffictypediagnostic: PH1P110MB1097:EE_
x-microsoft-antispam-prvs: <PH1P110MB10978624F1806C4DC9673F31DCFC9@PH1P110MB1097.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: p+rHgoyhdvOIbArzsiPgKfUASZoDpu/WsaYxWaCXB00X9ajpB0i3Mzty7Zel1kft7dr4L4HhZptJDltgXB9rWYJuuk4NOkESmD98udfTfpTO4NwOZsh+qpfFZHMuSioAlhvLDoC4ZBQbAEEkOph555DHYRCE7/5gLkEOLwFuJfM7xwesWn9RBcHv5l9vvY0VkOyK1RTlXPzW/8p1XnJ6xwhvMww/q03N+SkdEHbw5xU8wTDJdxhchyKKVzA3eVSXcJm5a3gU5yMRYJu1CBDLjuODdQxf2A0vlFyIS7MsDc4f8LpzBnRqZsz4B5oAn4u+D//ObXqS7d6ZOeNnkRGHUXQjsNVbJxq5WtO54Yznr1JmmeeQxrj+e+u9gss+397nTtHV9DM4CdBWo4UCcBE1HrTJaozylx95nobE9gdX4s1y9MRo7uK3ktr/EShiO7w7+Fx85Xc59FoBLcFFDOHgXfWeFjXLcBgHAXZqw0TQBdJ74ny4NR+qmIgdPD+Yx4KOrUcQVNFE7uEkWLVafjQLp7/Bc/o4HkeG6DRJxG0ATvndQcX+l51f0J4EOQJnHbp9bMimMYJfBMh0+8WVF9RDFVIkj638N8O9Np/de2y98m0DXoP9kgLVdjjHZr1UbxTzxbMPgTOwhKrVTKBZOtaX/O4pw+qganDT36whwZqUXmlmhfiZmQADHAEKEz8LYGg94uMLXN/TUKUkVwZiPpqC3Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(6916009)(966005)(66574015)(498600001)(86362001)(83380400001)(9686003)(26005)(2906002)(54906003)(33656002)(7696005)(4326008)(186003)(55016003)(15650500001)(6506007)(82960400001)(38070700005)(53546011)(38100700002)(122000001)(66556008)(66946007)(64756008)(66446008)(66476007)(8676002)(8936002)(52536014)(76116006)(71200400001)(166002)(5660300002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ajQRaSqcV68DhcwJ/eNJ7ezAEDIKPeCDrUUchC9LDMKpy7kVVs9sBW730doEnkbYCsUPTKzAAk/JpD9wH+E6L99+Wf3GzF/ZbYMUXDXK8j2Q2HdxOzSpQnQLw+DIElxRgyfNK0t42YmKpmmQq5BDAW0Fa0nPZJvytIDms8BE4f2xfiwIpc5RY9yC2plVRR5mVjo/3Zk+qyhdMb1+CMyOM0Gw5tVaadwtqk5ZZOzKSJc4E6ty5hXNX7/MywD7IemXtSiqxFs1+u8gcg5vZtLqb/MjEOhIq2HwLXWosp+w3OLbFCNKbyZg4uDVSLjCVylrUjNjboRqBpnd6XnhiapzwnavBSh2YkzJ4Xc89h0kjQaP2E44Fuw9ptH5HMXfeIbaja3LKfoOiit6xftr0sPZNvjpC0vJzk+maxO0L/3ZLUc=
Content-Type: multipart/alternative; boundary="_000_PH1P110MB1116013A327E6DDCA4CC71E4DCFC9PH1P110MB1116NAMP_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: bf4c35ba-65c3-4c86-8146-08da2a1fc566
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Apr 2022 20:35:16.9903 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH1P110MB1097
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/9Kn42mX239lFimcWZrMv5Udwm6Q>
Subject: Re: [pkix] [Errata Held for Document Update] RFC4210 (5731)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 20:36:37 -0000
Hi! Thanks for the feedback. I marked this “hold for document update” because action on this errata is being taken in Section 2.22 of https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-updates/ (an update to RFC4210). If the something needs to be refined now is a good time to do it since the document is in IETF Last Call. Regards, Roman From: iesg <iesg-bounces@ietf.org> On Behalf Of Carlisle Adams Sent: Friday, April 29, 2022 3:39 PM To: RFC Errata System <rfc-editor@rfc-editor.org>; lijun.liao@gmail.com; stephen.farrell@cs.tcd.ie; toka@ssh.com; tmononen@safenet-inc.com Cc: Roman Danyliw <rdd@cert.org>; iesg@ietf.org; pkix@ietf.org Subject: Re: [Errata Held for Document Update] RFC4210 (5731) Hi all, Thank you for this note, but I don't really see the problem. A CA can certainly have more than one certificate (in particular, one key pair and its corresponding certificate for signing EE certificates, and another key pair and its corresponding certificate for signing protocol messages). In all these certificates, "the name of the CA" will be the same, so there is no ambiguity if this name is in the recipient field of requests and in the sender field of responses. (Specifically, this does not imply that the certificate signing key must be used to also sign protocol message responses.) Note that there is a field called "extraCerts" where the CA can put the certificate for the public key required to verify protocol message signatures, if it wishes. Carlisle. ________________________________ From: RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>> Sent: April 26, 2022 10:03 PM To: lijun.liao@gmail.com<mailto:lijun.liao@gmail.com> <lijun.liao@gmail.com<mailto:lijun.liao@gmail.com>>; cadams@site.uottawa.ca<mailto:cadams@site.uottawa.ca> <cadams@site.uottawa.ca<mailto:cadams@site.uottawa.ca>>; stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie> <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>; toka@ssh.com<mailto:toka@ssh.com> <toka@ssh.com<mailto:toka@ssh.com>>; tmononen@safenet-inc.com<mailto:tmononen@safenet-inc.com> <tmononen@safenet-inc.com<mailto:tmononen@safenet-inc.com>> Cc: rdd@cert.org<mailto:rdd@cert.org> <rdd@cert.org<mailto:rdd@cert.org>>; iesg@ietf.org<mailto:iesg@ietf.org> <iesg@ietf.org<mailto:iesg@ietf.org>>; pkix@ietf.org<mailto:pkix@ietf.org> <pkix@ietf.org<mailto:pkix@ietf.org>>; rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org> <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>> Subject: [Errata Held for Document Update] RFC4210 (5731) Attention : courriel externe | external email The following errata report has been held for document update for RFC4210, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid5731 -------------------------------------- Status: Held for Document Update Type: Technical Reported by: Lijun Liao <lijun.liao@gmail.com<mailto:lijun.liao@gmail.com>> Date Reported: 2019-05-22 Held by: Roman Danyliw (IESG) Section: GLOBAL Original Text ------------- N/A Corrected Text -------------- N/A Notes ----- In appendixes D.4, D.5, E.5 and E.6, the recipient field of requests and the sender field of responses are specified as "the name of the CA". It is no problem for CA which signs the CMP response. However, as best practice, the CA's private key which is used to sign the certificates, is NOT RECOMMENDED to sign/decrypt the communication messages. In this case, another entity (private key + certificate) is used to decrypt the incoming messages and sign the outgoing ones. The text and comment for the fields "recipient" in requests and "sender" in responses need to be corrected to the case described above. If you think the original text and comment are correct, then we need instruction on how to handle this case. -------------------------------------- RFC4210 (draft-ietf-pkix-rfc2510bis-09) -------------------------------------- Title : Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP) Publication Date : September 2005 Author(s) : C. Adams, S. Farrell, T. Kause, T. Mononen Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Area : Security Stream : IETF Verifying Party : IESG
- [pkix] [Errata Held for Document Update] RFC4210 … RFC Errata System
- Re: [pkix] [Errata Held for Document Update] RFC4… Carlisle Adams
- Re: [pkix] [Errata Held for Document Update] RFC4… Roman Danyliw