IETF Logo Mail Archive

Re: [pkix] Next edition of X.509

Peter Bowen <pzbowen@gmail.com> Wed, 27 January 2016 12:05 UTC

Return-Path: <pzbowen@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15B5F1A878B for <pkix@ietfa.amsl.com>; Wed, 27 Jan 2016 04:05:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sn0nCeElRzkP for <pkix@ietfa.amsl.com>; Wed, 27 Jan 2016 04:05:22 -0800 (PST)
Received: from mail-pa0-x22e.google.com (mail-pa0-x22e.google.com [IPv6:2607:f8b0:400e:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A97921A8757 for <pkix@ietf.org>; Wed, 27 Jan 2016 04:05:22 -0800 (PST)
Received: by mail-pa0-x22e.google.com with SMTP id uo6so4021702pac.1 for <pkix@ietf.org>; Wed, 27 Jan 2016 04:05:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=8MNiJRU6PzQGyaLSSd2/1CDMxH/xV3kokl8YyfGfn5I=; b=HmMg4ldtwMLbGSwf8zERTL0Ox8x4Cu4/aryyJUUQKM+7CMjeoim7sJMNddIrpUAURo PYQ6YksKYAqcJwiI947LczP7ZMNFD+KDSWU/PPZRDNy4hapzfHb+pJFemrgQHtI5ezP8 aPTaNXiDhUL86i4xKRmysyJXnph1G9VNjTJrvLQJQkFU/ryMbbzJNixsnuFj2OvU2u+J NoJOoqunZVqs6gE6l4rNpfWR5UTnh7pI44WPx/hGeehQXn9HD0gid0xb2lEXL2BGSOii XYllC1LRO+qRy4hWsJ7d9HfWLPD2d8d+dXcI/ZwILrH98x1N65g6J8EC2gblYH310lJ3 /U7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=8MNiJRU6PzQGyaLSSd2/1CDMxH/xV3kokl8YyfGfn5I=; b=Sf9e2QM1krgSFQTRoXhQ5IWodEqA1YP/F3OJmnZj2p4vCJs9WQRUORcJlhHqqF+mvN pG83RH5/MUesmXVRclhd+T3csy5oEqZwPw0Y0TvPHx1oIekI2MbLBtgmaYWGX9XtgesM IHfA6UPP93nSAWrfo8OaSTBjcFtoeCSNIF7dbteCrv+1soJ6E7Q1nBc/aujG4Sz+vS/J pX13ncGt/43Gjlqn9PLJNBjaERpuBtWW43TtwwSOCGwlWGzQIUaYd36Vp7ompq9mMluA 4iLFV9KBIi5FAOL4z41aB8SYzbBggT2zE91fZEAkYGdPAmktw4IvHKftPZMRQIptdkon UDtg==
X-Gm-Message-State: AG10YOSE9rEitTh4uOgEKT1kY5o4Bm3XvETPojGU9coyVhGsvTHtgLyeIccLQYDYeS57guqTSrhNP3P+eGBV1g==
MIME-Version: 1.0
X-Received: by 10.66.100.163 with SMTP id ez3mr42063877pab.5.1453896322009; Wed, 27 Jan 2016 04:05:22 -0800 (PST)
Received: by 10.66.142.193 with HTTP; Wed, 27 Jan 2016 04:05:21 -0800 (PST)
In-Reply-To: <001001d158ee$38831330$a9893990$@x500.eu>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu> <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com> <001001d158ee$38831330$a9893990$@x500.eu>
Date: Wed, 27 Jan 2016 04:05:21 -0800
Message-ID: <CAK6vND_H00jUA+iu5L+g45Jr5dOgJ_rSJCfpgeJszdhisQvbMQ@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Erik Andersen <era@x500.eu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/LxOm8v9R5kfkz41qL-03cXzAibo>
Cc: Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 12:05:28 -0000

On Wed, Jan 27, 2016 at 2:33 AM, Erik Andersen <era@x500.eu> wrote:
> The second sentence in your proposal seems to imply that when a CA certificate has a certain extended key usage, then this extended key usage also applies for subsequent public-key certificates on certification path. Is that a right interpretation.

Yes, that is the right interpretation.  To further clarify, a
CA-certificate that includes an extKeyUsage extension containing the
anyExtendedKeyUsage key purpose is equivalent to a CA-certificate that
does not include an extKeyUsage extension.

> As to your first mail, it was my impression you were asking for the definition of new OIDs with associated semantics to cover restriction. Is that the case?

No.  There is no request to define new OIDs.  Rather the request is to
clarify (or redefine depending on your view) the meaning of the
extKeyUsage extension when present in a CA-certificate.

> The Chinese member body of SC6 is interested in a better algorithm for certificate validation to be added to X.509. I wonder whether your suggestion fits into that effort.

Without more details, I would assume it could.  Several code libraries
that implement portions of X.509 already interpret extKeyUsage as
described.

Thanks,
Peter


> -----Oprindelig meddelelse-----
> Fra: Peter Bowen [mailto:pzbowen@gmail.com]
> Sendt: 23 January 2016 13:44
> Til: Erik Andersen <era@x500.eu>
> Cc: Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>
> Emne: Re: [pkix] Next edition of X.509
>
> In 8.2.2.4, replace the first sentence with:
>
> The presence of this extension in an end-entity certificate indicates one or more purposes for which the certified public key may be used, in addition to, or in place of the basic purposes indicated in the key usage extension field. The presence of this extension in a certificate issued by one CA to another CA constrains the key purposes in subsequent certificates in a certification path.
>
> If there is support for this addition, then additions will also be needed in section 10 to include key purposes in the input, output, and processing.
>
> Thanks,
> Peter
>
> On Sat, Jan 23, 2016 at 2:19 AM, Erik Andersen <era@x500.eu> wrote:
>> Hi Peter,
>>
>> I would like to explore whether there is support for such an addition to X.509. Could I have your comments please?
>>
>> Regards,
>>
>> Erik
>>
>> -----Oprindelig meddelelse-----
>> Fra: Peter Bowen [mailto:pzbowen@gmail.com]
>> Sendt: 23 January 2016 02:50
>> Til: Erik Andersen <era@x500.eu>
>> Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Directory list
>> <x500standard@freelists.org>; PKIX <pkix@ietf.org>; WG15@iectc57.org
>> Emne: Re: [pkix] Next edition of X.509
>>
>> Erik,
>>
>> While I'm sure this is a contentious proposal, I would proposal that
>> X.509 add language allowing usage of Extended Key Usage for constraints, joining certificate policies, name constraints, basic constraints, etc.  Many widely deployed certificate path validation libraries already implement this even though it is unclear at best whether such is compliant with X.509 (10/2012).
>>
>> Thanks,
>> Peter
>>
>> On Mon, Dec 7, 2015 at 3:38 AM, Erik Andersen <era@x500.eu> wrote:
>>> Hi Stephen,
>>>
>>> I will collect any comment on any list. The goal is to get the best technical specification.
>>>
>>> Regards,
>>>
>>> Erik
>>>
>>> -----Oprindelig meddelelse-----
>>> Fra: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sendt: 07 December 2015 11:45
>>> Til: Erik Andersen <era@x500.eu>; Directory list
>>> <x500standard@freelists.org>; PKIX <pkix@ietf.org>
>>> Cc: WG15@iectc57.org
>>> Emne: Re: [pkix] Next edition of X.509
>>>
>>>
>>> Thank you Erik! Do I understand correctly that comments from this list that you get before February are useful and that sending comments to the pkix list works well enough for you?
>>>
>>> If so, great, and I'd ask folks who care about RFC5280 or other PKIX
>>> RFCs to please review this to check for any glitches that might
>>> affect interop should new code be written based on the ISO doc. I'm
>>> sure other comments are also welcome,
>>>
>>> Cheers,
>>> S.
>>>
>>> On 07/12/15 10:33, Erik Andersen wrote:
>>>> In preparation for the next edition of X.509 (the 2016 edition), I
>>>> have forwarded to the ISO/IEC JTC1/SC6 two documents for three months ballots:
>>>>
>>>>
>>>>
>>>> These two documents may be found as:
>>>>
>>>>
>>>>
>>>> 1.       http://www.x500standard.com/uploads/extensions/x509-pdam-amd2.pdf,
>>>> which is the 3rd PDAM text for an amendment to X.509.
>>>>
>>>> 2.       http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor2.pdf, which a
>>>> second draft technical corrigendum. This technical corrigendum is
>>>> based on a set of defects reports, which include the justification
>>>> for the changes. The Defect reports may be found on
>>>> http://www.x500standard.com/index.php?n=Ig.DefectReports.
>>>>
>>>>
>>>>
>>>> An early corrigendum has been approved within ISO and ITU-T and may
>>>> be found
>>>> as: http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor1.pdf.
>>>>
>>>>
>>>>
>>>> These three documents together with the seventh edition will provide
>>>> the input to the next edition of X.509. The different
>>>> X.recommendations, including X.509, may be found at
>>>> http://www.itu.int/rec/T-REC-X/e. This edition of X.509 is freely available in the PDF version.
>>>>
>>>>
>>>>
>>>> Those involved in  ISO/IEC JTC1/SC6 can, of course, submit ballot
>>>> comments on the two documents out for ballot. Others, which may have
>>>> comments on the these document, may post them on the lists and after
>>>> consolidation and consensus, they may be issued as ITU-T comments.
>>>>
>>>>
>>>>
>>>> It is important to check whether any of the suggested changes
>>>> affects running codes. If that is a case, it is a mistake.
>>>>
>>>>
>>>>
>>>> The intension behind the changes has been:
>>>>
>>>> 1.       A better separation between public-key certificates and attribute
>>>> certificates.
>>>>
>>>> 2.       Use of a consistent terminology.
>>>>
>>>> 3.       Use of a consistent editing style in accordance with the ITU-T
>>>> editing guidelines..
>>>>
>>>> 4.       A new PKI component called trust broker assists a relying party
>>>> validating a public-key certificate is included.
>>>>
>>>> 5.       IEC TC57 WG15 has identified a requirement for a feature first
>>>> called whitelist but now the term is authorization and validation
>>>> list is used. A proposal for such a feature is included in the amendment.
>>>>
>>>> The main goal has been to position X.509 for new challenges, such
>>>> smart grid security and security for Internet of Things with battery
>>>> driven devices, very short messages (can we put a 257 octets
>>>> signature on a few octets message?) , short reaction time
>>>> requirements, many millions of entities, etc. This is all very different from Web-based  systems.
>>>>
>>>> Kind regards,
>>>>
>>>> Erik
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> pkix mailing list
>>>> pkix@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/pkix
>>>>
>>>
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pkix
>>
>

v2.23.0 | Report a Bug | By Email