Re: [pkix] Managing Long-Lived CA certs

"David A. Cooper" <david.cooper@nist.gov> Tue, 18 July 2017 14:03 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz>
From: "David A. Cooper" <david.cooper@nist.gov>
CC: PKIX <pkix@ietf.org>
Message-ID: <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov>
Date: Tue, 18 Jul 2017 10:03:25 -0400
In-Reply-To: <1500348690922.69356@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/MeEzCirpUNTa_Q8P3UOZcpEyyVs>

Can you provide a citation for your claim that "PKIX says you're not allowed to use it. No reason given, you just can't."?

RFC 5280 says:
This specification obsoletes [RFC3280].  Differences from RFC 3280 are summarized below:

      * Section 4.2.1.4 in RFC 3280, which specified the
        privateKeyUsagePeriod certificate extension but deprecated its
        use, was removed.  Use of this ISO standard extension is neither
        deprecated nor recommended for use in the Internet PKI.

"Use of this ISO standard extension is neither deprecated nor recommended" doesn't sound like "you just can't" to me.

On 07/17/2017 11:31 PM, Peter Gutmann wrote:
> Erik Andersen <era@x500.eu> writes:
>
>> What about the private key usage period extension
>
> That would be the obvious choice, but PKIX says you're not allowed to use it.
> No reason given, you just can't.  This would imply that support for it in
> implementations is going to be hard to find...
>
> Peter.
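As an added illustration of the extension the thread is arguing about (example code, not part of the list discussion), here is a minimal decoder for the privateKeyUsagePeriod extension value as RFC 3280 section 4.2.1.4 defined it, with a check of a signing time against the period; the OID and ASN.1 come from RFC 3280, and the sample DER bytes are constructed.

```python
# Decoder for the privateKeyUsagePeriod extension (id-ce 16, OID 2.5.29.16) as RFC 3280
# section 4.2.1.4 defined it; RFC 5280 removed that section.  ASN.1 (tags are IMPLICIT,
# so DER carries them as context tags 0x80 / 0x81):
#   PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime OPTIONAL,
#                                        notAfter  [1] GeneralizedTime OPTIONAL }
from datetime import datetime, timezone


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER element; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _generalized_time(raw: bytes) -> datetime:
    # DER restricts GeneralizedTime to YYYYMMDDHHMMSSZ (UTC, whole seconds).
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_private_key_usage_period(ext_value: bytes):
    """Parse the extnValue OCTET STRING contents into (notBefore, notAfter); None = unbounded."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyUsagePeriod must be a SEQUENCE")
    not_before = not_after = None
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x80:
            not_before = _generalized_time(value)
        elif tag == 0x81:
            not_after = _generalized_time(value)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PrivateKeyUsagePeriod")
    if not_before is None and not_after is None:
        raise ValueError("at least one of notBefore/notAfter must be present")
    return not_before, not_after


def key_usable_at(ext_value: bytes, when: datetime) -> bool:
    """True if `when` (tz-aware) lies within the private key usage period."""
    not_before, not_after = parse_private_key_usage_period(ext_value)
    return (not_before is None or when >= not_before) and (not_after is None or when <= not_after)


# Constructed sample extnValue: notBefore 2017-01-01T00:00:00Z, notAfter 2019-12-31T23:59:59Z.
SAMPLE_EXT_VALUE = (bytes([0x30, 0x22, 0x80, 0x0F]) + b"20170101000000Z"
                    + bytes([0x81, 0x0F]) + b"20191231235959Z")
```

Since RFC 5280 no longer defines the extension, a validator conforming to it need not recognize it, and RFC 5280 section 4.2 requires rejection of a certificate carrying an unrecognized critical extension; a CA that uses it therefore carries it non-critical.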