Re: [pkix] Managing Long-Lived CA certs

"David A. Cooper" <david.cooper@nist.gov> Tue, 18 July 2017 14:27 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz> <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov> <1500387403338.42595@cs.auckland.ac.nz>
From: "David A. Cooper" <david.cooper@nist.gov>
CC: "pkix@ietf.org" <pkix@ietf.org>
Message-ID: <a6c8cee5-2577-c680-c61e-d3fa819d31ea@nist.gov>
Date: Tue, 18 Jul 2017 10:27:08 -0400
In-Reply-To: <1500387403338.42595@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/ND0QJP74_xLFFOJudhNqAYQQ8n0>
Subject: Re: [pkix] Managing Long-Lived CA certs

So, you intentionally delete the quote I provided from RFC 5280 saying 
that use of the private key usage period extension is "neither 
deprecated nor recommended" so that you can falsely claim that the "PKIX 
RFCs for the last twenty years" have said the same thing.

So, you are trying to claim that "the PKIX RFCs for the last twenty 
years" have said something, even though you know that RFC 5280, which is 
9 years old, doesn't say that.

In addition, even the text you quote doesn't support your claim that 
"PKIX says you're not allowed to use it." Before May 2008, PKIX said 
that you're not allowed to mark the extension as critical, which is not 
the same as "not allowed to use it." While PKIX previously recommended 
against the use of the extension, it has not done so for the past 9 years.

On 07/18/2017 10:16 AM, Peter Gutmann wrote:
> David A. Cooper <david.cooper@nist.gov> writes:
>
>> Can you provide a citation for your claim that "PKIX says you're not allowed
>> to use it. No reason given, you just can't."?
> Um, the PKIX RFCs for the last twenty years, starting with 2459:
>
>     4.2.1.4  Private Key Usage Period
>
>     This profile recommends against the use of this extension.  CAs
>     conforming to this profile MUST NOT generate certificates with
>     critical private key usage period extensions.
>
> Peter.
>
>
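The disagreement above turns on one concrete rule that both sides agree existed in RFC 2459 and RFC 3280: a CA MUST NOT mark the private key usage period extension (id-ce 16, OID 2.5.29.16) critical. The following Python is an added example, not code from this thread or from either correspondent. It hand-encodes that extension in DER (the PrivateKeyUsagePeriod SEQUENCE with IMPLICIT [0] notBefore and [1] notAfter GeneralizedTime values, wrapped in the standard Extension structure), then runs a conformance check that reports the critical flag and an inverted period. The dates are constructed sample values; the only external fact assumed is the extension's OID.

```python
"""Encode and lint an X.509 PrivateKeyUsagePeriod extension (added example)."""
import datetime

OID_PRIVATE_KEY_USAGE_PERIOD = "2.5.29.16"  # id-ce 16


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_pkup_extension(not_before, not_after, critical):
    """Build Extension { extnID, critical, extnValue } for PrivateKeyUsagePeriod."""
    fmt = "%Y%m%d%H%M%SZ"  # GeneralizedTime, UTC, no fractional seconds
    period = _tlv(0x80, not_before.strftime(fmt).encode())  # [0] IMPLICIT
    period += _tlv(0x81, not_after.strftime(fmt).encode())  # [1] IMPLICIT
    value = _tlv(0x30, period)  # PrivateKeyUsagePeriod ::= SEQUENCE
    ext = encode_oid(OID_PRIVATE_KEY_USAGE_PERIOD)
    if critical:  # DER omits BOOLEAN DEFAULT FALSE, so only TRUE is encoded
        ext += b"\x01\x01\xff"
    ext += _tlv(0x04, value)  # extnValue OCTET STRING
    return _tlv(0x30, ext)


def _read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_extension(der):
    """Split one Extension into (oid, critical, extnValue contents)."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(body)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, nxt, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN critical
        critical = nxt != b"\x00"
        tag, nxt, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, nxt


def parse_pkup(value):
    """Decode PrivateKeyUsagePeriod into (notBefore, notAfter); either may be None."""
    tag, body, _ = _read_tlv(value)
    if tag != 0x30:
        raise ValueError("PrivateKeyUsagePeriod must be a SEQUENCE")
    not_before = not_after = None
    pos = 0
    while pos < len(body):
        tag, t, pos = _read_tlv(body, pos)
        when = datetime.datetime.strptime(t.decode(), "%Y%m%d%H%M%SZ")
        if tag == 0x80:
            not_before = when
        elif tag == 0x81:
            not_after = when
    return not_before, not_after


def check_private_key_usage_period(ext_der):
    """Return a list of findings for one extension; an empty list means no issue."""
    oid, critical, value = parse_extension(ext_der)
    if oid != OID_PRIVATE_KEY_USAGE_PERIOD:
        return []
    findings = []
    if critical:
        findings.append("PrivateKeyUsagePeriod is marked critical "
                        "(RFC 2459/3280 section 4.2.1.4: MUST NOT)")
    not_before, not_after = parse_pkup(value)
    if not_before and not_after and not_before >= not_after:
        findings.append("notBefore is not earlier than notAfter")
    return findings


# Constructed sample values, not taken from any real certificate.
NOT_BEFORE = datetime.datetime(2017, 7, 18, 0, 0, 0)
NOT_AFTER = datetime.datetime(2019, 7, 18, 0, 0, 0)
NONCRITICAL_EXT = encode_pkup_extension(NOT_BEFORE, NOT_AFTER, critical=False)
CRITICAL_EXT = encode_pkup_extension(NOT_BEFORE, NOT_AFTER, critical=True)

if __name__ == "__main__":
    for label, ext in (("non-critical", NONCRITICAL_EXT), ("critical", CRITICAL_EXT)):
        print(label, ext.hex(), check_private_key_usage_period(ext) or "ok")
```

The checker takes a single DER-encoded Extension; to lint a whole certificate, walk the TBSCertificate's extensions SEQUENCE with `_read_tlv` and feed each element to `check_private_key_usage_period`. Relying parties that reject unknown critical extensions are exactly why the critical flag matters here: a critical PrivateKeyUsagePeriod would make the certificate unusable for any verifier that does not implement the extension.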