[pkix] Re: [Technical Errata Reported] RFC5280 (8789)
Paul Hoffman <phoffman@proper.com> Tue, 03 March 2026 19:44 UTC
On 3 Mar 2026, at 11:32, Tim Hollebeek wrote:

> I think it should be rejected as well. I actually have lots of strong feelings on this issue, but the original text is not wrong.

So, some people think it is a comment and thus just editorial, others think it is technical but wrong. We have a long history of people reading 5280 and 3280 literally, including the comments, particularly comments about key usage. To me, the fact that those arguments exist among readers indicates that the comments are in fact part of the spec.

We also know that many CAs will write certificates with id-kp-serverAuth that are not intended for the (undefined) WWW.

--Paul Hoffman