IETF Logo Mail Archive

Re: [pkix] Next edition of X.509

"Santosh Chokhani" <santosh.chokhani@gmail.com> Sat, 23 January 2016 23:55 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95C541B2BEE for <pkix@ietfa.amsl.com>; Sat, 23 Jan 2016 15:55:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06QKg8-QJ1fm for <pkix@ietfa.amsl.com>; Sat, 23 Jan 2016 15:55:04 -0800 (PST)
Received: from mail-pf0-x22b.google.com (mail-pf0-x22b.google.com [IPv6:2607:f8b0:400e:c00::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 542A71B2BEA for <pkix@ietf.org>; Sat, 23 Jan 2016 15:55:04 -0800 (PST)
Received: by mail-pf0-x22b.google.com with SMTP id 65so61777868pff.2 for <pkix@ietf.org>; Sat, 23 Jan 2016 15:55:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:thread-index:content-language; bh=5AGaYFhAEaA3etjW3npaCCkSZsBtZBeXzu2IMlyM7+g=; b=hZ5tbyBour2RC2mLRVEzQ+VXMQVL16nIKwvCB/qr7aSJo16zqwHbTL5wU2EFtodqCH TDvkwmU6m7FKq6zmwAg0SDmv9ILsBDgeuZdyRRNF0qoEEnr9lXs+2OKOenaOqSPMFT1M J81R0iVB4eJ/ChIvpD/sWMp+ePyaWyqH5FvQWgrwlokTl+uT10dmy8t1N8Q0RwEnGLxZ n7b06bVKY6E5jcZ7R0F5cWsHUTuzoov02WTEyYKZIXu/j73RTdB4wAmu8qWVPozYnkQ5 5Lb1XuhYsH4oowIoMfUxhEiWdQibHZwojEkJrc6LtuIw3fshMk8puqSik3h84bVEhfU8 S4bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:thread-index:content-language; bh=5AGaYFhAEaA3etjW3npaCCkSZsBtZBeXzu2IMlyM7+g=; b=DyBYh1EAB5BaHxQEOA16yTJ0MsFiOVPpcPmq5yZgLOjz5TI2lw1KGaKbD8K2wEbJuN vzp4D4RALHTFe4ha04yEgX2QtOttQ9kjzLznq3i12yOL1P8zajpkj6Q4mBlvrfrob+9s OIiY6kjzw49BaazrISezdVAy3sX6BK8M5cjHifST8oij5XKihauIC3JOQvCY33Cuy+OR e1o1oQ617fFq5TGuMbvOx8Q4e9ajlWRP1n/wt2buDbK0O6o2Cy28Ws+l/NXMshtxKBMm 8KoyNxRe5aPsU4AJTgqF/oSyzp1BDPX9HqtCbEZFpr/M6vkJi9sQ3+KoqTQ20yrgAvnQ ndMA==
X-Gm-Message-State: AG10YOShI9FtiBeYm+WlvfVE+wu0hxwtdSdTOpxmcIyw5BXncdTXTDSdPeqqp9BXAcAjog==
X-Received: by 10.98.89.139 with SMTP id k11mr15458412pfj.82.1453593303979; Sat, 23 Jan 2016 15:55:03 -0800 (PST)
Received: from SantoshBrain ([27.5.106.227]) by smtp.gmail.com with ESMTPSA id 73sm18652429pfp.50.2016.01.23.15.55.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 23 Jan 2016 15:55:03 -0800 (PST)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Erwann Abalea' <eabalea@gmail.com>, 'Peter Bowen' <pzbowen@gmail.com>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu> <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com> <CA+i=0E4d_KKjMmMQ3q=VWRA4iU3=HR2RffE1-P5Xc8aG+VWcGw@mail.gmail.com>
In-Reply-To: <CA+i=0E4d_KKjMmMQ3q=VWRA4iU3=HR2RffE1-P5Xc8aG+VWcGw@mail.gmail.com>
Date: Sat, 23 Jan 2016 18:54:59 -0500
Message-ID: <052f01d15639$79fa33a0$6dee9ae0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0530_01D1560F.9125D950"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIVSzUXZpx0TCzS4mpo4m9SkbHUeQJEdeqNAqiykAAB5gd5AgKSQWGxAf+4FlUBv3gY9Z4YtUHQ
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Q3BlLSPyk0Qv2xmDDjnuoGTkngM>
Cc: 'Directory list' <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 23:55:07 -0000

What do you mean by not working?

 

If one assumes that absence of EKU makes a certificate unconstrained, does this not work?

 

May be you mean OCSP clients do not enforce EKU for the path.

 

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erwann Abalea
Sent: Saturday, January 23, 2016 6:43 PM
To: Peter Bowen <pzbowen@gmail.com>
Cc: Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509

 

It doesn't work with designated OCSP responder certificates, unless you introduce an exception for this particular extended key usage.

 

2016-01-23 13:44 GMT+01:00 Peter Bowen <pzbowen@gmail.com <mailto:pzbowen@gmail.com> >:

In 8.2.2.4, replace the first sentence with:

The presence of this extension in an end-entity certificate indicates
one or more purposes for which the certified public key may be used,
in addition to, or in place of the basic purposes indicated in the key
usage extension field. The presence of this extension in a certificate
issued by one CA to another CA constrains the key purposes in
subsequent certificates in a certification path.

If there is support for this addition, then additions will also be
needed in section 10 to include key purposes in the input, output, and
processing.

Thanks,
Peter


On Sat, Jan 23, 2016 at 2:19 AM, Erik Andersen <era@x500.eu <mailto:era@x500.eu> > wrote:
> Hi Peter,
>
> I would like to explore whether there is support for such an addition to X.509. Could I have your comments please?
>
> Regards,
>
> Erik
>
> -----Oprindelig meddelelse-----
> Fra: Peter Bowen [mailto:pzbowen@gmail.com <mailto:pzbowen@gmail.com> ]
> Sendt: 23 January 2016 02:50
> Til: Erik Andersen <era@x500.eu <mailto:era@x500.eu> >
> Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie> >; Directory list <x500standard@freelists.org <mailto:x500standard@freelists.org> >; PKIX <pkix@ietf.org <mailto:pkix@ietf.org> >; WG15@iectc57.org <mailto:WG15@iectc57.org> 
> Emne: Re: [pkix] Next edition of X.509
>
> Erik,
>
> While I'm sure this is a contentious proposal, I would proposal that
> X.509 add language allowing usage of Extended Key Usage for constraints, joining certificate policies, name constraints, basic constraints, etc.  Many widely deployed certificate path validation libraries already implement this even though it is unclear at best whether such is compliant with X.509 (10/2012).
>
> Thanks,
> Peter
>
> On Mon, Dec 7, 2015 at 3:38 AM, Erik Andersen <era@x500.eu <mailto:era@x500.eu> > wrote:
>> Hi Stephen,
>>
>> I will collect any comment on any list. The goal is to get the best technical specification.
>>
>> Regards,
>>
>> Erik
>>
>> -----Oprindelig meddelelse-----
>> Fra: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie> ]
>> Sendt: 07 December 2015 11:45
>> Til: Erik Andersen <era@x500.eu <mailto:era@x500.eu> >; Directory list
>> <x500standard@freelists.org <mailto:x500standard@freelists.org> >; PKIX <pkix@ietf.org <mailto:pkix@ietf.org> >
>> Cc: WG15@iectc57.org <mailto:WG15@iectc57.org> 
>> Emne: Re: [pkix] Next edition of X.509
>>
>>
>> Thank you Erik! Do I understand correctly that comments from this list that you get before February are useful and that sending comments to the pkix list works well enough for you?
>>
>> If so, great, and I'd ask folks who care about RFC5280 or other PKIX
>> RFCs to please review this to check for any glitches that might affect
>> interop should new code be written based on the ISO doc. I'm sure
>> other comments are also welcome,
>>
>> Cheers,
>> S.
>>
>> On 07/12/15 10:33, Erik Andersen wrote:
>>> In preparation for the next edition of X.509 (the 2016 edition), I
>>> have forwarded to the ISO/IEC JTC1/SC6 two documents for three months ballots:
>>>
>>>
>>>
>>> These two documents may be found as:
>>>
>>>
>>>
>>> 1.       http://www.x500standard.com/uploads/extensions/x509-pdam-amd2.pdf,
>>> which is the 3rd PDAM text for an amendment to X.509.
>>>
>>> 2.       http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor2.pdf, which a
>>> second draft technical corrigendum. This technical corrigendum is
>>> based on a set of defects reports, which include the justification
>>> for the changes. The Defect reports may be found on
>>> http://www.x500standard.com/index.php?n=Ig.DefectReports.
>>>
>>>
>>>
>>> An early corrigendum has been approved within ISO and ITU-T and may
>>> be found
>>> as: http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor1.pdf.
>>>
>>>
>>>
>>> These three documents together with the seventh edition will provide
>>> the input to the next edition of X.509. The different
>>> X.recommendations, including X.509, may be found at
>>> http://www.itu.int/rec/T-REC-X/e. This edition of X.509 is freely available in the PDF version.
>>>
>>>
>>>
>>> Those involved in  ISO/IEC JTC1/SC6 can, of course, submit ballot
>>> comments on the two documents out for ballot. Others, which may have
>>> comments on the these document, may post them on the lists and after
>>> consolidation and consensus, they may be issued as ITU-T comments.
>>>
>>>
>>>
>>> It is important to check whether any of the suggested changes affects
>>> running codes. If that is a case, it is a mistake.
>>>
>>>
>>>
>>> The intension behind the changes has been:
>>>
>>> 1.       A better separation between public-key certificates and attribute
>>> certificates.
>>>
>>> 2.       Use of a consistent terminology.
>>>
>>> 3.       Use of a consistent editing style in accordance with the ITU-T
>>> editing guidelines..
>>>
>>> 4.       A new PKI component called trust broker assists a relying party
>>> validating a public-key certificate is included.
>>>
>>> 5.       IEC TC57 WG15 has identified a requirement for a feature first
>>> called whitelist but now the term is authorization and validation
>>> list is used. A proposal for such a feature is included in the amendment.
>>>
>>> The main goal has been to position X.509 for new challenges, such
>>> smart grid security and security for Internet of Things with battery
>>> driven devices, very short messages (can we put a 257 octets
>>> signature on a few octets message?) , short reaction time
>>> requirements, many millions of entities, etc. This is all very different from Web-based  systems.
>>>
>>> Kind regards,
>>>
>>> Erik
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org <mailto:pkix@ietf.org> 
>>> https://www.ietf.org/mailman/listinfo/pkix
>>>
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org <mailto:pkix@ietf.org> 
>> https://www.ietf.org/mailman/listinfo/pkix
>

_______________________________________________
pkix mailing list
pkix@ietf.org <mailto:pkix@ietf.org> 
https://www.ietf.org/mailman/listinfo/pkix





 

-- 

Erwann.

v2.23.0 | Report a Bug | By Email