Re: [pkix] Next edition of X.509
Erwann Abalea <eabalea@gmail.com> Sat, 23 January 2016 23:43 UTC
Date: Sun, 24 Jan 2016 00:43:01 +0100
Message-ID: <CA+i=0E4d_KKjMmMQ3q=VWRA4iU3=HR2RffE1-P5Xc8aG+VWcGw@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/SeX_T_IZsh0x-hq7Dzool_Zzw_U>
Cc: Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
It doesn't work with designated OCSP responder certificates, unless you
introduce an exception for this particular extended key usage.

2016-01-23 13:44 GMT+01:00 Peter Bowen <pzbowen@gmail.com>:
> In 8.2.2.4, replace the first sentence with:
>
> The presence of this extension in an end-entity certificate indicates
> one or more purposes for which the certified public key may be used,
> in addition to, or in place of the basic purposes indicated in the key
> usage extension field. The presence of this extension in a certificate
> issued by one CA to another CA constrains the key purposes in
> subsequent certificates in a certification path.
>
> If there is support for this addition, then additions will also be
> needed in section 10 to include key purposes in the input, output, and
> processing.
>
> Thanks,
> Peter
>
> On Sat, Jan 23, 2016 at 2:19 AM, Erik Andersen <era@x500.eu> wrote:
> > Hi Peter,
> >
> > I would like to explore whether there is support for such an addition to
> > X.509. Could I have your comments please?
> >
> > Regards,
> >
> > Erik
> >
> > -----Original message-----
> > From: Peter Bowen [mailto:pzbowen@gmail.com]
> > Sent: 23 January 2016 02:50
> > To: Erik Andersen <era@x500.eu>
> > Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>; WG15@iectc57.org
> > Subject: Re: [pkix] Next edition of X.509
> >
> > Erik,
> >
> > While I'm sure this is a contentious proposal, I would propose that
> > X.509 add language allowing usage of Extended Key Usage for constraints,
> > joining certificate policies, name constraints, basic constraints, etc.
> > Many widely deployed certificate path validation libraries already
> > implement this even though it is unclear at best whether such is compliant
> > with X.509 (10/2012).
> >
> > Thanks,
> > Peter
> >
> > On Mon, Dec 7, 2015 at 3:38 AM, Erik Andersen <era@x500.eu> wrote:
> >> Hi Stephen,
> >>
> >> I will collect any comment on any list. The goal is to get the best
> >> technical specification.
> >>
> >> Regards,
> >>
> >> Erik
> >>
> >> -----Original message-----
> >> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> >> Sent: 07 December 2015 11:45
> >> To: Erik Andersen <era@x500.eu>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>
> >> Cc: WG15@iectc57.org
> >> Subject: Re: [pkix] Next edition of X.509
> >>
> >> Thank you Erik! Do I understand correctly that comments from this list
> >> that you get before February are useful and that sending comments to the
> >> pkix list works well enough for you?
> >>
> >> If so, great, and I'd ask folks who care about RFC5280 or other PKIX
> >> RFCs to please review this to check for any glitches that might affect
> >> interop should new code be written based on the ISO doc. I'm sure
> >> other comments are also welcome.
> >>
> >> Cheers,
> >> S.
> >>
> >> On 07/12/15 10:33, Erik Andersen wrote:
> >>> In preparation for the next edition of X.509 (the 2016 edition), I
> >>> have forwarded to the ISO/IEC JTC1/SC6 two documents for three months
> >>> ballots:
> >>>
> >>> These two documents may be found as:
> >>>
> >>> 1. http://www.x500standard.com/uploads/extensions/x509-pdam-amd2.pdf,
> >>> which is the 3rd PDAM text for an amendment to X.509.
> >>>
> >>> 2. http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor2.pdf, which is a
> >>> second draft technical corrigendum. This technical corrigendum is
> >>> based on a set of defect reports, which include the justification
> >>> for the changes. The defect reports may be found on
> >>> http://www.x500standard.com/index.php?n=Ig.DefectReports.
> >>>
> >>> An early corrigendum has been approved within ISO and ITU-T and may
> >>> be found as: http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor1.pdf.
> >>>
> >>> These three documents together with the seventh edition will provide
> >>> the input to the next edition of X.509. The different
> >>> X.recommendations, including X.509, may be found at
> >>> http://www.itu.int/rec/T-REC-X/e. This edition of X.509 is freely
> >>> available in the PDF version.
> >>>
> >>> Those involved in ISO/IEC JTC1/SC6 can, of course, submit ballot
> >>> comments on the two documents out for ballot. Others, who may have
> >>> comments on these documents, may post them on the lists and after
> >>> consolidation and consensus, they may be issued as ITU-T comments.
> >>>
> >>> It is important to check whether any of the suggested changes affects
> >>> running code. If that is the case, it is a mistake.
> >>>
> >>> The intention behind the changes has been:
> >>>
> >>> 1. A better separation between public-key certificates and attribute
> >>> certificates.
> >>>
> >>> 2. Use of a consistent terminology.
> >>>
> >>> 3. Use of a consistent editing style in accordance with the ITU-T
> >>> editing guidelines.
> >>>
> >>> 4. A new PKI component called trust broker, which assists a relying
> >>> party in validating a public-key certificate, is included.
> >>>
> >>> 5. IEC TC57 WG15 has identified a requirement for a feature first
> >>> called whitelist, but now the term authorization and validation
> >>> list is used. A proposal for such a feature is included in the
> >>> amendment.
> >>>
> >>> The main goal has been to position X.509 for new challenges, such as
> >>> smart grid security and security for Internet of Things with battery
> >>> driven devices, very short messages (can we put a 257 octets
> >>> signature on a few octets message?), short reaction time
> >>> requirements, many millions of entities, etc. This is all very
> >>> different from Web-based systems.
> >>>
> >>> Kind regards,
> >>>
> >>> Erik
> >>>
> >>> _______________________________________________
> >>> pkix mailing list
> >>> pkix@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/pkix

--
Erwann.
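The point of the exchange above, as an added example that is not part of the thread or of any X.509 text: a small path-validation routine in which a CA certificate's extended key usage narrows the purposes permitted below it (the constraint semantics Peter proposes for 8.2.2.4), run against a delegated OCSP responder certificate to show why Erwann says the rule needs an exception for id-kp-OCSPSigning. The certificate records, subject names and chains are constructed for illustration, and the way the exception is written (OCSP signing checked on the end-entity only, not against the CA-derived constraint) is an assumption, not wording from the thread.

```python
"""Added example, not from the thread: extended key usage (EKU) applied as a
certification-path constraint, plus the exception for designated OCSP
responder certificates.  Certificates are modelled as plain records; the
subjects and chains below are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Key-purpose OIDs as registered in RFC 5280 and RFC 6960.
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    subject: str
    is_ca: bool
    # None models an absent extension, which places no restriction on the
    # certified key; anyExtendedKeyUsage is treated the same way here.
    eku: Optional[FrozenSet[str]] = None

    def unrestricted(self) -> bool:
        return self.eku is None or ANY_EKU in self.eku


def validate_purpose(path: List[Cert], purpose: str,
                     ocsp_exception: bool = False) -> Tuple[bool, str]:
    """Decide whether `purpose` is permitted for the end-entity at the end of
    `path`, which lists certificates from the one issued by the trust anchor
    down to the end-entity.  CA certificates carrying an EKU narrow the set
    of purposes allowed beneath them (the proposed constraint semantics).
    With `ocsp_exception` set, id-kp-OCSPSigning is checked on the
    end-entity only and not against the CA-derived constraint; that is an
    assumption about how such an exception would be written."""
    allowed: Optional[FrozenSet[str]] = None   # None: nothing narrowed yet
    for ca in path[:-1]:
        if not ca.is_ca:
            return False, f"{ca.subject} is not a CA certificate"
        if ca.unrestricted():
            continue
        allowed = ca.eku if allowed is None else allowed & ca.eku
        if not allowed:
            return False, f"EKU constraint empty after {ca.subject}"
    ee = path[-1]
    if not ee.unrestricted() and purpose not in ee.eku:
        return False, f"{ee.subject} does not assert purpose {purpose}"
    if purpose == OCSP_SIGNING and ocsp_exception:
        return True, "OCSP signing exempt from EKU chaining"
    if allowed is not None and purpose not in allowed:
        return False, f"purpose {purpose} not permitted by CA EKU constraint"
    return True, "purpose permitted"


# Constructed sample certificates, all imagined to sit under one root.
TLS_ISSUING_CA = Cert("Example TLS Issuing CA", True,
                      frozenset({SERVER_AUTH, CLIENT_AUTH}))
WEB_SERVER = Cert("www.example.test", False, frozenset({SERVER_AUTH}))
OCSP_RESPONDER = Cert("Example OCSP Responder", False,
                      frozenset({OCSP_SIGNING}))
UNCONSTRAINED_CA = Cert("Example General CA", True)   # no EKU extension

TLS_CHAIN = [TLS_ISSUING_CA, WEB_SERVER]
OCSP_CHAIN = [TLS_ISSUING_CA, OCSP_RESPONDER]          # responder for that CA
UNCONSTRAINED_OCSP_CHAIN = [UNCONSTRAINED_CA, OCSP_RESPONDER]

if __name__ == "__main__":
    cases = [
        ("TLS server cert, serverAuth", TLS_CHAIN, SERVER_AUTH, False),
        ("delegated responder, strict chaining", OCSP_CHAIN, OCSP_SIGNING, False),
        ("delegated responder, with exception", OCSP_CHAIN, OCSP_SIGNING, True),
        ("responder under CA without EKU", UNCONSTRAINED_OCSP_CHAIN,
         OCSP_SIGNING, False),
    ]
    for label, chain, purpose, exc in cases:
        ok, why = validate_purpose(chain, purpose, exc)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({why})")
```

The second case is the one Erwann describes: a CA whose own certificate lists only serverAuth and clientAuth issues its delegated OCSP responder certificate, and a validator that chains EKU strictly rejects the responder even though RFC 6960 requires exactly this arrangement. The third case shows the shape of the exception, and the fourth shows that a CA certificate without an EKU extension imposes no constraint at all, which is why many deployed chains never trip over the rule.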