IETF Logo Mail Archive

Re: [pkix] [Technical Errata Reported] RFC5280 (7164)

"David A. Cooper" <david.cooper@nist.gov> Mon, 17 October 2022 15:57 UTC

Return-Path: <david.cooper@nist.gov>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D566C15271B for <pkix@ietfa.amsl.com>; Mon, 17 Oct 2022 08:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.568
X-Spam-Level:
X-Spam-Status: No, score=-1.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.233, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ya5cOnxbGTr9 for <pkix@ietfa.amsl.com>; Mon, 17 Oct 2022 08:57:53 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on2110.outbound.protection.outlook.com [40.107.89.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3D8FC15270F for <pkix@ietf.org>; Mon, 17 Oct 2022 08:57:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=efArgvm3NM25shrts0lzY6Vr/m5Hm1w/XyI4mnjYHjDR4aAkj1jjOXz/QW8p1+P043m6O/6E/QLNHQJm7nB9Ajedj5UfOX36+ZB148KSjcdGaiZnB+DNs1SlI9GIzS9NjFzBdQDSFMkhWZipxzMLRhLr4nv2I/korfq2DF/dsazP71GH7cMS6BJ13gTp5mMLqrcT/g5EcMeM3Kjgpvj3K3XGKEhJ146uRzRSFLrIIcWte2eiPRJS7C3pdmmNIkAJzQXD9qbJJaiv3JdETVIUx8+E052/QzzSkF+JecVFM2wMI44pp1BvzBrJGtJ1Q2BNFdx6J9MGZjLJ2LBcDOuDzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/+ChdFlOFUc0WzOUWduzDbNPOlwDgVemWC3NxERHA24=; b=jwXfjsdLqJJeNnIRwB01SM63byK4RtXzUP9biyuJD87mHcymaadhAIAuk+WAWlqRKuVPQleqwzS74yg4rE2QndTYARy4Be66nHm/bwPZA/qKFG7BUTxUYPDAvNENZYMmu7k6BUyC9X4DOpypLQ86tcTPGpJXBoDWgZOH755BhK3oZhJOLoNkHU0kMuAjfai1enYiWuP0wUgqftqSJMBKenrVUQ1/q/3jBkB01m9Cx+y8biUuaICmcPi3+c1szIMsWC6BWXL3pJtIQF7qAmLVTFy6OeklUllvS1YTXk/fOe5ikAkV+FeJFX4amXd5R5qOW9FP7+0VnPfDyNtuMOWH9Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 129.6.18.29) smtp.rcpttodomain=ietf.org smtp.mailfrom=nist.gov; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nist.gov; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/+ChdFlOFUc0WzOUWduzDbNPOlwDgVemWC3NxERHA24=; b=c9UY4JGrfKqu+r0gZT8P/LIM9Wh5BP7pamlaNDuoTuR2tpMnpHMVYkNCE71177k00QpL9UQh/Hx73wYNRJ/mArRv3LPabN1NUTwO3hFno3k166FXYElQTTYpVHI6IUE95TkWIT32h6XiYKeu06So9Kt6PpKtqbs6s5oF0/qsPnvS6UHmOPLYMYBKs5Ed1z15Bc9XRDC30iyRiCqW6kH9QwxyHv/vOeLjEChIJg5XPTZsogT4NCMVmNNhAKlHymaPDGeOV8tqzKdgL642+i/hSBKE3cQZoMW5Dw86N/5M2x0rGwJFQZlaVAkr5Wgwpeuas5iZul7fqpTBlwwjSev10g==
Received: from MWHPR09CA0003.namprd09.prod.outlook.com (2603:10b6:300:80::13) by SA0PR09MB6793.namprd09.prod.outlook.com (2603:10b6:806:7a::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5709.15; Mon, 17 Oct 2022 15:57:49 +0000
Received: from BL0GCC02FT013.eop-gcc02.prod.protection.outlook.com (2a01:111:f400:7d05::200) by MWHPR09CA0003.outlook.office365.com (2603:10b6:300:80::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.30 via Frontend Transport; Mon, 17 Oct 2022 15:57:49 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 129.6.18.29) smtp.mailfrom=nist.gov; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nist.gov;
Received-SPF: Pass (protection.outlook.com: domain of nist.gov designates 129.6.18.29 as permitted sender) receiver=protection.outlook.com; client-ip=129.6.18.29; helo=smtp1.nist.gov; pr=C
Received: from smtp1.nist.gov (129.6.18.29) by BL0GCC02FT013.mail.protection.outlook.com (10.97.10.80) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.20 via Frontend Transport; Mon, 17 Oct 2022 15:57:47 +0000
Received: from [132.163.220.214] ([132.163.220.214]) by smtp1.nist.gov with Microsoft SMTPSVC(10.0.14393.4169); Mon, 17 Oct 2022 11:57:46 -0400
Content-Type: multipart/alternative; boundary="------------ZPX0BOgnPkrNcFNWWc18dm2Z"
Message-ID: <3da44408-6a37-890b-89f1-aac5beaa8aab@nist.gov>
Date: Mon, 17 Oct 2022 08:57:43 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.3.2
Content-Language: en-US
To: Aaron Gable <aaron@letsencrypt.org>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, pkix@ietf.org, Stefan Santesson <stefan@aaa-sec.com>, Russ Housley <housley@vigilsec.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, wpolk@nist.gov, rdd@cert.org, paul.wouters@aiven.io, Carl Wallace <carl@redhoundsoftware.com>
References: <20221014193934.45A8855E27@rfcpa.amsl.com> <f0316f70-a901-1683-8345-8798f702c85b@nist.gov> <CAEmnErd3LMav5amb_nf+QZza1K85AvOqghMQvTSvH8set5m6cQ@mail.gmail.com> <43D80D51-F005-4E63-9002-588A64A9EF6F@redhoundsoftware.com> <CAEmnErcoA8=zZxWsgq8CgmS-NeNiWkmub4roRKO2TLqkdPEsJw@mail.gmail.com>
From: "David A. Cooper" <david.cooper@nist.gov>
In-Reply-To: <CAEmnErcoA8=zZxWsgq8CgmS-NeNiWkmub4roRKO2TLqkdPEsJw@mail.gmail.com>
X-OriginalArrivalTime: 17 Oct 2022 15:57:47.0048 (UTC) FILETIME=[3365A280:01D8E241]
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BL0GCC02FT013:EE_|SA0PR09MB6793:EE_
X-MS-Office365-Filtering-Correlation-Id: 4bd35168-60b6-4e84-caf8-08dab0585661
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: iigo9tizoDvChjx/v4jyjbfrH6i9QIy6pEfnukcOLdM1eb8rr1frGmNy5Mep9/iJp5E/jY3HPu5k9bf9G5z6WQjGLVAemH0VMHd/50AXf8VwCq5LVI/O8i+U1W+Drtbv4WHos14UY+3zP7wP+BbhKdEzxp9v9bL/c4oUl1/uWQL4r92TjfTW0pZiqt5bVxOzM3W8k0Q3TDghszIuGc6hCgdSmcdFkIlY/GZdnIgKBTKIiFny6w10h9EwCaj50YrFPg4XMy0cBEruB+IHeusPhUbPJyW1PrJSb5TcCez1PJR4H2T7eooghbsM5BXothKE+qfNjBwcHkM20yySYlIXG2TcgjZmiJeCITyWa0BRgD8had5pbzGym11DEJry5sSMSkf2UsgrC6YejMwjgInTWG+h38OJqZu5I/hDxuDC0w7ZBV7SSds5TjPjacffmh1AC39ahhluSMZD87KaTHQTOtBnRnGLrngSiujxtkU7all69MYK5Jf4wSIbjC8B0zby0ETVMIHXrnl3ZM3NH9xB1trNuikjBrgknFQ/2gPZanGp+DNfU7ESSfZMbmlDzo3UGg/ritDLQOI/9mwm1ogIvoHfeSEjRNgAjRU4UoBf94Eh+3ekhptqeOYmGDeOkeB8atjTXKNnqIQHFSE3oSzFpViXo4BtGsRc/xlYwVYU+hgfEW+K3xyTTuG9g0+FkV+/GWH2PO3cMF8F2fVB688HAiH3KYBF15oRm5dVyDoRKld4WgLw8LZWHrtPML5F+5fHIex6VZ3noK78UO+21RXgnC+zIzSfXEOGwOq8S/rsyFY=
X-Forefront-Antispam-Report: CIP:129.6.18.29; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:smtp1.nist.gov; PTR:smtp1.nist.gov; CAT:NONE; SFS:(13230022)(6019001)(4636009)(269900001)(451199015)(46966006)(36840700001)(40470700004)(45080400002)(107886003)(6666004)(966005)(498600001)(8936002)(6862004)(4326008)(54906003)(70206006)(8676002)(6706004)(36756003)(36860700001)(40460700003)(7636003)(7596003)(356005)(166002)(82960400001)(86362001)(2616005)(956004)(31696002)(186003)(336012)(82310400005)(33964004)(53546011)(26005)(83380400001)(47076005)(66574015)(426003)(2906002)(31686004)(5660300002)(30864003)(43740500002); DIR:OUT; SFP:1102;
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Oct 2022 15:57:47.9050 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4bd35168-60b6-4e84-caf8-08dab0585661
X-MS-Exchange-CrossTenant-Id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2ab5d82f-d8fa-4797-a93e-054655c61dec; Ip=[129.6.18.29]; Helo=[smtp1.nist.gov]
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TreatMessagesAsInternal-BL0GCC02FT013.eop-gcc02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR09MB6793
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/V83VTRF5-gz-Va1nYnDhTqbiFaY>
Subject: Re: [pkix] [Technical Errata Reported] RFC5280 (7164)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2022 15:57:58 -0000

On 10/14/22 4:13 PM, Aaron Gable wrote:
> But Section 5 explicitly allows CRLs to have scopes which cannot be 
> encoded using the issuingDistributionPoint, crlScope, or 
> AAissuingDistributionPoint extensions, such as "all certificates 
> issued to the NIST employees located in Boulder". And, of course, the 
> crlScope extension was already deprecated by the time X.509 (08/2005) 
> was published, removing the ability of even a CRL with a scope like 
> "all even-numbered serials" to be representable within the CRL itself. 

I believe that when Section 5 noted that the scope of a CRL could be 'a 
set of certificates based on arbitrary local information, such as "all 
certificates issued to the NIST employees located in Boulder",' it meant 
that something like this could be accomplished using the 
distributionPoint field in the cRLDistributionPoints and 
issuingDistributionPoint extensions. It would just involve creating a 
distribution point for the certificates issued to NIST employees located 
in Boulder and then including this in the distributionPoint field in the 
appropriate certificates and CRLs. It wasn't suggesting that the scope 
of a CRL could be limited in this way without having an extension in the 
CRL that limits the scope of the CRL.

Section 5.2.5 clearly indicates that a issuingDistributionPoint 
extension may have just the onlySomeReasons field present:

    Conforming CRLs issuers MUST NOT issue CRLs where the DER encoding of
    the issuing distribution point extension is an empty sequence.  That
    is, if onlyContainsUserCerts, onlyContainsCACerts, indirectCRL, and
    onlyContainsAttributeCerts are all FALSE, then either the
    distributionPoint field or the onlySomeReasons field MUST be present.

If you were correct that setting onlyContainsUserCerts to TRUE is not a 
way to limit the scope of the CRL but only a way to indicate that the 
CRL issuer only issued end-entity certificates (suggesting it should 
have been named the onlyIssuesUserCerts field), then that would seem to 
imply that similarly the onlySomeReasons is not a way to limit the scope 
of the CRL, but only a way to indicate that the CRL issue only revokes 
certificates for the specified reasons. However, Section 6.3 clearly 
indicates otherwise. It indicates that if a CRL contains the 
onlySomeReasons flag, then the relying party needs to obtain additional 
CRLs until CRL covering all revocation reasons have been obtained and 
checked. Even if this were not the case, the fact that a CRL could 
contain an issuingDistributionPoint extension with just the 
onlySomeReasons field present and that this CRL would not necessarily 
contain entries for all unexpired revoked certificates (as confirmed by 
Section 6.3.3), demonstrates that the proposed change would be a 
technical change, not a clarification of the original intent of the text.

On 10/14/22 4:33 PM, Aaron Gable wrote:
> The CRL would contain entries for all revoked unexpired certificates 
> issued by the CRL issuer. It would also be asserting that the CRL 
> issuer does not issue any end-entity public key certificates, and 
> therefore that all certificates issued by the CRL issuer are CA 
> certificates. If this assertion were not true, the CRL would be 
> considered misissued.
>
> I think this interpretation is reasonable, given that the 
> conditionality of the requirements around the distributionPoint field 
> and the requirements around the onlyContainsCACerts field are 
> opposites. The former says "if this field is missing, then something 
> must be true", while the latter says "if something is true, then the 
> field must be present". It does not matter *why* that condition is 
> true -- perhaps the scope only contains CA certs because the CA has 
> decided that should be the scope, or perhaps the scope only contains 
> CA certs because the issuer has in fact only issued CA certs -- the 
> consequence of the condition being true is the same either way.
>
> Aaron
>
> On Fri, Oct 14, 2022 at 4:23 PM Carl Wallace 
> <carl@redhoundsoftware.com> wrote:
>
>     If the proposed fix were accepted, what would be included in a CRL
>     that included an IDP extension with the distributionPoint field
>     absent and the onlyContainsCACerts field set to true?
>
>     *From: *pkix <pkix-bounces@ietf.org> on behalf of Aaron Gable
>     <aaron=40letsencrypt.org@dmarc.ietf.org>
>     *Date: *Friday, October 14, 2022 at 7:14 PM
>     *To: *"David A. Cooper" <david.cooper@nist.gov>
>     *Cc: *RFC Errata System <rfc-editor@rfc-editor.org>, <pkix@ietf.org>
>     *Subject: *Re: [pkix] [Technical Errata Reported] RFC5280 (7164)
>
>     Ah, interesting. I agree that the distributionPoint URL does not
>     seem necessary in cases where the CRL contains extensions which
>     fully describe its scope and inclusion in a scope which can be
>     computed based on fields of the certificate itself. For example, a
>     CRL with a crlScope extension with a serialNumberRange indicating
>     that it contains entries for certificates with even-numbered
>     serials is not vulnerable to substitution attacks because a
>     relying party can compute whether or not the certificate in
>     question falls within the scope of the CRL.
>
>     But Section 5 explicitly allows CRLs to have scopes which cannot
>     be encoded using the issuingDistributionPoint, crlScope, or
>     AAissuingDistributionPoint extensions, such as "all certificates
>     issued to the NIST employees located in Boulder". And, of course,
>     the crlScope extension was already deprecated by the time X.509
>     (08/2005) was published, removing the ability of even a CRL with a
>     scope like "all even-numbered serials" to be representable within
>     the CRL itself.
>
>     This leads me to believe that the intent of this requirement was
>     to ensure that all sharded/partitioned/scoped CRLs should have a
>     distributionPoint to defend against substitution attacks. However,
>     the actual text of the requirement, via its inclusion of the
>     "within its scope" qualifier, fails to convey that intent. That is
>     why I suggested this errata in this location.
>
>     Aaron
>
>     On Fri, Oct 14, 2022 at 1:17 PM David A. Cooper
>     <david.cooper@nist.gov> wrote:
>
>         I believe that this errata is incorrect. The text from RFC
>         5280 that is
>         proposed to be modified is referring to the distributionPoint
>         field of
>         the issuingDistributionPoint extension, whereas the text that
>         is quoted
>         from X.509 is referring to the issuingDistributionPoint
>         extension as a
>         whole.
>
>         X.509 is noting that if there is no extension limiting the
>         scope of the
>         CRL, then the scope of the CRL must be all unexpired public-key
>         certificates issued by the CRL issuer. The extension limiting
>         the scope
>         could be the issuingDistributionPoint extension or it could be
>         some
>         other extension (e.g., crlScope or
>         AAissuingDistributionPoint). The text
>         from Section 5.2.5 of RFC 5280 is about the case in which the
>         issuingDistributionPoint extension is present, but the
>         distributionPoint
>         field in that extension is absent, in which case the scope of
>         the CRL is
>         presumably limited by some other field in the
>         issuingDistributionPoint
>         extension.
>
>         The submitter may be correct that RFC 5280 never explicitly
>         says that
>         the scope of a CRL must include all unexpired certificates
>         issued by the
>         CRL issuer unless the CRL contains an extension (or
>         extensions) that
>         limit the scope, but addressing that would involve a different
>         change
>         from the one proposed here.
>
>         On 10/14/22 12:39 PM, RFC Errata System wrote:
>         > The following errata report has been submitted for RFC5280,
>         > "Internet X.509 Public Key Infrastructure Certificate and
>         Certificate Revocation List (CRL) Profile".
>         >
>         > --------------------------------------
>         > Type: Technical
>         > Reported by: Aaron Gable <aaron@letsencrypt.org>
>         >
>         > Section: 5.2.5
>         >
>         > Original Text
>         > -------------
>         >     If the distributionPoint field is absent, the CRL MUST
>         contain
>         >     entries for all revoked unexpired certificates issued by
>         the CRL
>         >     issuer, if any, within the scope of the CRL.
>         >
>         > Corrected Text
>         > --------------
>         >     If the distributionPoint field is absent, the CRL MUST
>         contain
>         >     entries for all revoked unexpired certificates issued by
>         the CRL
>         >     issuer.
>         >
>         > Notes
>         > -----
>         > The removed phrase does not appear in the original text that
>         this requirement is derived from, ITU-T Rec. X.509 (08/2005)
>         Section 8.6.2.2
>         <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2F8.6.2.2%2F&data=05%7C01%7Cdavid.cooper%40nist.gov%7Cd05c7e9473ca425d348508daae3c8948%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638013872273508417%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=RNbXDZm1QyhWKX5J78kL2m7%2FF5EcNmtN7S8MQRRiPKM%3D&reserved=0>:
>         "If the issuing distribution point field, the AA issuing
>         distribution point field, and the CRL scope field are all
>         absent, the CRL shall contain entries for all revoked
>         unexpired public-key certificates issued by the CRL issuer."
>         >
>         > The removed phrase does not serve to create a stricter
>         requirement; rather it creates a looser requirement which
>         allows a CRL which does contain entries for all revoked
>         unexpired certificates *within its scope* to not include the
>         distributionPoint field. Given that the distributionPoint
>         field serves an important security purpose in preventing
>         substitution attacks, it is unlikely that this loosening was
>         the intent of the original authors.
>         >
>         > Instructions:
>         > -------------
>         > This erratum is currently posted as "Reported". If
>         necessary, please
>         > use "Reply All" to discuss whether it should be verified or
>         > rejected. When a decision is reached, the verifying party
>         > can log in to change the status and edit the report, if
>         necessary.
>         >
>         > --------------------------------------
>         > RFC5280 (draft-ietf-pkix-rfc3280bis-11)
>         > --------------------------------------
>         > Title               : Internet X.509 Public Key
>         Infrastructure Certificate and Certificate Revocation List
>         (CRL) Profile
>         > Publication Date    : May 2008
>         > Author(s)           : D. Cooper, S. Santesson, S. Farrell,
>         S. Boeyen, R. Housley, W. Polk
>         > Category            : PROPOSED STANDARD
>         > Source              : Public-Key Infrastructure (X.509)
>         > Area                : Security
>         > Stream              : IETF
>         > Verifying Party     : IESG
>
>     _______________________________________________ pkix mailing list
>     pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
>     <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fpkix&data=05%7C01%7Cdavid.cooper%40nist.gov%7Cd05c7e9473ca425d348508daae3c8948%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638013872273508417%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=T3eMl%2BRa5807O4Pe2U0LLzXZFn2ADKLFvolZPAKwr%2BA%3D&reserved=0>
>
>

v2.23.0 | Report a Bug | By Email