Re: [pkix] Next edition of X.509

Peter Bowen <pzbowen@gmail.com> Sat, 23 January 2016 12:44 UTC

In-Reply-To: <000001d155c7$98b64530$ca22cf90$@x500.eu>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu>
Date: Sat, 23 Jan 2016 04:44:08 -0800
Message-ID: <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Erik Andersen <era@x500.eu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Y4xTgQbMQQbsUuYGkBA0clIuey4>
Cc: Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509

In 8.2.2.4, replace the first sentence with:

The presence of this extension in an end-entity certificate indicates
one or more purposes for which the certified public key may be used,
in addition to, or in place of the basic purposes indicated in the key
usage extension field. The presence of this extension in a certificate
issued by one CA to another CA constrains the key purposes in
subsequent certificates in a certification path.

If there is support for this addition, then additions will also be
needed in section 10 to include key purposes in the input, output, and
processing.

Thanks,
Peter

On Sat, Jan 23, 2016 at 2:19 AM, Erik Andersen <era@x500.eu> wrote:
> Hi Peter,
>
> I would like to explore whether there is support for such an addition to X.509. Could I have your comments please?
>
> Regards,
>
> Erik
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbowen@gmail.com]
> Sent: 23 January 2016 02:50
> To: Erik Andersen <era@x500.eu>
> Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>; WG15@iectc57.org
> Subject: Re: [pkix] Next edition of X.509
>
> Erik,
>
> While I'm sure this is a contentious proposal, I would propose that
> X.509 add language allowing usage of Extended Key Usage for constraints, joining certificate policies, name constraints, basic constraints, etc.  Many widely deployed certificate path validation libraries already implement this even though it is unclear at best whether such is compliant with X.509 (10/2012).
>
> Thanks,
> Peter
>
> On Mon, Dec 7, 2015 at 3:38 AM, Erik Andersen <era@x500.eu> wrote:
>> Hi Stephen,
>>
>> I will collect any comment on any list. The goal is to get the best technical specification.
>>
>> Regards,
>>
>> Erik
>>
>> -----Original Message-----
>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>> Sent: 07 December 2015 11:45
>> To: Erik Andersen <era@x500.eu>; Directory list
>> <x500standard@freelists.org>; PKIX <pkix@ietf.org>
>> Cc: WG15@iectc57.org
>> Subject: Re: [pkix] Next edition of X.509
>>
>>
>> Thank you Erik! Do I understand correctly that comments from this list that you get before February are useful and that sending comments to the pkix list works well enough for you?
>>
>> If so, great, and I'd ask folks who care about RFC5280 or other PKIX
>> RFCs to please review this to check for any glitches that might affect
>> interop should new code be written based on the ISO doc. I'm sure
>> other comments are also welcome,
>>
>> Cheers,
>> S.
>>
>> On 07/12/15 10:33, Erik Andersen wrote:
>>> In preparation for the next edition of X.509 (the 2016 edition), I
>>> have forwarded to the ISO/IEC JTC1/SC6 two documents for three-month ballots:
>>>
>>> These two documents may be found as:
>>>
>>> 1.       http://www.x500standard.com/uploads/extensions/x509-pdam-amd2.pdf,
>>> which is the 3rd PDAM text for an amendment to X.509.
>>>
>>> 2.       http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor2.pdf, which is a
>>> second draft technical corrigendum. This technical corrigendum is
>>> based on a set of defect reports, which include the justification
>>> for the changes. The defect reports may be found on
>>> http://www.x500standard.com/index.php?n=Ig.DefectReports.
>>>
>>> An early corrigendum has been approved within ISO and ITU-T and may
>>> be found
>>> as: http://www.x500standard.com/uploads/dtc/X509-Ed7-Cor1.pdf.
>>>
>>> These three documents together with the seventh edition will provide
>>> the input to the next edition of X.509. The different
>>> X.recommendations, including X.509, may be found at
>>> http://www.itu.int/rec/T-REC-X/e. This edition of X.509 is freely available in the PDF version.
>>>
>>> Those involved in ISO/IEC JTC1/SC6 can, of course, submit ballot
>>> comments on the two documents out for ballot. Others, who may have
>>> comments on these documents, may post them on the lists and after
>>> consolidation and consensus, they may be issued as ITU-T comments.
>>>
>>> It is important to check whether any of the suggested changes affects
>>> running code. If that is the case, it is a mistake.
>>>
>>> The intention behind the changes has been:
>>>
>>> 1.       A better separation between public-key certificates and attribute
>>> certificates.
>>>
>>> 2.       Use of a consistent terminology.
>>>
>>> 3.       Use of a consistent editing style in accordance with the ITU-T
>>> editing guidelines.
>>>
>>> 4.       A new PKI component called trust broker, which assists a relying party
>>> in validating a public-key certificate, is included.
>>>
>>> 5.       IEC TC57 WG15 has identified a requirement for a feature first
>>> called whitelist, but now the term authorization and validation
>>> list is used. A proposal for such a feature is included in the amendment.
>>>
>>> The main goal has been to position X.509 for new challenges, such as
>>> smart grid security and security for Internet of Things with battery
>>> driven devices, very short messages (can we put a 257 octets
>>> signature on a few octets message?), short reaction time
>>> requirements, many millions of entities, etc. This is all very different from Web-based systems.
>>>
>>> Kind regards,
>>>
>>> Erik
>>>
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pkix
>>>
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>
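The behaviour Peter's proposed 8.2.2.4 text describes, shown in running code as an added example (it is not part of the message, of X.509, or of any draft text). Go's crypto/x509 is one of the deployed path-validation libraries that already treats extendedKeyUsage in a CA certificate as a constraint on the certificates below it: its verifier walks the path from the trust anchor to the leaf and drops every requested key purpose that any EKU-bearing certificate does not list. The block mints a constructed hierarchy (a root with no EKU, an issuing CA whose EKU lists only serverAuth, and a serverAuth leaf and a clientAuth leaf under it; the names and keys are made up for the example), lets Go accept the serverAuth leaf and reject the clientAuth leaf with its IncompatibleUsage reason, and then sketches in effectiveKeyPurposes the kind of section 10 processing the message says would be needed: key purposes as input, an intersection along the path as processing, the surviving set as output. Two points are assumptions here rather than anything the proposed text says: a certificate without the extension constrains nothing, and anyExtendedKeyUsage constrains nothing either (both are what Go does).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	serverAuth = x509.ExtKeyUsageServerAuth
	clientAuth = x509.ExtKeyUsageClientAuth
)

func must[T any](v T, err error) T { // demo only: the example just mints constructed test data
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate for cn signed by parentKey (self-signed when parentCert is nil) with exactly the listed EKUs.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildDemoChain returns the constructed hierarchy: root without EKU, issuing CA with EKU = {serverAuth}, two leaves.
func buildDemoChain() (root, inter, serverLeaf, clientLeaf *x509.Certificate) {
	root, rootKey := issue("Example Root", true, nil, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, []x509.ExtKeyUsage{serverAuth}, root, rootKey)
	serverLeaf, _ = issue("server.example", false, []x509.ExtKeyUsage{serverAuth}, inter, interKey)
	clientLeaf, _ = issue("client.example", false, []x509.ExtKeyUsage{clientAuth}, inter, interKey)
	return root, inter, serverLeaf, clientLeaf
}

// verifyFor runs Go's own path validation for leaf with the requested key purposes; accepted chains come back leaf first.
func verifyFor(root, inter, leaf *x509.Certificate, usages ...x509.ExtKeyUsage) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: usages})
}

// rejectedForUsage is true when Verify failed because no requested key purpose survived the path, not for another reason.
func rejectedForUsage(err error) bool {
	cie, ok := err.(x509.CertificateInvalidError)
	return ok && cie.Reason == x509.IncompatibleUsage
}

// effectiveKeyPurposes is the section 10 style computation: walk the path from trust
// anchor to leaf (input is leaf first) intersecting the EKU of every certificate that
// carries it. nil means unrestricted; an empty set means no purpose survives. Assumption:
// an absent extension and anyExtendedKeyUsage both constrain nothing (as in Go's verifier).
func effectiveKeyPurposes(chain ...*x509.Certificate) (allowed map[x509.ExtKeyUsage]bool) {
	for i := len(chain) - 1; i >= 0; i-- {
		here := map[x509.ExtKeyUsage]bool{}
		for _, u := range chain[i].ExtKeyUsage {
			here[u] = true
		}
		switch {
		case len(here) == 0 || here[x509.ExtKeyUsageAny]: // this certificate constrains nothing
		case allowed == nil:
			allowed = here
		default:
			for u := range allowed {
				if !here[u] {
					delete(allowed, u)
				}
			}
		}
	}
	return allowed
}

func main() {
	root, inter, srv, cli := buildDemoChain()
	_, errSrv := verifyFor(root, inter, srv, serverAuth)
	_, errCli := verifyFor(root, inter, cli, clientAuth)
	fmt.Println("serverAuth leaf accepted:", errSrv == nil, "| clientAuth leaf rejected on key purpose:", rejectedForUsage(errCli))
	fmt.Println("purposes surviving the clientAuth leaf's path:", effectiveKeyPurposes(cli, inter, root))
}
```

Asking for both purposes at once for the clientAuth leaf also fails, because no single purpose is listed by every EKU-bearing certificate on the path; that "survives every certificate" rule, and the treatment of anyExtendedKeyUsage and of CA certificates without the extension, are exactly what a section 10 text would have to pin down, since RFC 5280 defines extKeyUsage for end-entity certificates and its path validation does not process it at all.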