IETF Logo Mail Archive

[pkix] Re: [Technical Errata Reported] RFC5280 (8789)

Paul Wouters <paul.wouters@aiven.io> Tue, 03 March 2026 17:34 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: pkix@mail2.ietf.org
Delivered-To: pkix@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1613EC395CE9 for <pkix@mail2.ietf.org>; Tue, 3 Mar 2026 09:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCz5d4LKFezf for <pkix@mail2.ietf.org>; Tue, 3 Mar 2026 09:34:25 -0800 (PST)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CDED7C395B4C for <pkix@ietf.org>; Tue, 3 Mar 2026 09:34:18 -0800 (PST)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-b8fb6ad3243so886907866b.1 for <pkix@ietf.org>; Tue, 03 Mar 2026 09:34:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1772559258; cv=none; d=google.com; s=arc-20240605; b=kFGr97EZmW2aPRMB53tapksmy8v6qVymiS8Vce85/ZefX/KSZURJbP0kKawIGhfGZ6 /Zq05GPt4cYAW0NUCFNBRtQmtdmSjtCKi2eeE3JYOFauU6rdgMVzAbKQy9jfCwfIVpyJ nHSRq/GEJWTVseQJBkjQhtjZPx0FkuzssnJWFlLWItLn7e5kP+jGI3+zS2C5fVaN/RBD IwyqdJRHsht2jsvyQEck8jbO4+AAzN9pu4e2rpcVphEepKQAETABZK2qDpllXLETpILP 8urnkBucmTtOFIko2cDpB8AP1nEDta70G0JKFaqzU/Swn6/dovmAcr+VhhMLBHmwRLJ2 Jt6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=tp114+2PeXxGq4vXXSXvUKTVH7sN/2Wdrn1/tO79LSU=; fh=qZyhwYZnIE6R56/DMvKYtTu1eYwBy7PIP2fgIFp7iX4=; b=eZPba/dz3ejqsEI6KzGdJbroyTvPpqIICiITS5WJBnoOV1QFU/iCKZCBSkYwXwinXf kSL5pNOxMaMhcb2UnIoRscYEQRDZSsD2ugJPcR9la1Xu9bp9pf3IhRZsH1IyqlS+x3u6 8GTbGHbjarEO69+/hxNAFfBTGZvDVm4qhbusknMUOcBb9p/ZrLm8rCM6oZ3q2VZ7rRo0 0XvaAxqa4U13xhMVHlSZ0XiWZqxC3NHphjlf58C6c5L/VBTkm+38QKkhO7YYIGlhN0ZT FZAHKVVGXw7C2vT4El/d+vwlk6HOZG4wty/VPUSHRSZERuKjC6L3ZnEbluOZD4oXG8pY HlZg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1772559258; x=1773164058; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tp114+2PeXxGq4vXXSXvUKTVH7sN/2Wdrn1/tO79LSU=; b=M4dPT0LhIH4zuXcsVw+es1cdZRHMeKkU0XLMp+O89Z756OABoeGp96/vrZ2uuUBW2J XmNqPuUfDInC31+06hI0s6roPvh8B7cNXKDV2pJp+I0/kldy6xXZdQajiuKGU8I+UiEJ fVL2kVpQlG6JlWfJhLVBc8xopa5i28lE2xFkg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772559258; x=1773164058; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=tp114+2PeXxGq4vXXSXvUKTVH7sN/2Wdrn1/tO79LSU=; b=tsWmbCTb5WpstaNKlD2pNqUb6QfWg9SX2UtgnYUEScDnO0FvwzdaEnKbqTa0Xypy1R cccShbcOFaOfe7eyAunFwIYPYbgBwvrzqK3q598aPxi/sLbWYhdF4HX+JP5MHZoAbW9p v9eVnBssOBiKGozxRwvE1Al9xmN1MGW2+Xi0rOSnHWwZUcSyp+QsxRCiFcP8qtTj/Plj qqF3+dDPBdttL0w5u5WYEmtJYN2Oa9mzT/I7skB3rY3jsUI2iWyWRojmFHwvgWB1N5ev DSg5yCt6zNVNLkpfkqsWP0hjDXjH3/6lLO+U9FAzl2F3xMMcKSFREh7kDXjBum2NUaYN gIBQ==
X-Forwarded-Encrypted: i=1; AJvYcCW5AsIpI8YxWVvAdvPN2S2ILj+vadkShSwCPueLPB5mTB4G61LOXTdTW9Y9FTeOvEALLnrB@ietf.org
X-Gm-Message-State: AOJu0Yy/3YEZz4FLpSb4e4YZcAGkwmGoa7bcxSepDLeroD3Fq59CTH/G b6roAC9A7r522vZ1H1URVZXj+JXYiSQ0oAKBxjlM7xHxTAdZaLMulYr1ksC5NlbXL2OY6JqBu8p gHttMn4c6ZHbFnSfaiqFfKkdMag+y0QzGWdHYhiQSKHdmSTgoOkbQUdc=
X-Gm-Gg: ATEYQzzDeRvWT3O4a4TFCC5BO1LYd5X5j3+iicaYNlcrnqMnVtlHWsKi4LM3C8PYvhQ 7J1OKeOE3dg00X+HXKKbQLen2sb5RhyswPfXiC915HYIeZCe3ndTLTUYWd0wD8uqq4jXEM0JptY jCK4tiSHNDKBX/uABP2vMc4P+zY0QQQRbWCuCsAxT75UeME2bPL8XtqJexXEM2LvnDzJB0nleSh IgPA+lUBax2y8zXYhrR8JnPRQ7AdaPVQ0RU75y0Ta1rzT96iWVmbWObX/MlMeWaKW3T5ovNekgn o9D/zDdaZNo9R3s45zYU/wD01kkYhv/vGnG1eKLm2F7V8kfo8ALNHs0pCjK86wyAtQg=
X-Received: by 2002:a17:907:e84a:b0:b86:e938:1b26 with SMTP id a640c23a62f3a-b93763b6851mr933711566b.24.1772559257592; Tue, 03 Mar 2026 09:34:17 -0800 (PST)
MIME-Version: 1.0
References: <20260228012810.26368C000CC4@rfcpa.rfc-editor.org> <8946F689-00A0-4ED7-8570-E4A9A907B954@proper.com> <AB8DC100-40AF-43BF-BC66-B3EBDD95C3E9@sn3rd.com>
In-Reply-To: <AB8DC100-40AF-43BF-BC66-B3EBDD95C3E9@sn3rd.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 03 Mar 2026 12:34:06 -0500
X-Gm-Features: AaiRm50hQsh4Y3pq5uf9kACOix-W2l_MAqWYQt3teYSXNihozcrxbUl8Yf4MEjM
Message-ID: <CAGL5yWa6pjpyU=1v8fXjiMCQ005+Vaafj+qRkABbLV62+WkKzw@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Content-Type: multipart/alternative; boundary="000000000000e4907d064c221c4a"
Message-ID-Hash: FES2NBK5KKGCYXMPARLVQ47NX3RZBWNR
X-Message-ID-Hash: FES2NBK5KKGCYXMPARLVQ47NX3RZBWNR
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pkix.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <phoffman@proper.com>, RFC Errata System <rfc-editor@rfc-editor.org>, Stefan Santesson <stefan@aaa-sec.com>, elizabethpslator@gmail.com, pkix@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [pkix] Re: [Technical Errata Reported] RFC5280 (8789)
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/YYPLKgud8lnyB-r16LACyD6OaVQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Owner: <mailto:pkix-owner@ietf.org>
List-Post: <mailto:pkix@ietf.org>
List-Subscribe: <mailto:pkix-join@ietf.org>
List-Unsubscribe: <mailto:pkix-leave@ietf.org>

On Tue, Mar 3, 2026 at 11:47 AM Sean Turner <sean@sn3rd.com> wrote:

> If we want to remove the “WWW” from the comment sure, but please mark this
> as “Editorial" as the suggested changes are in an ASN.1 comment ;)
>

Done

Paul


>
> spt
>
> > On Feb 27, 2026, at 21:23, Paul Hoffman <phoffman@proper.com> wrote:
> >
> > This errata report is correct and should be marked as "hold for document
> update".
> >
> > --Paul Hoffman
> >
> > On 27 Feb 2026, at 17:28, RFC Errata System wrote:
> >
> >> The following errata report has been submitted for RFC5280,
> >> "Internet X.509 Public Key Infrastructure Certificate and Certificate
> Revocation List (CRL) Profile".
> >>
> >> --------------------------------------
> >> You may review the report below and at:
> >> https://www.rfc-editor.org/errata/eid8789
> >>
> >> --------------------------------------
> >> Type: Technical
> >> Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com>
> >>
> >> Section: GLOBAL
> >>
> >> Original Text
> >> -------------
> >> Section 4.2.1.12 says:
> >>
> >>   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
> >>   -- TLS WWW server authentication
> >>   -- Key usage bits that may be consistent: digitalSignature,
> >>   -- keyEncipherment or keyAgreement
> >>
> >>   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
> >>   -- TLS WWW client authentication
> >>   -- Key usage bits that may be consistent: digitalSignature
> >>   -- and/or keyAgreement
> >> It should say:
> >>
> >>   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
> >>   -- TLS server authentication
> >>   -- Key usage bits that may be consistent: digitalSignature,
> >>   -- keyEncipherment or keyAgreement
> >>
> >>   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
> >>   -- TLS client authentication
> >>   -- Key usage bits that may be consistent: digitalSignature
> >>   -- and/or keyAgreement
> >> Notes:
> >>
> >> The proposed change removes the WWW part of the description. In
> practice these object identifiers are used for server and client
> applications, but not necessarily web applications. In particular:
> >> - openssl verification considers them unconditionally even if the
> server is not a web server or the client a web client
> >> - There is no object identifier that can be used for protocols like
> SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are
> deployed with the identifiers for WWW
> >> - Standards like common criteria assume that these object identifiers
> are for generic server and clients [0].
> >>
> >> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1
> >>
> >> Report New Errata
> >>
> >> Corrected Text
> >> --------------
> >> Section 4.2.1.12 says:
> >>
> >>   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
> >>   -- TLS WWW server authentication
> >>   -- Key usage bits that may be consistent: digitalSignature,
> >>   -- keyEncipherment or keyAgreement
> >>
> >>   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
> >>   -- TLS WWW client authentication
> >>   -- Key usage bits that may be consistent: digitalSignature
> >>   -- and/or keyAgreement
> >> It should say:
> >>
> >>   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
> >>   -- TLS server authentication
> >>   -- Key usage bits that may be consistent: digitalSignature,
> >>   -- keyEncipherment or keyAgreement
> >>
> >>   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
> >>   -- TLS client authentication
> >>   -- Key usage bits that may be consistent: digitalSignature
> >>   -- and/or keyAgreement
> >> Notes:
> >>
> >> The proposed change removes the WWW part of the description. In
> practice these object identifiers are used for server and client
> applications, but not necessarily web applications. In particular:
> >> - openssl verification considers them unconditionally even if the
> server is not a web server or the client a web client
> >> - There is no object identifier that can be used for protocols like
> SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are
> deployed with the identifiers for WWW
> >> - Standards like common criteria assume that these object identifiers
> are for generic server and clients [0].
> >>
> >> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1
> >>
> >> Report New Errata
> >>
> >> Notes
> >> -----
> >> Thank you very much
> >>
> >> Instructions:
> >> -------------
> >> This erratum is currently posted as "Reported". (If it is spam, it
> >> will be removed shortly by the RFC Production Center.) Please
> >> use "Reply All" to discuss whether it should be verified or
> >> rejected. When a decision is reached, the verifying party
> >> will log in to change the status and edit the report, if necessary.
> >>
> >> --------------------------------------
> >> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
> >> --------------------------------------
> >> Title               : Internet X.509 Public Key Infrastructure
> Certificate and Certificate Revocation List (CRL) Profile
> >> Publication Date    : May 2008
> >> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen,
> R. Housley, W. Polk
> >> Category            : PROPOSED STANDARD
> >> Source              : Public-Key Infrastructure (X.509)
> >> Stream              : IETF
> >> Verifying Party     : IESG
> >
> > _______________________________________________
> > pkix mailing list -- pkix@ietf.org
> > To unsubscribe send an email to pkix-leave@ietf.org
>
>

v2.40.3 | Report a Bug | By Email | System Status