Re: [pkix] [Technical Errata Reported] RFC5280 (7164)

"David A. Cooper" <david.cooper@nist.gov> Fri, 14 October 2022 20:17 UTC

Message-ID: <f0316f70-a901-1683-8345-8798f702c85b@nist.gov>
Date: Fri, 14 Oct 2022 13:17:08 -0700
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: aaron@letsencrypt.org, pkix@ietf.org
References: <20221014193934.45A8855E27@rfcpa.amsl.com>
From: "David A. Cooper" <david.cooper@nist.gov>
In-Reply-To: <20221014193934.45A8855E27@rfcpa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/YuErTrIPYt7MzTKE6R_KRqNouto>
List-Id: PKIX Working Group <pkix.ietf.org>

I believe that this erratum is incorrect. The text from RFC 5280 that is 
proposed to be modified is referring to the distributionPoint field of 
the issuingDistributionPoint extension, whereas the text that is quoted 
from X.509 is referring to the issuingDistributionPoint extension as a 
whole.

X.509 is noting that if there is no extension limiting the scope of the 
CRL, then the scope of the CRL must be all unexpired public-key 
certificates issued by the CRL issuer. The extension limiting the scope 
could be the issuingDistributionPoint extension or it could be some 
other extension (e.g., crlScope or AAissuingDistributionPoint). The text 
from Section 5.2.5 of RFC 5280 is about the case in which the 
issuingDistributionPoint extension is present, but the distributionPoint 
field in that extension is absent, in which case the scope of the CRL is 
presumably limited by some other field in the issuingDistributionPoint 
extension.

The submitter may be correct that RFC 5280 never explicitly says that 
the scope of a CRL must include all unexpired certificates issued by the 
CRL issuer unless the CRL contains an extension (or extensions) that 
limit the scope, but addressing that would involve a different change 
from the one proposed here.

On 10/14/22 12:39 PM, RFC Errata System wrote:
> The following errata report has been submitted for RFC5280,
> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
>
> --------------------------------------
> Type: Technical
> Reported by: Aaron Gable <aaron@letsencrypt.org>
>
> Section: 5.2.5
>
> Original Text
> -------------
>     If the distributionPoint field is absent, the CRL MUST contain
>     entries for all revoked unexpired certificates issued by the CRL
>     issuer, if any, within the scope of the CRL.
>
> Corrected Text
> --------------
>     If the distributionPoint field is absent, the CRL MUST contain
>     entries for all revoked unexpired certificates issued by the CRL
>     issuer.
>
> Notes
> -----
> The removed phrase does not appear in the original text that this requirement is derived from, ITU-T Rec. X.509 (08/2005) Section 8.6.2.2: "If the issuing distribution point field, the AA issuing distribution point field, and the CRL scope field are all absent, the CRL shall contain entries for all revoked unexpired public-key certificates issued by the CRL issuer."
>
> The removed phrase does not serve to create a stricter requirement; rather it creates a looser requirement which allows a CRL which does contain entries for all revoked unexpired certificates *within its scope* to not include the distributionPoint field. Given that the distributionPoint field serves an important security purpose in preventing substitution attacks, it is unlikely that this loosening was the intent of the original authors.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
> --------------------------------------
> Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
> Publication Date    : May 2008
> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
> Category            : PROPOSED STANDARD
> Source              : Public-Key Infrastructure (X.509)
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
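The distinction drawn in the reply above (no issuingDistributionPoint at all versus an IDP whose distributionPoint field is absent but whose other fields narrow the scope) is exactly what a relying party has to evaluate in RFC 5280 section 6.3.3 step (b) before it trusts a CRL for a given certificate. The following is an added example for this thread, not code from the message, from RFC 5280 or from any PKIX implementation: it models certificates, distribution points and CRLs as plain dataclasses (names and URIs are constructed, and a real validator would take them from DER via an X.509 library) and implements the issuer and scope checks of step (b), including the partition-match rule that blocks substituting one partitioned CRL for another.

```python
"""RFC 5280 section 6.3.3 step (b): is this CRL in scope for this certificate?

Added example for this thread; it is not code from the message, from
RFC 5280, or from any PKIX implementation. Certificates and CRLs are
modelled as dataclasses with constructed names and URIs instead of DER.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DistributionPoint:
    """One DistributionPoint from the certificate's cRLDistributionPoints
    extension (RFC 5280 section 4.2.1.13)."""
    full_names: FrozenSet[str] = frozenset()  # distributionPoint.fullName
    crl_issuer: Optional[str] = None          # cRLIssuer (indirect CRLs)


@dataclass(frozen=True)
class Certificate:
    issuer: str
    is_ca: bool                                   # basicConstraints.cA
    crl_dp: Optional[DistributionPoint] = None    # None: no CRLDP extension


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """issuingDistributionPoint CRL extension (RFC 5280 section 5.2.5).
    full_names is None when the distributionPoint field is absent; the
    boolean fields can still narrow the scope in that case."""
    full_names: Optional[FrozenSet[str]] = None
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_contains_attribute_certs: bool = False
    indirect_crl: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None  # None: extension absent


def crl_covers_certificate(cert: Certificate, crl: CRL) -> Optional[str]:
    """Return None if `crl` is an acceptable complete CRL for `cert`,
    otherwise a string saying why it is out of scope. An out-of-scope CRL
    carries no revocation information for this certificate, so the caller
    must keep looking rather than treat the certificate as unrevoked."""
    dp = cert.crl_dp or DistributionPoint()

    # (b)(1): the CRL issuer is the certificate issuer, or the cRLIssuer
    # named in the DP, in which case the CRL must also flag itself indirect.
    if dp.crl_issuer is not None:
        if crl.issuer != dp.crl_issuer:
            return "CRL issuer does not match cRLIssuer in the DP"
        if crl.idp is None or not crl.idp.indirect_crl:
            return "indirect CRL without indirectCRL asserted in its IDP"
    elif crl.issuer != cert.issuer:
        return "CRL issuer does not match certificate issuer"

    # No IDP extension: the CRL claims all unexpired certificates of its
    # issuer (the X.509 8.6.2.2 rule quoted in the erratum), so the issuer
    # match above is the entire scope check.
    if crl.idp is None:
        return None
    idp = crl.idp

    # (b)(2)(i): a distributionPoint in the IDP must name the partition the
    # certificate points at. This is what stops a CRL for partition b from
    # being substituted for partition a. A certificate with nothing to
    # match against is treated conservatively as out of scope.
    if idp.full_names is not None:
        names_to_match = dp.full_names if dp.full_names else (
            frozenset([dp.crl_issuer]) if dp.crl_issuer else frozenset())
        if not (idp.full_names & names_to_match):
            return "IDP distributionPoint does not match the certificate's DP"

    # (b)(2)(ii)-(iv): scope narrowed by the boolean fields. These apply
    # whether or not distributionPoint is present, which is why an IDP with
    # distributionPoint absent is still a scoped CRL.
    if idp.only_contains_user_certs and cert.is_ca:
        return "CRL covers end-entity certificates only"
    if idp.only_contains_ca_certs and not cert.is_ca:
        return "CRL covers CA certificates only"
    if idp.only_contains_attribute_certs:
        return "CRL covers attribute certificates only"
    return None


# Constructed scenario: one CA, two CRL partitions, an end-entity
# certificate pointing at partition a, and a CA certificate with no CRLDP.
CA = "CN=Example CA"
EE_CERT = Certificate(CA, is_ca=False,
                      crl_dp=DistributionPoint(frozenset({"http://crl.example/a.crl"})))
CA_CERT = Certificate(CA, is_ca=True)
FULL_CRL = CRL(CA)                                        # no IDP at all
PART_A = CRL(CA, IssuingDistributionPoint(frozenset({"http://crl.example/a.crl"})))
PART_B = CRL(CA, IssuingDistributionPoint(frozenset({"http://crl.example/b.crl"})))
EE_ONLY = CRL(CA, IssuingDistributionPoint(only_contains_user_certs=True))

if __name__ == "__main__":
    for label, cert, crl in [("full CRL", EE_CERT, FULL_CRL),
                             ("partition a", EE_CERT, PART_A),
                             ("partition b substituted", EE_CERT, PART_B),
                             ("EE-only CRL, EE cert", EE_CERT, EE_ONLY),
                             ("EE-only CRL, CA cert", CA_CERT, EE_ONLY)]:
        print(f"{label:24} -> {crl_covers_certificate(cert, crl) or 'in scope'}")
```

The EE_ONLY case is the one the reply describes: the IDP extension is present, its distributionPoint field is absent, and the scope is limited by onlyContainsUserCerts instead, so the CRL is acceptable for the end-entity certificate and rejected for the CA certificate. PART_B against EE_CERT is the substitution that the distributionPoint field exists to prevent.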