IETF Logo Mail Archive

[pkix] Re: [Technical Errata Reported] RFC5280 (8789)

Paul Hoffman <phoffman@proper.com> Sat, 28 February 2026 02:23 UTC

Return-Path: <phoffman@proper.com>
X-Original-To: pkix@mail2.ietf.org
Delivered-To: pkix@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BE719C02595B for <pkix@mail2.ietf.org>; Fri, 27 Feb 2026 18:23:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYHZdcG11mln for <pkix@mail2.ietf.org>; Fri, 27 Feb 2026 18:23:32 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0E8CCC025956 for <pkix@ietf.org>; Fri, 27 Feb 2026 18:23:31 -0800 (PST)
Received: from [10.106.148.22] (76-209-242-70.lightspeed.mtryca.sbcglobal.net [76.209.242.70]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id 61S2NCxD078397 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 27 Feb 2026 19:23:13 -0700 (MST) (envelope-from phoffman@proper.com)
X-Authentication-Warning: mail.proper.com: Host 76-209-242-70.lightspeed.mtryca.sbcglobal.net [76.209.242.70] claimed to be [10.106.148.22]
From: Paul Hoffman <phoffman@proper.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Date: Fri, 27 Feb 2026 18:23:11 -0800
X-Mailer: MailMate (2.0r6272)
Message-ID: <8946F689-00A0-4ED7-8570-E4A9A907B954@proper.com>
In-Reply-To: <20260228012810.26368C000CC4@rfcpa.rfc-editor.org>
References: <20260228012810.26368C000CC4@rfcpa.rfc-editor.org>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 3EZMXMV2AH6ME52TXY7BLOKSK5OG3XO5
X-Message-ID-Hash: 3EZMXMV2AH6ME52TXY7BLOKSK5OG3XO5
X-MailFrom: phoffman@proper.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pkix.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: david.cooper@nist.gov, stefans@microsoft.com, sharon.boeyen@entrust.com, wpolk@nist.gov, paul.wouters@aiven.io, kent@bbn.com, stefan@aaa-sec.com, elizabethpslator@gmail.com, pkix@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [pkix] Re: [Technical Errata Reported] RFC5280 (8789)
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/ZWiIzGlg2yUHNsdqgOhJwF_7xfQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Owner: <mailto:pkix-owner@ietf.org>
List-Post: <mailto:pkix@ietf.org>
List-Subscribe: <mailto:pkix-join@ietf.org>
List-Unsubscribe: <mailto:pkix-leave@ietf.org>

This errata report is correct and should be marked as "hold for document update".

--Paul Hoffman

On 27 Feb 2026, at 17:28, RFC Errata System wrote:

> The following errata report has been submitted for RFC5280,
> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8789
>
> --------------------------------------
> Type: Technical
> Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com>
>
> Section: GLOBAL
>
> Original Text
> -------------
> Section 4.2.1.12 says:
>
>    id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
>    -- TLS WWW server authentication
>    -- Key usage bits that may be consistent: digitalSignature,
>    -- keyEncipherment or keyAgreement
>
>    id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
>    -- TLS WWW client authentication
>    -- Key usage bits that may be consistent: digitalSignature
>    -- and/or keyAgreement
> It should say:
>
>    id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
>    -- TLS server authentication
>    -- Key usage bits that may be consistent: digitalSignature,
>    -- keyEncipherment or keyAgreement
>
>    id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
>    -- TLS client authentication
>    -- Key usage bits that may be consistent: digitalSignature
>    -- and/or keyAgreement
> Notes:
>
> The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular:
> - openssl verification considers them unconditionally even if the server is not a web server or the client a web client
> - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW
> - Standards like common criteria assume that these object identifiers are for generic server and clients [0].
>
> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1
>
> Report New Errata
>
> Corrected Text
> --------------
> Section 4.2.1.12 says:
>
>    id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
>    -- TLS WWW server authentication
>    -- Key usage bits that may be consistent: digitalSignature,
>    -- keyEncipherment or keyAgreement
>
>    id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
>    -- TLS WWW client authentication
>    -- Key usage bits that may be consistent: digitalSignature
>    -- and/or keyAgreement
> It should say:
>
>    id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
>    -- TLS server authentication
>    -- Key usage bits that may be consistent: digitalSignature,
>    -- keyEncipherment or keyAgreement
>
>    id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
>    -- TLS client authentication
>    -- Key usage bits that may be consistent: digitalSignature
>    -- and/or keyAgreement
> Notes:
>
> The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular:
> - openssl verification considers them unconditionally even if the server is not a web server or the client a web client
> - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW
> - Standards like common criteria assume that these object identifiers are for generic server and clients [0].
>
> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1
>
> Report New Errata
>
> Notes
> -----
> Thank you very much
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
> --------------------------------------
> Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
> Publication Date    : May 2008
> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
> Category            : PROPOSED STANDARD
> Source              : Public-Key Infrastructure (X.509)
> Stream              : IETF
> Verifying Party     : IESG

v2.40.1 | Report a Bug | By Email | System Status