Re: [pkix] Managing Long-Lived CA certs

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 18 July 2017 15:25 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "David A. Cooper" <david.cooper@nist.gov>
CC: "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Managing Long-Lived CA certs
Date: Tue, 18 Jul 2017 15:25:46 +0000
Message-ID: <1500391529591.47499@cs.auckland.ac.nz>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz> <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov> <1500387403338.42595@cs.auckland.ac.nz>, <a6c8cee5-2577-c680-c61e-d3fa819d31ea@nist.gov>
In-Reply-To: <a6c8cee5-2577-c680-c61e-d3fa819d31ea@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/gKkvHVDpSMZKbkr5tzOgsRGzdOY>

David A. Cooper <david.cooper@nist.gov> writes:

>So, you intentionally delete the quote I provided from RFC 5280 saying that
>use of the private key usage period extension is "neither deprecated nor
>recommended" so that you can falsely claim that the "PKIX RFCs for the last
>twenty years" have said the same thing.

So you intentionally quibble over trivia in order to turn this into a long and
pointlessly boring argument...

From drafts of 2459 around 20 years ago until 5280 the spec said you shouldn't
use PKUP (3280 was even more strongly worded than the original 2459 text I
cited, "This extension SHOULD NOT be used within the Internet PKI"), and then
5280 removed mention of it.  The majority of the PKI implementations I'm aware
of date from well before 5280, when the "don't use PKUP" was in force.  That's
why I pointed out that support for it in implementations could be hard to
find.

Peter.
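The thread turns on how few implementations ever handled the PrivateKeyUsagePeriod extension. The following is an added example, not code from either poster: a minimal DER decoder for the extension value as defined in RFC 2459 section 4.2.1.4 (id-ce 16, implicit tagging, both fields OPTIONAL), plus a check of a signing time against the decoded period. The function names and the sample encoding are my own constructions.

```python
"""Decode an X.509 PrivateKeyUsagePeriod (PKUP) extension value and test a
signing time against it.  PKUP ::= SEQUENCE { notBefore [0] IMPLICIT
GeneralizedTime OPTIONAL, notAfter [1] IMPLICIT GeneralizedTime OPTIONAL }.
Only DER is handled (one TLV parser, YYYYMMDDHHMMSSZ times)."""
from datetime import datetime, timezone

PKUP_OID = "2.5.29.16"  # id-ce-privateKeyUsagePeriod


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _generalized_time(raw):
    """DER GeneralizedTime is fixed to UTC with no fractional seconds."""
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def decode_pkup(ext_value):
    """Return (not_before, not_after); either may be None, but not both."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyUsagePeriod must be a SEQUENCE")
    not_before = not_after = None
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x80:                     # [0] IMPLICIT notBefore
            not_before = _generalized_time(val)
        elif tag == 0x81:                   # [1] IMPLICIT notAfter
            not_after = _generalized_time(val)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PrivateKeyUsagePeriod")
    if not_before is None and not_after is None:
        raise ValueError("PrivateKeyUsagePeriod must carry notBefore or notAfter")
    return not_before, not_after


def key_usable_at(ext_value, when_iso):
    """True if the ISO-8601 UTC instant (e.g. 2018-01-01T00:00:00Z) lies inside the
    period; an absent bound is treated as open on that side."""
    when = datetime.strptime(when_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    nb, na = decode_pkup(ext_value)
    return (nb is None or nb <= when) and (na is None or when <= na)


# Constructed sample encoding: notBefore 2017-07-18T00:00:00Z, notAfter 2019-07-18T00:00:00Z
SAMPLE_PKUP = (b"\x30\x22" + b"\x80\x0f" + b"20170718000000Z" + b"\x81\x0f" + b"20190718000000Z")
SAMPLE_PKUP_OPEN_START = b"\x30\x11" + b"\x81\x0f" + b"20190718000000Z"  # notAfter only
```

A verifier that wants to honour the extension would look up `PKUP_OID` in the certificate's extension list and hand the extnValue octets to `key_usable_at` with the signature's claimed signing time.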