Re: [pkix] Managing Long-Lived CA certs

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 18 July 2017 03:31 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92D9212ECCE for <pkix@ietfa.amsl.com>; Mon, 17 Jul 2017 20:31:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ZaUjAUZpoNQ for <pkix@ietfa.amsl.com>; Mon, 17 Jul 2017 20:31:52 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FD98126B6E for <pkix@ietf.org>; Mon, 17 Jul 2017 20:31:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1500348712; x=1531884712; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=XzPMkIZke9kVURYAQeHr/TlT8gy+3lc82iUg9lqIWng=; b=YYmQGYdmZE6FPwvJcZpRLJ930tCHVWjmlw+2tyHaP9ySDUt2RkHhKloX 9x9sqEK9qaY+gqUnFgqVkw8z+exDBFDxv/ptrF5q/DAUSzzAgQDxB7W0C +igmPDqpAt3i9bR7SZ+PThynyTBCqRfmoRjwq/BIxdt4cxf040pu08PIq 4OW92A25im7UuqXd26Nl96jDHutqHecOndKrU61RV8Tf6x/mGw6PHZE5l eUkxWb9FQwd1+BuRjVJj50DrYDw4TYguZqr1zfwA4fqVmaOw/kr3OyCUG 5ixKU1rkL4aDsdeEUzuheTI5uzbAn9swgUg/ymH2nENDVLXf9ct4KXOF1 A==;
X-IronPort-AV: E=Sophos;i="5.40,376,1496059200"; d="scan'208";a="166174983"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-ogg-d.UoA.auckland.ac.nz) ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 18 Jul 2017 15:31:47 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.25) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 18 Jul 2017 15:31:47 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::6929:c5b:e4d6:fd92]) by uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::6929:c5b:e4d6:fd92%14]) with mapi id 15.00.1263.000; Tue, 18 Jul 2017 15:31:47 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Erik Andersen <era@x500.eu>, PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Managing Long-Lived CA certs
Thread-Index: AQHS/wfFsHzAHG/6DUqwsYmxTQJgoKJXVMeAgAGZvr0=
Date: Tue, 18 Jul 2017 03:31:46 +0000
Message-ID: <1500348690922.69356@cs.auckland.ac.nz>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org>, <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu>
In-Reply-To: <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/j7vkVuclSDk7WOFH7pdEsQPdHsg>
Subject: Re: [pkix] Managing Long-Lived CA certs
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 03:31:55 -0000

Erik Andersen <era@x500.eu> writes:

>What about the private key usage period extension

That would be the obvious choice, but PKIX says you're not allowed to use it.
No reason given, you just can't.  This would imply that support for it in
implementations is going to be hard to find...

Peter.