Re: [pkix] Private key usage period extension
"Erik Andersen" <era@x500.eu> Sat, 07 May 2016 05:53 UTC
From: Erik Andersen <era@x500.eu>
To: 'Directory list' <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
It seems like we just leave it as it is. I could suggest a new note saying something like "This Specification does not specify any semantic associated with this extension. This has to be defined for the individual usage".

Regards,

Erik

-----Original message-----
From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
Sent: 07 May 2016 07:09
To: Erik Andersen <era@x500.eu>; Directory list <x500standard@freelists.org>; PKIX <pkix@ietf.org>
Subject: RE: [pkix] Private key usage period extension

Erik Andersen <era@x500.eu> writes:

>This extension was included in RFC 3280 with a heavy health warning. It
>was omitted from RFC 5280 (except for A.2).

It's been deprecated since RFC 2459. At that time no-one was ever able to give a coherent explanation for this that got much beyond "PKIX doesn't do that sort of thing" [0].

>In my mind, the validity of the private key should not spread outside
>the validity period of the certificate.

It's not meant for that, in fact it's the exact opposite, it's an extremely useful extension for when you want to say that, for example, a signing key is valid for one year but the certificate used to verify its signatures is valid for ten years. The lack of a capability for doing this has been plaguing cert-based signatures for years, leading to all manner of workaround hacks to deal with verifying signatures after the cert has expired.

Peter.

[0] Years later people retconned explanations for it, but none of them were terribly credible.
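The usage Peter describes (a signing key valid for one year under a certificate valid for ten), as an added illustration that is not part of the thread: it DER-encodes a PrivateKeyUsagePeriod extension (id-ce 16, as defined in RFC 3280) by hand and checks a claimed signing time against both the key period and the certificate validity. The dates, the `signing_time_acceptable` policy and all helper names are constructed for this example, not taken from any standard or implementation.

```python
from datetime import datetime, timezone

# Constructed sample values: key usable for one year, certificate valid for ten.
KEY_NOT_BEFORE = datetime(2016, 5, 1, tzinfo=timezone.utc)
KEY_NOT_AFTER = datetime(2017, 5, 1, tzinfo=timezone.utc)
CERT_NOT_BEFORE = datetime(2016, 5, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2026, 5, 1, tzinfo=timezone.utc)
SIGNED_IN_PERIOD = datetime(2016, 12, 1, tzinfo=timezone.utc)       # key and cert both valid
SIGNED_AFTER_KEY_PERIOD = datetime(2018, 1, 1, tzinfo=timezone.utc)  # cert valid, key period over

def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _generalized_time(dt: datetime) -> bytes:
    # DER GeneralizedTime: YYYYMMDDHHMMSSZ in UTC, no fractional seconds
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")

def encode_private_key_usage_period(not_before: datetime, not_after: datetime) -> bytes:
    """DER-encode an X.509 Extension carrying PrivateKeyUsagePeriod (OID 2.5.29.16).
    PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime OPTIONAL,
                                         notAfter  [1] GeneralizedTime OPTIONAL }
    RFC 3280 requires the extension to be non-critical, so the DEFAULT FALSE
    'critical' field is omitted as DER demands."""
    period = _tlv(0x30, _tlv(0x80, _generalized_time(not_before))   # [0] IMPLICIT
                        + _tlv(0x81, _generalized_time(not_after)))  # [1] IMPLICIT
    extn_id = _tlv(0x06, bytes.fromhex("551d10"))                    # 2.5.29.16
    return _tlv(0x30, extn_id + _tlv(0x04, period))                  # Extension SEQUENCE

def signing_time_acceptable(signing_time: datetime, cert_validity, key_period) -> bool:
    """Constructed policy: the claimed signing time must lie inside both the
    certificate validity and the key usage period. When verification happens is
    deliberately not an input, so a signature made during the one-year key period
    remains checkable for as long as the ten-year certificate is valid."""
    cert_nb, cert_na = cert_validity
    key_nb, key_na = key_period
    return cert_nb <= signing_time <= cert_na and key_nb <= signing_time <= key_na

if __name__ == "__main__":
    print(encode_private_key_usage_period(KEY_NOT_BEFORE, KEY_NOT_AFTER).hex())
    cert, key = (CERT_NOT_BEFORE, CERT_NOT_AFTER), (KEY_NOT_BEFORE, KEY_NOT_AFTER)
    print(signing_time_acceptable(SIGNED_IN_PERIOD, cert, key))         # True
    print(signing_time_acceptable(SIGNED_AFTER_KEY_PERIOD, cert, key))  # False
```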