[pkix] [Errata Held for Document Update] RFC5280 (8789)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 03 March 2026 17:33 UTC
Return-Path: <wwwrun@rfcpa.rfc-editor.org>
X-Original-To: pkix@ietf.org
Delivered-To: pkix@mail2.ietf.org
Received: from rfcpa.rfc-editor.org (unknown [167.172.21.234]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E7610C39538E; Tue, 3 Mar 2026 09:33:45 -0800 (PST)
Received: by rfcpa.rfc-editor.org (Postfix, from userid 461) id DAFE82B457C; Tue, 3 Mar 2026 09:33:45 -0800 (PST)
To: elizabethpslator@gmail.com, david.cooper@nist.gov, stefans@microsoft.com, stephen.farrell@cs.tcd.ie, sharon.boeyen@entrust.com, housley@vigilsec.com, wpolk@nist.gov
From: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20260303173345.DAFE82B457C@rfcpa.rfc-editor.org>
Date: Tue, 03 Mar 2026 09:33:45 -0800
Message-ID-Hash: 64NVPLMNI6JNED22YHBFSZMJ24H2YPGB
X-Message-ID-Hash: 64NVPLMNI6JNED22YHBFSZMJ24H2YPGB
X-MailFrom: wwwrun@rfcpa.rfc-editor.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pkix.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: paul.wouters@aiven.io, iesg@ietf.org, pkix@ietf.org, rfc-editor@rfc-editor.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [pkix] [Errata Held for Document Update] RFC5280 (8789)
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/lMHWfO9mPL24Oxga7ioZV1OMN8Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Owner: <mailto:pkix-owner@ietf.org>
List-Post: <mailto:pkix@ietf.org>
List-Subscribe: <mailto:pkix-join@ietf.org>
List-Unsubscribe: <mailto:pkix-leave@ietf.org>
The following errata report has been held for document update for RFC5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid8789 -------------------------------------- Status: Held for Document Update Type: Editorial Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com> Date Reported: 2026-02-28 Held by: Paul Wouters (IESG) Section: GLOBAL Original Text ------------- Section 4.2.1.12 says: id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -- TLS WWW server authentication -- Key usage bits that may be consistent: digitalSignature, -- keyEncipherment or keyAgreement id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -- TLS WWW client authentication -- Key usage bits that may be consistent: digitalSignature -- and/or keyAgreement It should say: id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -- TLS server authentication -- Key usage bits that may be consistent: digitalSignature, -- keyEncipherment or keyAgreement id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -- TLS client authentication -- Key usage bits that may be consistent: digitalSignature -- and/or keyAgreement Notes: The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular: - openssl verification considers them unconditionally even if the server is not a web server or the client a web client - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW - Standards like common criteria assume that these object identifiers are for generic server and clients [0]. [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1 Report New Errata Corrected Text -------------- Section 4.2.1.12 says: id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -- TLS WWW server authentication -- Key usage bits that may be consistent: digitalSignature, -- keyEncipherment or keyAgreement id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -- TLS WWW client authentication -- Key usage bits that may be consistent: digitalSignature -- and/or keyAgreement It should say: id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -- TLS server authentication -- Key usage bits that may be consistent: digitalSignature, -- keyEncipherment or keyAgreement id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -- TLS client authentication -- Key usage bits that may be consistent: digitalSignature -- and/or keyAgreement Notes: The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular: - openssl verification considers them unconditionally even if the server is not a web server or the client a web client - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW - Standards like common criteria assume that these object identifiers are for generic server and clients [0]. [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1 Report New Errata Notes ----- Sec AD (Paul Wouters): Changed to Editorial, as the suggested changes are in an ASN.1 comment -------------------------------------- RFC5280 (draft-ietf-pkix-rfc3280bis-11) -------------------------------------- Title : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile Publication Date : May 2008 Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Stream : IETF Verifying Party : IESG
- [pkix] [Errata Held for Document Update] RFC5280 … RFC Errata System
- [pkix] Re: [Errata Held for Document Update] RFC5… Corey Bonnell
- [pkix] Re: [Errata Held for Document Update] RFC5… Deb Cooley