Re: [pkix] [x500standard] SV: Re: SV: Private key usage period extension

Stefan Santesson <stefan@aaa-sec.com> Fri, 06 May 2016 16:54 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC5ED12D1BC for <pkix@ietfa.amsl.com>; Fri, 6 May 2016 09:54:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ad8crr4BWtE5 for <pkix@ietfa.amsl.com>; Fri, 6 May 2016 09:54:14 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [194.9.95.112]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA22F12B032 for <pkix@ietf.org>; Fri, 6 May 2016 09:54:13 -0700 (PDT)
Received: from s554.loopia.se (localhost [127.0.0.1]) by s554.loopia.se (Postfix) with ESMTP id A6C1B170215C for <pkix@ietf.org>; Fri, 6 May 2016 18:52:45 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-Originating-IP: 90.229.17.25
X-Loopia-User: stefan@fiddler.nu
Received: from s498.loopia.se (unknown [172.21.200.96]) by s554.loopia.se (Postfix) with ESMTP id 8B53D9472E7; Fri, 6 May 2016 18:52:45 +0200 (CEST)
Received: from s549.loopia.se (unknown [172.21.200.105]) by s498.loopia.se (Postfix) with ESMTP id 88B474605C5; Fri, 6 May 2016 18:52:45 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s498.loopia.se ([172.21.200.105]) by s549.loopia.se (s549.loopia.se [172.21.200.137]) (amavisd-new, port 10024) with LMTP id GxgQ-Wkh5OKy; Fri, 6 May 2016 18:52:45 +0200 (CEST)
Received: from [10.0.1.51] (unknown [90.229.17.25]) (Authenticated sender: stefan@fiddler.nu) by s498.loopia.se (Postfix) with ESMTPSA id 345E6460DD0; Fri, 6 May 2016 18:52:45 +0200 (CEST)
User-Agent: Microsoft-MacOutlook/f.15.1.160411
Date: Fri, 06 May 2016 18:52:43 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
Message-Id: <7E6E49F9-EDA2-4B2C-AFD4-961300167D89@aaa-sec.com>
Thread-Topic: [x500standard] SV: Re: SV: [pkix] Private key usage period extension
References: <000901d1a773$379e1680$a6da4380$@x500.eu> <572C6980.8000808@cs.tcd.ie> <CA+i=0E6oo1hZSbyN_xYM1oB4-gKiuxCx-OotqAVz+G6Z7S6uJA@mail.gmail.com> <005501d1a792$626cdb20$27469160$@x500.eu> <AC93E3F3-8F1E-4395-84A6-245E5EE8B5CE@aaa-sec.com> <007d01d1a79d$b0410410$10c30c30$@x500.eu>
In-Reply-To: <007d01d1a79d$b0410410$10c30c30$@x500.eu>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="B_3545405565_862273897"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/ntO_FT9SKlF1O7Trl9EsyROVmsk>
Subject: Re: [pkix] [x500standard] SV: Re: SV: Private key usage period extension
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2016 16:54:17 -0000

Hi Erik

From:  <x500standard-bounce@freelists.org> on behalf of Erik Andersen <era@x500.eu>Hi Stefan,
 

Thanks for the clarification. You wrote at some time that the extension is not worth fixing. It is against my responsibility as rapporteur and editor. If it is broken it shall be fixed or deprecated.



I have one issue left. I do not like that either notBefore or notAfter can be omitted. notAfter could mean that the private key is valid until the sun burns out. If not specified, it could default the end of the validity of the cert validity period. Something similar for an omitted notBefore.


I’m afraid I do not agree.

The default function of a certificate is that both notBefore and notAfter are undefined with regard to private key usage period.
This means that the verifier using this certificate can assume that the private key can be used at least during the validity of the certificate.

In this extension you can set the notBefore and notAfter independently.

I don’t see anything strange or broken with that. It means that the undefined time is undefined = default behaviour.

/stefan