Re: [pkix] [Technical Errata Reported] RFC5280 (7661)

"David A. Cooper" <david.cooper@nist.gov> Thu, 28 September 2023 16:14 UTC

Message-ID: <5cf73bbc-4e32-4e1c-9e57-2ea8b5fa076d@nist.gov>
Date: Thu, 28 Sep 2023 09:14:18 -0700
To: Russ Housley <housley@vigilsec.com>, RFC Editor <rfc-editor@rfc-editor.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Roman D. Danyliw" <rdd@cert.org>, Paul Wouters <paul.wouters@aiven.io>, Stefan Santesson <stefan@aaa-sec.com>, ben.strauss@dell.com, IETF PKIX <pkix@ietf.org>
References: <20230928131036.D1CD013BB505@rfcpa.amsl.com> <4091FFAB-4E82-4D5F-B497-5C193366E456@vigilsec.com>
From: "David A. Cooper" <david.cooper@nist.gov>
In-Reply-To: <4091FFAB-4E82-4D5F-B497-5C193366E456@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/psWOVfIxJhKT5EagEXNzGEGZ47w>

While the term cross-certificate is commonly used only to refer to 
certificates issued between "peers" where each CA issues a certificate 
to the other CA, a cross-certificate is any certificate issued by one CA 
to another CA.  There is no requirement for certificates to be issued in 
both directions. And the definition in RFC 4949 is not correct in 
suggesting that a certificate is only a cross-certificate if the issuer 
and subject are in different PKIs (whatever that means).

As Section 3.2 of RFC 5280 notes, "Cross-certificates are CA certificates 
in which the issuer and subject are different entities."

The erratum is correct that "signature key used for issuing certificates" 
could be interpreted as referring to a private key. This could be fixed 
by simply deleting the clause "that contains a CA signature key used for 
issuing certificates."

On 9/28/23 8:54 AM, Russ Housley wrote:
> Cross certification results in each CA issuing a certificate to the other.  Dropping the second sentence is not helpful in my view.
>
> Russ
>
>
>> On Sep 28, 2023, at 9:10 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been submitted for RFC5280,
>> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7661
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Benjamin Strauss <ben.strauss@dell.com>
>>
>> Section: 3.5
>>
>> Original Text
>> -------------
>>       (g)  cross-certification:  Two CAs exchange information used in
>>            establishing a cross-certificate.  A cross-certificate is a
>>            certificate issued by one CA to another CA that contains a CA
>>            signature key used for issuing certificates.
>>
>> Corrected Text
>> --------------
>>       (g)  cross-certification:  Two CAs exchange information used in
>>            establishing a cross-certificate.
>>
>> Notes
>> -----
>> The removed sentence is factually inaccurate and misleading: "A cross-certificate is a certificate issued by one CA to another CA that contains a CA signature key used for issuing certificates."
>> A "signature key used for issuing certificates" would be a private key.  A certificate simply does not contain a private key.  A definition of "cross-certificate" for the purpose of this RFC is already provided in section 3.2, so there is no point in elaborating here.
>> (The definition given in section 3.2 conflicts with the narrower, and more generally used, definition given in RFC 4949, but that is beside the point.)
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
>> --------------------------------------
>> Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
>> Publication Date    : May 2008
>> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
>> Category            : PROPOSED STANDARD
>> Source              : Public-Key Infrastructure (X.509)
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
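The two points argued in this thread, that a cross-certificate is simply a CA certificate whose issuer and subject differ (RFC 5280 Section 3.2, with no requirement for certificates in both directions) and that a certificate carries the subject's public key rather than any "signature key" the issuer uses, can be checked mechanically. The following is an added example written for this page, not code from the thread or from RFC 5280. It uses the pyca/cryptography library, builds two constructed CAs ("Example CA A" and "Example CA B" are made-up names, keys generated at run time), has A issue a one-directional cross-certificate to B, and classifies each certificate with the Section 3.2 definitions (self-signed, self-issued, cross-certificate). It also confirms that the cross-certificate embeds B's public key, verifies under A's public key, and contains no trace of B's private scalar.

```python
"""Classify CA certificates per RFC 5280 Section 3.2 and show what a
cross-certificate does and does not contain.  Added example; assumes the
pyca/cryptography library.  All CA names and keys below are constructed."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue_ca_cert(subject_name, subject_pub, issuer_name, issuer_priv):
    """Issue a CA certificate: the *subject's public key* goes into the
    certificate; the *issuer's private key* only produces the signature."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject_name)
        .issuer_name(issuer_name)
        .public_key(subject_pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(issuer_priv, hashes.SHA256())
    )


def classify(cert):
    """Return 'end-entity', 'cross-certificate', 'self-signed' or 'self-issued'
    using the RFC 5280 Section 3.2 definitions."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return "end-entity"
    if not bc.ca:
        return "end-entity"
    # Section 3.2: issuer and subject are different entities -> cross-certificate.
    # Nothing here depends on a certificate existing in the reverse direction.
    if cert.issuer != cert.subject:
        return "cross-certificate"
    # Same entity: self-signed if the embedded public key verifies the
    # signature, otherwise self-issued (e.g. a CA key rollover certificate).
    try:
        cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return "self-signed"
    except InvalidSignature:
        return "self-issued"


def _spki(pub):
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def demo():
    """Build the constructed PKI and return the checks as a dict."""
    a_priv = ec.generate_private_key(ec.SECP256R1())
    b_priv = ec.generate_private_key(ec.SECP256R1())
    a_new_priv = ec.generate_private_key(ec.SECP256R1())   # A's rollover key
    a_name, b_name = _name("Example CA A"), _name("Example CA B")

    root_a = issue_ca_cert(a_name, a_priv.public_key(), a_name, a_priv)
    root_b = issue_ca_cert(b_name, b_priv.public_key(), b_name, b_priv)
    # One-directional cross-certificate: A vouches for B's public key.
    a_to_b = issue_ca_cert(b_name, b_priv.public_key(), a_name, a_priv)
    # Self-issued: A certifies its own new key with its old key.
    a_rekey = issue_ca_cert(a_name, a_new_priv.public_key(), a_name, a_priv)

    # Does the cross-certificate verify under the issuer's public key?
    try:
        a_priv.public_key().verify(a_to_b.signature, a_to_b.tbs_certificate_bytes,
                                   ec.ECDSA(hashes.SHA256()))
        verifies_under_a = True
    except InvalidSignature:
        verifies_under_a = False

    # Does the DER encoding contain B's private scalar anywhere?  (It must not.)
    b_secret = b_priv.private_numbers().private_value.to_bytes(32, "big")
    der = a_to_b.public_bytes(serialization.Encoding.DER)

    return {
        "root_a": classify(root_a),
        "root_b": classify(root_b),
        "a_to_b": classify(a_to_b),
        "a_rekey": classify(a_rekey),
        "cross_embeds_b_public_key": _spki(a_to_b.public_key()) == _spki(b_priv.public_key()),
        "cross_verifies_under_a": verifies_under_a,
        "cross_contains_b_private_key": b_secret in der,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `a_to_b` is classified as a cross-certificate without any B-to-A certificate existing, matching the point that nothing in Section 3.2 requires issuance in both directions; a mutual cross-certification would simply be two such certificates, one per direction. The private-scalar check is the concrete form of the erratum's objection: the only key material inside the certificate is B's public key, and the key A used to sign it is never encoded.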