Re: [pkix] Managing Long-Lived CA certs
"Erik Andersen" <era@x500.eu> Tue, 18 July 2017 15:48 UTC
Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 957DD131B81 for <pkix@ietfa.amsl.com>; Tue, 18 Jul 2017 08:48:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9bKwus1SYke for <pkix@ietfa.amsl.com>; Tue, 18 Jul 2017 08:47:59 -0700 (PDT)
Received: from mail04.dandomain.dk (mail04.dandomain.dk [194.150.112.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC53A127077 for <pkix@ietf.org>; Tue, 18 Jul 2017 08:47:53 -0700 (PDT)
Received: from Morten ([62.44.134.67]) by mail04.dandomain.dk (DanDomain Mailserver) with ASMTP id 4201707181747482506 for <pkix@ietf.org>; Tue, 18 Jul 2017 17:47:48 +0200
From: Erik Andersen <era@x500.eu>
To: 'PKIX' <pkix@ietf.org>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz> <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov>
In-Reply-To: <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov>
Date: Tue, 18 Jul 2017 17:47:50 +0200
Message-ID: <003d01d2ffdd$35d67c70$a1837550$@x500.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_003E_01D2FFED.F961E480"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQDOcHAtNaigQtZhTsCOwy8a/DXXLwJG2NRHAgHCn8ECXth9BaQtmm9Q
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/rDqNOwmkp3BTVOWIYozwh6x0RxM>
Subject: Re: [pkix] Managing Long-Lived CA certs
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 15:48:02 -0000
Hi David, PKIX is not the whole world. The smart grid security work within IEC TC57 WG15 does not refer to RFC 5280, but only to X.509. X.509 provides functionality, like authorization and validation lists (AVLs) not part of any IETF specification. In the smart grid and IoT world, traditional PKI techniques fall short. I believe that is what Max is trying to tell. Erik Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af David A. Cooper Sendt: 18 July 2017 16:03 Til: Peter Gutmann <pgut001@cs.auckland.ac.nz> Cc: PKIX <pkix@ietf.org> Emne: Re: [pkix] Managing Long-Lived CA certs Can you provide a citation for your claim that "PKIX says you're not allowed to use it. No reason given, you just can't."? RFC 5280 says: This specification obsoletes [RFC3280]. Differences from RFC 3280 are summarized below: * Section 4.2.1.4 in RFC 3280, which specified the privateKeyUsagePeriod certificate extension but deprecated its use, was removed. Use of this ISO standard extension is neither deprecated nor recommended for use in the Internet PKI. "Use of this ISO standard extension is neither deprecated nor recommended" doesn't sound like "you just can't" to me. On 07/17/2017 11:31 PM, Peter Gutmann wrote: Erik Andersen <mailto:era@x500.eu> <era@x500.eu> writes: What about the private key usage period extension That would be the obvious choice, but PKIX says you're not allowed to use it. No reason given, you just can't. This would imply that support for it in implementations is going to be hard to find... Peter.
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Rob Stradling
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs Carl Wallace
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Santosh Chokhani
- Re: [pkix] Managing Long-Lived CA certs Carl Wallace
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Peter Gutmann
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs David A. Cooper
- Re: [pkix] Managing Long-Lived CA certs Peter Gutmann
- Re: [pkix] Managing Long-Lived CA certs David A. Cooper
- Re: [pkix] Managing Long-Lived CA certs Peter Gutmann
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs swilson
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Anders Rundgren
- Re: [pkix] Managing Long-Lived CA certs Denis
- Re: [pkix] Managing Long-Lived CA certs Carl Wallace
- Re: [pkix] Managing Long-Lived CA certs EG Giessmann
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- [pkix] Upgradable/Replaceable IoT systems. Re: Ma… Anders Rundgren
- [pkix] Connected Cars. Upgradable/Replaceable IoT… Anders Rundgren
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Robert Moskowitz
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Peter Gutmann
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Robert Moskowitz
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Erwann Abalea