Re: [pkix] [Technical Errata Reported] RFC5280 (7164)

Stefan Santesson <stefan@aaa-sec.com> Fri, 14 October 2022 22:06 UTC

From: Stefan Santesson <stefan@aaa-sec.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 15 Oct 2022 00:06:48 +0200
Message-Id: <4AA0F386-EE50-4214-8690-4C947C482D78@aaa-sec.com>
References: <9169B4F8-2A03-4FEE-9D8A-32E8075999E0@vigilsec.com>
Cc: aaron@letsencrypt.org, David Cooper <david.cooper@nist.gov>, Stefan Santesson <sts@aaa-sec.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Tim Polk <wpolk@nist.gov>, "Roman D. Danyliw" <rdd@cert.org>, Paul Wouters <paul.wouters@aiven.io>, IETF PKIX <pkix@ietf.org>
In-Reply-To: <9169B4F8-2A03-4FEE-9D8A-32E8075999E0@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/tUftWMCloy0rOWmUHXpaoAZq9EE>
Subject: Re: [pkix] [Technical Errata Reported] RFC5280 (7164)

I agree.

Sent from my iPhone

> On 14 Oct 2022, at 22:03, Russ Housley <housley@vigilsec.com> wrote:
> 
> I see your point, but I think we should keep "if any"
> 
> Russ
> 
> 
>> On Oct 14, 2022, at 3:39 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>> The following errata report has been submitted for RFC5280,
>> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7164
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Aaron Gable <aaron@letsencrypt.org>
>> 
>> Section: 5.2.5
>> 
>> Original Text
>> -------------
>>  If the distributionPoint field is absent, the CRL MUST contain
>>  entries for all revoked unexpired certificates issued by the CRL
>>  issuer, if any, within the scope of the CRL.
>> 
>> Corrected Text
>> --------------
>>  If the distributionPoint field is absent, the CRL MUST contain
>>  entries for all revoked unexpired certificates issued by the CRL
>>  issuer.
>> 
>> Notes
>> -----
>> The removed phrase does not appear in the original text that this requirement is derived from, ITU-T Rec. X.509 (08/2005) Section 8.6.2.2: "If the issuing distribution point field, the AA issuing distribution point field, and the CRL scope field are all absent, the CRL shall contain entries for all revoked unexpired public-key certificates issued by the CRL issuer."
>> 
>> The removed phrase does not serve to create a stricter requirement; rather it creates a looser requirement which allows a CRL which does contain entries for all revoked unexpired certificates *within its scope* to not include the distributionPoint field. Given that the distributionPoint field serves an important security purpose in preventing substitution attacks, it is unlikely that this loosening was the intent of the original authors.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>> 
>> --------------------------------------
>> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
>> --------------------------------------
>> Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
>> Publication Date    : May 2008
>> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
>> Category            : PROPOSED STANDARD
>> Source              : Public-Key Infrastructure (X.509)
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>
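The relying-party side of the requirement the erratum discusses, written as an added example that is not part of this message, the errata report or RFC 5280 itself: a Python model of the CRL scope check in RFC 5280 section 6.3.3 step (b)(2). The data classes, URIs and serial numbers are constructed stand-ins for the decoded CRLDistributionPoints and issuingDistributionPoint extensions; no ASN.1 decoding or signature verification is included. It shows why the distributionPoint field in the IDP matters: a partitioned CRL that omits it passes the scope check as though it were complete for the issuer, which is exactly what the section 5.2.5 MUST is meant to forbid.

```python
# Added example: a model of the relying-party CRL scope check from RFC 5280
# section 6.3.3 step (b)(2). The data classes are hypothetical stand-ins for
# the decoded CRLDistributionPoints and issuingDistributionPoint extensions;
# no ASN.1 parsing or signature verification is done here.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class DistributionPoint:
    """One CRLDistributionPoints entry from the certificate (RFC 5280 4.2.1.13)."""
    names: FrozenSet[str] = frozenset()       # distributionPoint fullName entries
    crl_issuer: FrozenSet[str] = frozenset()  # cRLIssuer names (indirect CRL)


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """The issuingDistributionPoint CRL extension (RFC 5280 5.2.5)."""
    names: FrozenSet[str] = frozenset()  # distributionPoint; empty == field absent
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_contains_attribute_certs: bool = False


@dataclass(frozen=True)
class Certificate:
    serial: int
    is_ca: bool
    dps: Tuple[DistributionPoint, ...]


@dataclass(frozen=True)
class CRL:
    idp: Optional[IssuingDistributionPoint]  # None == extension absent (complete CRL)
    revoked_serials: FrozenSet[int]


def crl_covers(dp: DistributionPoint, cert: Certificate, crl: CRL) -> bool:
    """RFC 5280 6.3.3 (b)(2): may this CRL answer for `cert` via `dp`?"""
    idp = crl.idp
    if idp is None:
        return True  # no IDP extension: the CRL is complete for the issuer
    if idp.names:
        # (i) The IDP names a distribution point: it must match one of the DP's
        # distributionPoint names, or the DP's cRLIssuer names when the DP
        # omits distributionPoint.
        target = dp.names if dp.names else dp.crl_issuer
        if not (idp.names & target):
            return False
    # An IDP without distributionPoint asserts completeness for the issuer (the
    # section 5.2.5 sentence the erratum is about), so there is no name to match.
    if idp.only_contains_user_certs and cert.is_ca:
        return False  # (iii)
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False  # (iv)
    if idp.only_contains_attribute_certs:
        return False  # (v)
    return True


def revocation_status(cert: Certificate, crl: CRL) -> str:
    """'revoked', 'unrevoked', or 'undetermined' when the CRL is out of scope."""
    if not any(crl_covers(dp, cert, crl) for dp in cert.dps):
        return "undetermined"
    return "revoked" if cert.serial in crl.revoked_serials else "unrevoked"


# Constructed sample data (hypothetical URIs and serials): one issuer publishes
# a full CRL and partitioned CRLs; certificate 42 points at partition 2.
SHARD1 = "http://crl.example.test/shard-1.crl"
SHARD2 = "http://crl.example.test/shard-2.crl"
CERT_42 = Certificate(serial=42, is_ca=False,
                      dps=(DistributionPoint(names=frozenset({SHARD2})),))

FULL_CRL = CRL(idp=None, revoked_serials=frozenset({42}))
# Partition 1 correctly labelled: its IDP carries distributionPoint = SHARD1.
LABELLED_SHARD1 = CRL(idp=IssuingDistributionPoint(names=frozenset({SHARD1})),
                      revoked_serials=frozenset({7}))
# The same partition with distributionPoint omitted: it lists only partition 1's
# revocations but is indistinguishable from a CRL complete for the issuer.
UNLABELLED_SHARD1 = CRL(idp=IssuingDistributionPoint(),
                        revoked_serials=frozenset({7}))


def demo() -> dict:
    """Status of certificate 42 against each of the three CRLs."""
    return {
        "full": revocation_status(CERT_42, FULL_CRL),
        "labelled_shard1": revocation_status(CERT_42, LABELLED_SHARD1),
        "unlabelled_shard1": revocation_status(CERT_42, UNLABELLED_SHARD1),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18s} -> {status}")
```

The labelled partition is rejected as out of scope and the relying party falls back to another source, whereas the unlabelled partition is accepted and reports the revoked certificate as unrevoked. The relying party has no way to tell the two CRLs apart other than the issuer's promise in section 5.2.5 that a CRL without distributionPoint is complete, which is why the erratum treats the "if any, within the scope of the CRL" qualifier as weakening a security-relevant requirement.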