[pkix] Re: [Technical Errata Reported] RFC5280 (8789)
Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 03 March 2026 19:33 UTC
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Michael StJohns <msj@nthpermutation.com>, "pkix@ietf.org" <pkix@ietf.org>
Date: Tue, 03 Mar 2026 19:32:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/up-19yomhxMmNbfzr-hkbkKElpY>
I think it should be rejected as well. I actually have lots of strong feelings on this issue, but the original text is not wrong.

-Tim

________________________________
From: Michael StJohns <msj@nthpermutation.com>
Sent: Tuesday, March 3, 2026 12:29 PM
To: pkix@ietf.org <pkix@ietf.org>
Subject: [pkix] Re: [Technical Errata Reported] RFC5280 (8789)

What Sean said. I'd actually be inclined to reject the errata as a) it is in a comment, and b) the fact that people are using this for non-WWW stuff does not change the behavior for WWW stuff.

Mike

On 3/3/2026 11:47, Sean Turner wrote:
> If we want to remove the “WWW” from the comment sure, but please mark this as “Editorial” as the suggested changes are in an ASN.1 comment ;)
>
> spt
>
>> On Feb 27, 2026, at 21:23, Paul Hoffman <phoffman@proper.com> wrote:
>>
>> This errata report is correct and should be marked as "hold for document update".
>>
>> --Paul Hoffman
>>
>> On 27 Feb 2026, at 17:28, RFC Errata System wrote:
>>
>>> The following errata report has been submitted for RFC5280,
>>> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid8789
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com>
>>>
>>> Section: GLOBAL
>>>
>>> Original Text
>>> -------------
>>> Section 4.2.1.12 says:
>>>
>>> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
>>> -- TLS WWW server authentication
>>> -- Key usage bits that may be consistent: digitalSignature,
>>> -- keyEncipherment or keyAgreement
>>>
>>> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
>>> -- TLS WWW client authentication
>>> -- Key usage bits that may be consistent: digitalSignature
>>> -- and/or keyAgreement
>>>
>>> It should say:
>>>
>>> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
>>> -- TLS server authentication
>>> -- Key usage bits that may be consistent: digitalSignature,
>>> -- keyEncipherment or keyAgreement
>>>
>>> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
>>> -- TLS client authentication
>>> -- Key usage bits that may be consistent: digitalSignature
>>> -- and/or keyAgreement
>>>
>>> Notes:
>>>
>>> The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular:
>>> - openssl verification considers them unconditionally even if the server is not a web server or the client a web client
>>> - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW
>>> - Standards like common criteria assume that these object identifiers are for generic server and clients [0].
>>>
>>> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1
>>>
>>> Report New Errata
>>>
>>> Corrected Text
>>> --------------
>>> Section 4.2.1.12 says:
>>>
>>> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
>>> -- TLS WWW server authentication
>>> -- Key usage bits that may be consistent: digitalSignature,
>>> -- keyEncipherment or keyAgreement
>>>
>>> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
>>> -- TLS WWW client authentication
>>> -- Key usage bits that may be consistent: digitalSignature
>>> -- and/or keyAgreement
>>>
>>> It should say:
>>>
>>> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
>>> -- TLS server authentication
>>> -- Key usage bits that may be consistent: digitalSignature,
>>> -- keyEncipherment or keyAgreement
>>>
>>> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
>>> -- TLS client authentication
>>> -- Key usage bits that may be consistent: digitalSignature
>>> -- and/or keyAgreement
>>>
>>> Notes:
>>>
>>> The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular:
>>> - openssl verification considers them unconditionally even if the server is not a web server or the client a web client
>>> - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW
>>> - Standards like common criteria assume that these object identifiers are for generic server and clients [0].
>>>
>>> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1
>>>
>>> Report New Errata
>>>
>>> Notes
>>> -----
>>> Thank you very much
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". (If it is spam, it
>>> will be removed shortly by the RFC Production Center.) Please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> will log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
>>> --------------------------------------
>>> Title : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
>>> Publication Date : May 2008
>>> Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
>>> Category : PROPOSED STANDARD
>>> Source : Public-Key Infrastructure (X.509)
>>> Stream : IETF
>>> Verifying Party : IESG

_______________________________________________
pkix mailing list -- pkix@ietf.org
To unsubscribe send an email to pkix-leave@ietf.org
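The erratum quotes the id-kp-serverAuth and id-kp-clientAuth definitions together with the key usage bits each ASN.1 comment calls consistent. As an added example (not code from RFC 5280 or from anyone on this thread), the Python below decodes a constructed extKeyUsage DER value into those OIDs and applies the comments as a key-usage consistency check; the ID_KP arcs, the sample bytes and the rule that at least one listed bit must be present are assumptions of the example.

```python
# Added worked example for the id-kp purposes and key-usage comments quoted in the erratum; not RFC 5280 code.
# id-kp is 1.3.6.1.5.5.7.3 (RFC 5280 4.2.1.12); serverAuth = { id-kp 1 }, clientAuth = { id-kp 2 }
ID_KP = (1, 3, 6, 1, 5, 5, 7, 3)
ID_KP_SERVER_AUTH = ID_KP + (1,)
ID_KP_CLIENT_AUTH = ID_KP + (2,)

# Key usage bits the ASN.1 comments name as "may be consistent" with each purpose.
CONSISTENT_KEY_USAGE = {
    ID_KP_SERVER_AUTH: {"digitalSignature", "keyEncipherment", "keyAgreement"},
    ID_KP_CLIENT_AUTH: {"digitalSignature", "keyAgreement"},
}

# Constructed sample: DER of an extKeyUsage value listing serverAuth, then clientAuth.
SAMPLE_EKU_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")


def der_decode_oid_body(body):
    """OBJECT IDENTIFIER content octets -> arc tuple (first subidentifier packs 40*arc1 + arc2)."""
    subs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear: last octet of this subidentifier
            subs.append(cur)
            cur = 0
    if cur or not subs:
        raise ValueError("truncated OBJECT IDENTIFIER")
    lead = (2, subs[0] - 80) if subs[0] >= 80 else divmod(subs[0], 40)
    return lead + tuple(subs[1:])


def parse_ext_key_usage(der):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId; short-form lengths only."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("expected a short-form DER SEQUENCE")
    oids, i = [], 2
    while i < len(der):
        if i + 1 >= len(der) or der[i] != 0x06 or i + 2 + der[i + 1] > len(der):
            raise ValueError("KeyPurposeId must be a well-formed OBJECT IDENTIFIER")
        n = der[i + 1]
        oids.append(der_decode_oid_body(der[i + 2:i + 2 + n]))
        i += 2 + n
    if not oids:
        raise ValueError("ExtKeyUsageSyntax needs at least one purpose")
    return oids


def key_usage_consistent(eku_oids, key_usage_bits):
    """Apply the "may be consistent" comments as a check: with a keyUsage extension present,
    each server/client auth purpose needs at least one listed bit; None means no keyUsage."""
    if key_usage_bits is None:
        return True
    bits = set(key_usage_bits)
    return all(bits & CONSISTENT_KEY_USAGE[o] for o in eku_oids if o in CONSISTENT_KEY_USAGE)
```

Purposes outside id-kp 1 and 2 pass through the check untouched, so a cert carrying, say, an unrelated private EKU is judged only on the server/client auth purposes it also asserts.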