Re: [pkix] Next edition of X.509

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 24 January 2016 00:51 UTC

To: Peter Bowen <pzbowen@gmail.com>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu> <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com> <56A3B913.3030506@comcast.net> <CAK6vND-Fs=SiFTUJmtXsKPNgenwBFCEb=4oVxQ8zxdG4kttOjA@mail.gmail.com> <052101d15636$aecdca40$0c695ec0$@gmail.com> <CAK6vND_Yr8+cVF-Y_L203XAAn0DeVn7ww18Np-K++4njqEeUTg@mail.gmail.com> <56A419A1.2040503@cs.tcd.ie> <CAK6vND9AKua0fG9nyUjF4NyDYqCgRCv+Gya1-z3L+eg4eN1gag@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Enigmail-Draft-Status: N1110
Message-ID: <56A42014.5060301@cs.tcd.ie>
Date: Sun, 24 Jan 2016 00:51:32 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAK6vND9AKua0fG9nyUjF4NyDYqCgRCv+Gya1-z3L+eg4eN1gag@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/vvTWwCJpDowU7tBdLaV9qp2Flv8>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Next edition of X.509

Hiya,

On 24/01/16 00:43, Peter Bowen wrote:
> On Sat, Jan 23, 2016 at 4:24 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>> On 23/01/16 23:58, Peter Bowen wrote:
>>> Until it is clear that using
>>> EKU in the way I described is covered by X.509, it is not possible to
>>> have a strict profile (e.g. PKIX) include it in the profile.
>>
>> I don't know what you mean by that, can you elaborate?
>>
>> My guess is that almost nobody does new implementations of X.509
>> code nowadays, and those that might would go to 5280 and not the
>> latest version of X.509, but I'd be very interested if either of
>> those assumptions is wrong.
>>
>> If I'm not wrong, then updates to the base X.509 spec are no
>> longer really important, other than for the sake of tidiness.
>> Another corollary would be that the opinions of people who
>> have no influence over running code but who think one document
>> or the other is more important, can safely be ignored. Again,
>> good to know if that's incorrect.
> 
> 5280 clearly states that "This memo profiles the X.509 v3 certificate
> and X.509 v2 certificate revocation list (CRL) for use in the
> Internet."  

Right, the history though is that PKIX and CCITT (now ITU-T)
collaborated very well twenty years ago on that and it was
then a good idea to ensure a lack of divergence. I think the
world has changed sufficiently since then, but again that's
back to the assumptions from my previous posting.

Keep in mind that RFC2459 begat RFC3280 which begat RFC5280
so there's a good bit of history, and we mostly wanted to
minimise the code/text changes throughout that evolution.

> I'm assuming (possibly incorrectly) that a profile is a
> subset.  It adds restrictions but anything that is compliant to the
> profile is also compliant to the more general spec.
> 
> During discussions about PKI interoperability (especially getting
> existing PKIs cross-signed by other PKIs or added to trust anchor
> lists) it has come up repeatedly that some PKI implementers see the
> use of EKU in CA certificates as a constraint as not allowed under
> X.509 and therefore not allowed in RFC 5280.
> 
> If I have this wrong, and you think that it is a viable path to define
> the use of EKU in CA certificates as a constraint in the PKIX profile
> with no changes to X.509, I would be very happy.

There are many cases where things initially proposed in an I-D
ended up being back-ported to the ITU-T X.509 document. If you
have a thing you think needs doing and find that publishing an
I-D seems like a reasonable approach, then I'd say just go for
it and we'll see if it gets support from implementers. If OTOH
you care more about whether text gets into an ITU-T spec, then
that might not be the route for you.

Cheers,
S.

> 
> Thanks,
> Peter
>
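The point Peter raises about "EKU as a constraint in CA certificates" is easier to see in code than in prose. The following is an added illustration written for this archive page; it is not code from RFC 5280, X.509, PKIX or any participant in the thread. It models two readings of an Extended Key Usage extension found in a CA certificate: the lenient reading, where only the end-entity certificate's EKU matters, and the constraint reading some validators apply, where every CA on the path that carries EKU must also permit the purpose. The certificate names, the chain layout (end entity first, trust anchor last) and the treatment of anyExtendedKeyUsage as "unrestricted" are assumptions of the example, and the cross-signing scenario is constructed to show why the two readings diverge during interoperability work.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Extended Key Usage OIDs as assigned in RFC 5280, section 4.2.1.12.
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: only the fields this check needs.
    eku is None when the extension is absent (constructed model, not ASN.1)."""
    subject: str
    is_ca: bool
    eku: Optional[FrozenSet[str]] = None


def permits(cert: Cert, purpose: str) -> bool:
    """A certificate with no EKU extension is unrestricted; otherwise the
    purpose must be listed, or anyExtendedKeyUsage must be present
    (treating anyEKU as unrestricted is an assumption of this example)."""
    if cert.eku is None:
        return True
    return purpose in cert.eku or ANY_EKU in cert.eku


def chain_permits(chain: List[Cert], purpose: str, constrain_cas: bool) -> bool:
    """chain is ordered end-entity first, trust anchor last.

    constrain_cas=False: only the end-entity certificate's EKU decides;
    EKU in a CA certificate has no effect on the path.
    constrain_cas=True: the 'EKU as a constraint' reading, where every CA
    certificate on the path that carries EKU must also permit the purpose.
    """
    leaf, issuers = chain[0], chain[1:]
    if not permits(leaf, purpose):
        return False
    if not constrain_cas:
        return True
    return all(permits(ca, purpose) for ca in issuers)


def effective_purposes(chain: List[Cert]) -> Optional[FrozenSet[str]]:
    """Under the constraint reading, the purposes the whole path allows:
    the intersection of every explicit EKU set on the path. Returns None
    when nothing on the path restricts purpose (no EKU, or anyEKU only)."""
    result: Optional[FrozenSet[str]] = None
    for cert in chain:
        if cert.eku is None or ANY_EKU in cert.eku:
            continue
        result = cert.eku if result is None else result & cert.eku
    return result


def demo() -> dict:
    """Constructed chains: the same TLS end-entity certificate validated via
    a subordinate CA restricted to serverAuth, and via a cross-certificate
    that another PKI issued with EKU restricted to codeSigning."""
    root = Cert("Root CA", True)  # no EKU extension at all
    tls_ica = Cert("TLS Issuing CA", True, frozenset({SERVER_AUTH}))
    cross = Cert("Cross-signed CA", True, frozenset({CODE_SIGNING}))
    leaf = Cert("www.example.test", False,
                frozenset({SERVER_AUTH, CLIENT_AUTH}))
    direct = [leaf, tls_ica, root]
    via_cross = [leaf, cross, root]
    return {
        "direct_server_strict": chain_permits(direct, SERVER_AUTH, True),
        "direct_client_strict": chain_permits(direct, CLIENT_AUTH, True),
        "direct_client_lenient": chain_permits(direct, CLIENT_AUTH, False),
        "cross_server_strict": chain_permits(via_cross, SERVER_AUTH, True),
        "cross_server_lenient": chain_permits(via_cross, SERVER_AUTH, False),
        "direct_effective": effective_purposes(direct),
        "cross_effective": effective_purposes(via_cross),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as-is, the two chains agree on the lenient reading and disagree on the strict one: through the cross-certificate the end-entity certificate is still a valid TLS server certificate if CA EKU is ignored, but is rejected for serverAuth if CA EKU is enforced as a constraint. That divergence is exactly the interoperability question in the thread, and which behaviour a relying party gets depends on the validator, not on the certificate.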