[pkix] Re: [Technical Errata Reported] RFC5280 (8789)
Sean Turner <sean@sn3rd.com> Tue, 03 March 2026 16:47 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: pkix@mail2.ietf.org
Delivered-To: pkix@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 24B60C38C6E7 for <pkix@mail2.ietf.org>; Tue, 3 Mar 2026 08:47:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVtHtyse3s-S for <pkix@mail2.ietf.org>; Tue, 3 Mar 2026 08:47:27 -0800 (PST)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 75273C38C6E2 for <pkix@ietf.org>; Tue, 3 Mar 2026 08:47:27 -0800 (PST)
Received: by mail-qk1-x732.google.com with SMTP id af79cd13be357-8cb40277a8bso613760785a.1 for <pkix@ietf.org>; Tue, 03 Mar 2026 08:47:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1772556447; x=1773161247; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=cGx491Idhed2VaDPaOJrKwGz/dbt2i7AQPHsLv7bKfc=; b=J4bkbIDy/jqbpDtxzR7fs2iYuQYPpXYH9Q0Pb8b6pVLuHXmstY8ETpnnYnxc6xVPGh AUV+EDLNzPLNV+TW60GLMjj8JA7+BfcDOnhmAhH5Uw76kZ4KC6QPrxHG2PBlNinKJb94 YzYaRB6gGvvbxHATzSFvgkbtpew2fWjPUAkVo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772556447; x=1773161247; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=cGx491Idhed2VaDPaOJrKwGz/dbt2i7AQPHsLv7bKfc=; b=s3/OkoEOcqdZ/A3VqQwkdEppC6CUidO8OCiZFRFZrdLLoJtpqzmqTLaIWOd7C20A7i aTffNlNu0S2fRysg3TqWBCh0+G+lA2HBiQoRFFqtf7Vm78IW/emzsbJTB4e3Adlvgeqe 4Ap3JsviwfDkET3OOCyvI9r/52zle02URJQ3fKabE1Ux0ITUkdAyTsAMsVHv+MzlTu0o fbgnj2fe/8C8Bb4efvH9g6LkpIVS8W1ZBo0EK7EHuXJ8oayvp1xwzGOlexgCwN2VTzJV 40GJe0/qRRW1CaWY7CSZ4TSmO4ozbgpcrg1nyj5G9DdQRyqNdqLcfg0T4aIzXNQQeQ+M U5kA==
X-Forwarded-Encrypted: i=1; AJvYcCX4QChgt0q47j+QFM4T3aDI9u8tweOII5RuR1wYffOFz8nHVrygWeznN9uKvlxFovpfqScV@ietf.org
X-Gm-Message-State: AOJu0YwMIbRuMb3xd0JAkvswNZHnqBGeUJI2Qxzj5bazxg4sDYG0m+fW a4wGUYwUGV+cohFnd7AWP70YM0ELm/jgkh1S/nazzr9cqXVyIvkQ98zfaINc+gAg/48=
X-Gm-Gg: ATEYQzwuqmuT8nOuuX8bu0Uzc/vLPowmQ0y7jnwCF40VM1nHk9UH1sX+OOt0cLYP8ah P168xQmejCfZVNwoyhnsKKbQhhV8mRLIiXvcTTbLVQKWPxE+V+aCs+5VzHdlkPh5LCILp3m7MUN KwwiJcUT0QTa2z9BfnzymoIFMYXCbQLLQAtpct495185N+tIhvwK+CWW+t5ANHCGw2eCKZA2Equ 3c3zcuVMv7YH1iq1B3CN/OmAyyOU6YIOTZwNcHNCV/HJGEHUCSkfwxbmgv9NJGUJgQBuMhDIXcF o+O9X3BcLvWNU3+XQDj4Rq+030Y8AXRy9EPDxtxUZ5Kt+MHiijgnKu6uL200lzkdkMuU1mZE0dg 4cym7aTiGav6Iswm4+6BJL37gH3bWng8/tW5FKGjuIVX8LCL8uRhD9MPeyAlVdTB8NX9oflwQBO 6J3ek5ixeKq/qtKbgP/A1ox7V2Nd6r1tQNbt82D32Z0B4=
X-Received: by 2002:a05:620a:44cf:b0:8c7:1b41:d94b with SMTP id af79cd13be357-8cbc8dc2723mr1866065685a.9.1772556446924; Tue, 03 Mar 2026 08:47:26 -0800 (PST)
Received: from smtpclient.apple ([2600:4040:253b:2200:68d8:77cd:78a7:8260]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8cbbf658f70sm1412337885a.7.2026.03.03.08.47.26 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Mar 2026 08:47:26 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <8946F689-00A0-4ED7-8570-E4A9A907B954@proper.com>
Date: Tue, 03 Mar 2026 11:47:05 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB8DC100-40AF-43BF-BC66-B3EBDD95C3E9@sn3rd.com>
References: <20260228012810.26368C000CC4@rfcpa.rfc-editor.org> <8946F689-00A0-4ED7-8570-E4A9A907B954@proper.com>
To: Paul Hoffman <phoffman@proper.com>
X-Mailer: Apple Mail (2.3826.700.81.1.4)
Message-ID-Hash: OIPZU6KYU7DBHEF464CGRDCY2RIDJVLQ
X-Message-ID-Hash: OIPZU6KYU7DBHEF464CGRDCY2RIDJVLQ
X-MailFrom: sean@sn3rd.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pkix.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: RFC Errata System <rfc-editor@rfc-editor.org>, Paul Wouters <paul.wouters@aiven.io>, Stefan Santesson <stefan@aaa-sec.com>, elizabethpslator@gmail.com, pkix@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [pkix] Re: [Technical Errata Reported] RFC5280 (8789)
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/xlSgEpC3xnclELYAUt0kwoATs6w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Owner: <mailto:pkix-owner@ietf.org>
List-Post: <mailto:pkix@ietf.org>
List-Subscribe: <mailto:pkix-join@ietf.org>
List-Unsubscribe: <mailto:pkix-leave@ietf.org>
If we want to remove the “WWW” from the comment sure, but please mark this as “Editorial" as the suggested changes are in an ASN.1 comment ;) spt > On Feb 27, 2026, at 21:23, Paul Hoffman <phoffman@proper.com> wrote: > > This errata report is correct and should be marked as "hold for document update". > > --Paul Hoffman > > On 27 Feb 2026, at 17:28, RFC Errata System wrote: > >> The following errata report has been submitted for RFC5280, >> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". >> >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid8789 >> >> -------------------------------------- >> Type: Technical >> Reported by: Elizabeth Peraza Slator <elizabethpslator@gmail.com> >> >> Section: GLOBAL >> >> Original Text >> ------------- >> Section 4.2.1.12 says: >> >> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } >> -- TLS WWW server authentication >> -- Key usage bits that may be consistent: digitalSignature, >> -- keyEncipherment or keyAgreement >> >> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } >> -- TLS WWW client authentication >> -- Key usage bits that may be consistent: digitalSignature >> -- and/or keyAgreement >> It should say: >> >> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } >> -- TLS server authentication >> -- Key usage bits that may be consistent: digitalSignature, >> -- keyEncipherment or keyAgreement >> >> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } >> -- TLS client authentication >> -- Key usage bits that may be consistent: digitalSignature >> -- and/or keyAgreement >> Notes: >> >> The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular: >> - openssl verification considers them unconditionally even if the server is not a web server or the client a web client >> - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW >> - Standards like common criteria assume that these object identifiers are for generic server and clients [0]. >> >> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1 >> >> Report New Errata >> >> Corrected Text >> -------------- >> Section 4.2.1.12 says: >> >> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } >> -- TLS WWW server authentication >> -- Key usage bits that may be consistent: digitalSignature, >> -- keyEncipherment or keyAgreement >> >> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } >> -- TLS WWW client authentication >> -- Key usage bits that may be consistent: digitalSignature >> -- and/or keyAgreement >> It should say: >> >> id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } >> -- TLS server authentication >> -- Key usage bits that may be consistent: digitalSignature, >> -- keyEncipherment or keyAgreement >> >> id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } >> -- TLS client authentication >> -- Key usage bits that may be consistent: digitalSignature >> -- and/or keyAgreement >> Notes: >> >> The proposed change removes the WWW part of the description. In practice these object identifiers are used for server and client applications, but not necessarily web applications. In particular: >> - openssl verification considers them unconditionally even if the server is not a web server or the client a web client >> - There is no object identifier that can be used for protocols like SMTP, IMAP, POP3, LDAP, radius, ...; in practice all these protocols are deployed with the identifiers for WWW >> - Standards like common criteria assume that these object identifiers are for generic server and clients [0]. >> >> [0]. https://www.niap-ccevs.org/MMO/PP/-442-/#FCS_TLSC_EXT.1.1 >> >> Report New Errata >> >> Notes >> ----- >> Thank you very much >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". (If it is spam, it >> will be removed shortly by the RFC Production Center.) Please >> use "Reply All" to discuss whether it should be verified or >> rejected. When a decision is reached, the verifying party >> will log in to change the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC5280 (draft-ietf-pkix-rfc3280bis-11) >> -------------------------------------- >> Title : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile >> Publication Date : May 2008 >> Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk >> Category : PROPOSED STANDARD >> Source : Public-Key Infrastructure (X.509) >> Stream : IETF >> Verifying Party : IESG > > _______________________________________________ > pkix mailing list -- pkix@ietf.org > To unsubscribe send an email to pkix-leave@ietf.org
- [pkix] [Technical Errata Reported] RFC5280 (8789) RFC Errata System
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Paul Hoffman
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Sean Turner
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Michael StJohns
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Tim Hollebeek
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Paul Hoffman
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Tim Hollebeek
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Paul Hoffman
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Deb Cooley
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… StJohns, Michael
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Deb Cooley
- [pkix] Re: [Technical Errata Reported] RFC5280 (8… Paul Wouters