Re: [pkix] Next edition of X.509
"Erik Andersen" <era@x500.eu> Sun, 24 January 2016 09:53 UTC
Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F0AA1B2BCF for <pkix@ietfa.amsl.com>; Sun, 24 Jan 2016 01:53:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.591
X-Spam-Level:
X-Spam-Status: No, score=-1.591 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2DqmjXk5rO8 for <pkix@ietfa.amsl.com>; Sun, 24 Jan 2016 01:53:33 -0800 (PST)
Received: from mail04.dandomain.dk (mail04.dandomain.dk [194.150.112.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA3AB1B2BC9 for <pkix@ietf.org>; Sun, 24 Jan 2016 01:53:32 -0800 (PST)
Received: from Morten ([62.44.135.85]) by mail04.dandomain.dk (DanDomain Mailserver) with ASMTP id 4201601241053285110; Sun, 24 Jan 2016 10:53:28 +0100
From: Erik Andersen <era@x500.eu>
To: pkix@ietf.org, Directory list <x500standard@freelists.org>
References: <000001d130da$b05884d0$11098e70$@x500.eu> <5665633F.7070906@cs.tcd.ie> <000401d130e3$bdf08120$39d18360$@x500.eu> <CAK6vND_=4it-HdN=igWeSsb9Qx2LjastBaJCa-TpObaBuYjNXQ@mail.gmail.com> <000001d155c7$98b64530$ca22cf90$@x500.eu> <CAK6vND8AEeW0iF85guerFa-oj==MMMSLdU7fArBihQkGWmxhTw@mail.gmail.com> <56A3B913.3030506@comcast.net> <CAK6vND-Fs=SiFTUJmtXsKPNgenwBFCEb=4oVxQ8zxdG4kttOjA@mail.gmail.com> <052101d15636$aecdca40$0c695ec0$@gmail.com> <CAK6vND_Yr8+cVF-Y_L203XAAn0DeVn7ww18Np-K++4njqEeUTg@mail.gmail.com> <56A419A1.2040503@cs.tcd.ie> <CAK6vND9AKua0fG9nyUjF4NyDYqCgRCv+Gya1-z3L+eg4eN1gag@mail.gmail.com> <56A42014.5060301@cs.tcd.ie>
In-Reply-To: <56A42014.5060301@cs.tcd.ie>
Date: Sun, 24 Jan 2016 10:53:31 +0100
Message-ID: <000001d1568d$15684ef0$4038ecd0$@x500.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIVSzUXZpx0TCzS4mpo4m9SkbHUeQJEdeqNAqiykAAB5gd5AgKSQWGxAf+4FlUCfrtvPwFTuCGCAe/27fQBRpxP1AJo+GJCAfu63acBvR9xt5298ifA
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/y0vFnnbRoq41aG3Qfk2JuHQJ5Ew>
Subject: Re: [pkix] Next edition of X.509
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2016 09:53:35 -0000
OK - let me explain what the intention is for the current work on X.509. 1. X.509 has been developed over a long period. It has been edited, at times simultaneously, by different people. There has been a shift in terminology during that time (e.g. the term certificate using system has been used as a synonym for relying party). Streamlining terminology and style is a pure (major) editorial task not intended to change the technical content. 2. When attribute certificates were introduced, an attempt was made to generalize a lot of the text to cover both types of certificates. This was not done consistently and has made the text difficult to read. X.509 has a section 2 with the header "Public-key certificate framework", but it has a lot of stuff about attribute certificate before it has been introduced in Section 3. The goal has been to separate the discussion on PKI and PMI. This give a little redundancy, but not that much. People only interested in public-key certificates can read section 2 without being bothered with a lot on attribute certificate talk. Again, no technical change is intended. 3. The IT world is changing quite rapidly. I sometimes have the feeling that many PKI experts assumes that the work has more or less been done, except possibly for cryptographic algorithms. We have smart grid and IoT being developed quite rapidly. These are new environments with new challenges for PKI (and possibly for PMI). Revocation is this environment can be a major challenge. Resource constrained (battery driven) devices have to be supported, etc. All this requires X.509 adaptations. These adaptations has to made without affecting the current use of PKI. It is certainly not the intention to cause problems for running code. Personally, I am quite involved in smart grid security within IEC TC 57 WG15 on behalf of the Danish Energy Sector to progress that work and to understand the special requirements.. So the tasks are: 1) Streamline X.509; 2) adapt it to new environments. Collaboration with PKIX is very important, but we cannot let PKIX slow-down our effort to adapt to new environments. The task here is quite urgent. Major national infrastructure are at risk. Regards, Erik -----Oprindelig meddelelse----- Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Stephen Farrell Sendt: 24 January 2016 01:52 Til: Peter Bowen <pzbowen@gmail.com> Cc: <pkix@ietf.org> <pkix@ietf.org> Emne: Re: [pkix] Next edition of X.509 Hiya, On 24/01/16 00:43, Peter Bowen wrote: > On Sat, Jan 23, 2016 at 4:24 PM, Stephen Farrell > <stephen.farrell@cs.tcd.ie> wrote: >> On 23/01/16 23:58, Peter Bowen wrote: >>> Until it is clear that using >>> EKU in the way I described in covered by X.509, it is not possible >>> to have a strict profile (e.g. PKIX) include it in the profile. >> >> I don't know what you mean by that, can you elaborate? >> >> My guess is that almost nobody does new implementations of X.509 code >> nowadays, and those that might would go to 5280 and not the latest >> version of X.509, but I'd be very interested if either of those >> assumptions is wrong. >> >> If I'm not wrong, then updates to the base X.509 spec are no longer >> really important, other than for the sake of tidiness. >> Another corollary would be that the opinions of people who have no >> influence over running code but who think one document or the other >> is more important, can safely be ignored. Again, good to know it >> that's incorrect. > > 5280 clearly states that "This memo profiles the X.509 v3 certificate > and X.509 v2 certificate revocation list (CRL) for use in the > Internet." Right, the history though is that PKIX and CCITT (now ITU-T) collaborated very well twenty years ago on that and it was then a good idea to ensure a lack of divergence. I think the world has changed sufficiently since then, but again that's back to the assumptions from my previous posting. Keep in mind that RFC2459 begat RFC3280 which begat RFC5280 so there's a good bit of history, and we mostly wanted to minimise the code/text changes throughout that evolution. > I'm assuming (possibly incorrectly) that a profile is a subset. It > add restrictions but anything that is compliant to the profile is also > compliant to the more general spec. > > During discussions about PKI interoperability (especially getting > existing PKIs cross-signed by other PKIs or added to trust anchor > lists) it has come up repeatedly that some PKI implementers see the > use of EKU in a CA-certificates as a constraint as not allowed under > X.509 and therefore not allowed in RFC 5280. > > If I have this wrong, and you think that it is a viable path to define > the use of EKU in CA-certificates as a constraint in the PKIX profile > with no changes to X.509, I would be very happy. There are many cases where things initially proposed in an I-D ended up being back-ported to the ITU-T X.509 document. If you have a thing you think needs doing and find that publishing an I-D seems like a reasonable approach, then I'd say just go for it and we'll see if it gets support from implementers. If OTOH you care more about whether text gets into an ITU-T spec, then that might not be the route for you. Cheers, S. > > Thanks, > Peter > _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
- [pkix] Next edition of X.509 Erik Andersen
- Re: [pkix] Next edition of X.509 Stephen Farrell
- Re: [pkix] Next edition of X.509 Erik Andersen
- Re: [pkix] Next edition of X.509 Stephen Farrell
- Re: [pkix] Next edition of X.509 Peter Bowen
- Re: [pkix] Next edition of X.509 Erik Andersen
- Re: [pkix] Next edition of X.509 Peter Bowen
- Re: [pkix] Next edition of X.509 Michael StJohns
- Re: [pkix] Next edition of X.509 Peter Bowen
- Re: [pkix] Next edition of X.509 Santosh Chokhani
- Re: [pkix] Next edition of X.509 Erwann Abalea
- Re: [pkix] Next edition of X.509 Santosh Chokhani
- Re: [pkix] Next edition of X.509 Peter Bowen
- Re: [pkix] Next edition of X.509 Erwann Abalea
- Re: [pkix] Next edition of X.509 Stephen Farrell
- Re: [pkix] Next edition of X.509 Santosh Chokhani
- Re: [pkix] Next edition of X.509 Peter Bowen
- Re: [pkix] Next edition of X.509 Stephen Farrell
- Re: [pkix] Next edition of X.509 Erik Andersen
- Re: [pkix] Next edition of X.509 Erik Andersen
- Re: [pkix] Next edition of X.509 Peter Bowen
- Re: [pkix] Next edition of X.509 Martin Rex
- Re: [pkix] Next edition of X.509 Wei Chuang
- Re: [pkix] Next edition of X.509 Erik Andersen
- Re: [pkix] Next edition of X.509 Jeffrey Walton
- Re: [pkix] Next edition of X.509 Erwann Abalea