Re: [sidr] [Technical Errata Reported] RFC6487 (6854)

John Scudder <jgs@juniper.net> Mon, 09 May 2022 21:18 UTC

From: John Scudder <jgs@juniper.net>
To: Corey Bonnell <Corey.Bonnell@digicert.com>, "sidrops@ietf.org" <sidrops@ietf.org>
CC: Geoff Huston <gih@apnic.net>, George Michaelson <ggm@apnic.net>, "robertl@apnic.net" <robertl@apnic.net>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, "martin.vigoureux@nokia.com" <martin.vigoureux@nokia.com>, Chris Morrow <morrowc@ops-netman.net>, "sandy@tislabs.com" <sandy@tislabs.com>, "sidr@ietf.org" <sidr@ietf.org>
Date: Mon, 09 May 2022 21:18:13 +0000
Message-ID: <75B90D51-F1F3-41F2-8142-D14997F59526@juniper.net>
References: <20220216174658.65B404C1CE@rfc-editor.org> <E88BA6FA-9871-42FB-8B56-08ABBF375AA0@apnic.net> <DM6PR14MB218608968CAE1AF1311895F192359@DM6PR14MB2186.namprd14.prod.outlook.com>
In-Reply-To: <DM6PR14MB218608968CAE1AF1311895F192359@DM6PR14MB2186.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/4PvbPbVRf2KwFvHPNeIImSJQdSs>
Subject: Re: [sidr] [Technical Errata Reported] RFC6487 (6854)
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>

+sidrops
-rfc-editor

Taking on faith that Corey’s description here is right, it does sound as though there’s an error in RFC 6487. I also don’t understand Geoff’s earlier comment that the erratum is implicitly adding “And that’s the range of choices available to you”. Assuming Corey is right, it would be appropriate to verify the erratum.

However before taking action I’d appreciate it if someone else with expertise in PKIX (i.e., not me) were to confirm. Don’t all speak up at once. ;-)

Thanks,

—John

> On Feb 16, 2022, at 5:41 PM, Corey Bonnell <Corey.Bonnell@digicert.com> wrote:
> 
> Geoff,
> If the Basic Constraints extension is omitted then it is not possible to set the "cA" field to any value, as it is a field within the Basic Constraints extension.
> 
> The original language says, "The issuer determines whether the "cA" boolean is set." We know from the current text that the Basic Constraints extension is prohibited in end-entity certificates. Therefore, the "cA" field does not exist in an end-entity certificate. As a result, the only possible value for "cA" in all cases where the field is present is "true", as that field may only exist in CA certificates. It is an RFC 5280 profile violation if a CA certificate contains a Basic Constraints extension with a "cA" field value of false.
> 
> Thanks,
> Corey
> 
> -----Original Message-----
> From: Geoff Huston <gih@apnic.net> 
> Sent: Wednesday, February 16, 2022 5:23 PM
> To: RFC Errata System <rfc-editor@rfc-editor.org>
> Cc: George Michaelson <ggm@apnic.net>; robertl@apnic.net; aretana.ietf@gmail.com; jgs@juniper.net; martin.vigoureux@nokia.com; Chris Morrow <morrowc@ops-netman.net>; sandy@tislabs.com; Corey Bonnell <Corey.Bonnell@digicert.com>; sidr@ietf.org
> Subject: Re: [Technical Errata Reported] RFC6487 (6854)
> 
> Frankly I am having some trouble in understanding what is going on here. 
> 
> The original says “You can issue anything you want. If you want to issue a CA cert then you MUST use Basic Constraints and set the CA bit. If you want to issue an EE cert then you MUST omit Basic Constraints.”
> 
> What the document does not say is “And that’s the range of choices available to you.” Implicitly that’s what this report is trying to add, and I’m not sure that the original RFC went that far to limit the issuer’s options in this manner.
> 
> I would argue that this is not an error in the original RFC. The reporter is trying to add to the original RFC, but doing so via an errata report seems to me to be inappropriate.
> 
> Therefore I tend toward rejecting this on the basis that the report is not a report of an error in the RFC.
> 
> Geoff
> 
> 
> 
> 
>> On 17 Feb 2022, at 4:46 am, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>> The following errata report has been submitted for RFC6487, "A Profile for X.509 PKIX Resource Certificates".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6854
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Corey Bonnell <corey.bonnell@digicert.com>
>> 
>> Section: 4.8.1
>> 
>> Original Text
>> -------------
>>  The Basic Constraints extension field is a critical extension in the
>>  resource certificate profile, and MUST be present when the subject is
>>  a CA, and MUST NOT be present otherwise.
>> 
>>  The issuer determines whether the "cA" boolean is set.
>> 
>> Corrected Text
>> --------------
>>  The Basic Constraints extension field is a critical extension in the
>>  resource certificate profile, and MUST be present when the subject is
>>  a CA, and MUST NOT be present otherwise.
>> 
>>  If this extension is present, then the "cA" field MUST be true.
>> 
>> Notes
>> -----
>> The original text is contradictory. If the basicConstraints extension is prohibited in end-entity certificates, then it follows that whenever the extension is present in a certificate, that certificate is a CA certificate. If the certificate is a CA certificate, then the "cA" boolean MUST be true in all cases. It is nonsensical to allow a "cA" field value of false.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please 
>> use "Reply All" to discuss whether it should be verified or rejected. 
>> When a decision is reached, the verifying party can log in to change 
>> the status and edit the report, if necessary.
>> 
>> --------------------------------------
>> RFC6487 (draft-ietf-sidr-res-certs-22)
>> --------------------------------------
>> Title               : A Profile for X.509 PKIX Resource Certificates
>> Publication Date    : February 2012
>> Author(s)           : G. Huston, G. Michaelson, R. Loomans
>> Category            : PROPOSED STANDARD
>> Source              : Secure Inter-Domain Routing
>> Area                : Routing
>> Stream              : IETF
>> Verifying Party     : IESG
>
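The rule the erratum restates (Basic Constraints present and critical in a CA certificate, absent from an EE certificate, and "cA" TRUE whenever the extension is present) is small enough to check directly. What follows is an added example, not code from RFC 6487, from the thread, or from any RPKI validator: a stand-alone Python checker that takes the relying party's expectation (CA or EE subject), the extension's critical flag and the DER-encoded extension value, and returns the profile violations it finds. It does not parse a whole certificate; the extension is assumed to have been extracted already, and the sample DER values at the bottom are constructed for the example. One caveat the thread does not spell out: "cA" is declared BOOLEAN DEFAULT FALSE, and X.690 (clause 11.5) requires a component equal to its default to be omitted in DER, so a Basic Constraints value that literally encodes cA FALSE (30 03 01 01 00) is malformed DER before the profile rule is even reached. The decoder below rejects it on those grounds, while the correctly encoded empty SEQUENCE (30 00, meaning cA false) is what the erratum's rule then catches.

```python
"""Check RFC 6487 section 4.8.1 Basic Constraints as restated by erratum 6854.
Added example, not RFC 6487 or RPKI validator code; takes the extracted
extension, not a whole certificate. Sample DER below is constructed."""

TAG_BOOLEAN, TAG_INTEGER, TAG_SEQUENCE = 0x01, 0x02, 0x30


def _read_tlv(buf, pos):
    """Decode one definite-length DER TLV at buf[pos]: (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length is not DER")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:end], end


def decode_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL } -> (ca, path_len).
    X.690 11.5: a component equal to its DEFAULT is omitted in DER, so
    cA=false is encoded as 30 00; 30 03 01 01 00 is rejected as non-DER."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("BasicConstraints is not a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one octet")
        if val[0] == 0x00:
            raise ValueError("cA FALSE must be omitted in DER (DEFAULT FALSE)")
        if val[0] != 0xFF:
            raise ValueError("DER BOOLEAN TRUE must be 0xFF")
        ca = True
    if pos < len(body) and body[pos] == TAG_INTEGER:
        _, val, pos = _read_tlv(body, pos)
        if not val or (len(val) > 1 and val[0] == 0 and val[1] < 0x80):
            raise ValueError("non-minimal INTEGER")
        if val[0] & 0x80:
            raise ValueError("pathLenConstraint must be non-negative")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len


def check_rfc6487_basic_constraints(subject_is_ca, extension):
    """Return profile violations (empty list = compliant). subject_is_ca is
    what the relying party expects (CA cert from a manifest, EE cert from a
    ROA); extension is None if absent, else (critical, der_extn_value)."""
    problems = []
    if extension is None:
        if subject_is_ca:
            problems.append("CA certificate lacks Basic Constraints")
        return problems
    critical, der = extension
    if not subject_is_ca:
        problems.append("EE certificate MUST NOT carry Basic Constraints")
    if not critical:
        problems.append("Basic Constraints MUST be critical")
    try:
        ca, _ = decode_basic_constraints(der)
    except ValueError as exc:
        problems.append(f"malformed Basic Constraints: {exc}")
        return problems
    if not ca:
        problems.append('Basic Constraints present but "cA" is not TRUE')
    return problems


# Constructed sample extnValue encodings.
CA_TRUE = bytes.fromhex("30030101ff")                 # SEQUENCE { cA TRUE }
CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")  # cA TRUE, pathLen 0
CA_FALSE_OMITTED = bytes.fromhex("3000")              # SEQUENCE { }: cA FALSE
CA_FALSE_EXPLICIT = bytes.fromhex("3003010100")       # not DER: DEFAULT encoded
if __name__ == "__main__":
    for name, is_ca, ext in [
        ("CA, cA TRUE", True, (True, CA_TRUE)),
        ("CA, cA omitted (FALSE)", True, (True, CA_FALSE_OMITTED)),
        ("CA, cA FALSE explicit", True, (True, CA_FALSE_EXPLICIT)),
        ("CA, non-critical", True, (False, CA_TRUE)),
        ("EE, no extension", False, None),
        ("EE, extension present", False, (True, CA_TRUE)),
    ]:
        print(f"{name}: {check_rfc6487_basic_constraints(is_ca, ext) or 'OK'}")
```

The checker deliberately reports every violation it sees rather than stopping at the first, so an EE certificate carrying a non-critical Basic Constraints extension is flagged twice; a validator that treats any violation as fatal can simply test for a non-empty list. The "CA versus EE" expectation comes from context (where the object was found), which is exactly why the profile can forbid the extension in EE certificates instead of relying on cA FALSE.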