Re: [sidr] [Technical Errata Reported] RFC6487 (6854)

Geoff Huston <gih@apnic.net> Wed, 16 February 2022 22:23 UTC

From: Geoff Huston <gih@apnic.net>
To: RFC Errata System <rfc-editor@rfc-editor.org>
CC: George Michaelson <ggm@apnic.net>, "robertl@apnic.net" <robertl@apnic.net>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, "jgs@juniper.net" <jgs@juniper.net>, "martin.vigoureux@nokia.com" <martin.vigoureux@nokia.com>, Chris Morrow <morrowc@ops-netman.net>, "sandy@tislabs.com" <sandy@tislabs.com>, "corey.bonnell@digicert.com" <corey.bonnell@digicert.com>, "sidr@ietf.org" <sidr@ietf.org>
Date: Wed, 16 Feb 2022 22:22:47 +0000
Message-ID: <E88BA6FA-9871-42FB-8B56-08ABBF375AA0@apnic.net>
References: <20220216174658.65B404C1CE@rfc-editor.org>
In-Reply-To: <20220216174658.65B404C1CE@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/yHfBgU_TfjniH1NIAX6aU7VsmYM>
Subject: Re: [sidr] [Technical Errata Reported] RFC6487 (6854)
List-Id: Secure Interdomain Routing <sidr.ietf.org>

Frankly I am having some trouble in understanding what is going on here. 

The original says “You can issue anything you want. IF you want to issue a CA cert then you MUST use Basic Constraints and set the CA bit. If you want to issue an EE cert then you MUST omit Basic Constraints.”

What the document does not say is “And that's the range of choices available to you.” Implicitly that's what this report is trying to add, and I’m not sure that the original RFC went that far to limit the issuer’s options in this manner.

I would argue that this is not an error in the original RFC. The reporter is trying to add to the original RFC, but doing so via an errata report seems to me to be inappropriate.

Therefore I tend toward rejecting this on the basis that the report is not a report of an error in the RFC.

Geoff

> On 17 Feb 2022, at 4:46 am, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC6487,
> "A Profile for X.509 PKIX Resource Certificates".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6854
> 
> --------------------------------------
> Type: Technical
> Reported by: Corey Bonnell <corey.bonnell@digicert.com>
> 
> Section: 4.8.1
> 
> Original Text
> -------------
>   The Basic Constraints extension field is a critical extension in the
>   resource certificate profile, and MUST be present when the subject is
>   a CA, and MUST NOT be present otherwise.
> 
>   The issuer determines whether the "cA" boolean is set.
> 
> Corrected Text
> --------------
>   The Basic Constraints extension field is a critical extension in the
>   resource certificate profile, and MUST be present when the subject is
>   a CA, and MUST NOT be present otherwise.
> 
>   If this extension is present, then the "cA" field MUST be true.
> 
> Notes
> -----
> The original text is contradictory. If the basicConstraints extension is prohibited in end-entity certificates, then it follows that whenever the extension is present in a certificate, that certificate is a CA certificate. If the certificate is a CA certificate, then the "cA" boolean MUST be true in all cases. It is nonsensical to allow a "cA" field value of false.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC6487 (draft-ietf-sidr-res-certs-22)
> --------------------------------------
> Title               : A Profile for X.509 PKIX Resource Certificates
> Publication Date    : February 2012
> Author(s)           : G. Huston, G. Michaelson, R. Loomans
> Category            : PROPOSED STANDARD
> Source              : Secure Inter-Domain Routing
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG
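Added worked example, not part of this thread and not code from RFC 6487 or the RPKI validators it profiles: a small Python checker that encodes the section 4.8.1 rule as quoted in the report (present and critical for a CA subject, absent for an EE) and carries the tightening proposed in errata 6854 (cA MUST be TRUE whenever the extension is present) as a switchable check, so the original reading and the proposed one can be compared on the same inputs. It also decodes the BasicConstraints value itself, because the DEFAULT FALSE on cA means a DER encoder expresses "cA is false" by omitting the boolean entirely; an explicitly encoded FALSE is a DER encoding error independent of the profile question. The `Extension` dataclass, the function names and the sample byte strings are my own constructions; the pathLenConstraint check reflects a sentence of RFC 6487 section 4.8.1 that the report does not quote.

```python
"""Check the Basic Constraints extension of an RPKI resource certificate
against RFC 6487 section 4.8.1 and, optionally, errata 6854.
Added example; Extension, the helper names and all sample bytes are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

BASIC_CONSTRAINTS_OID = "2.5.29.19"  # id-ce-basicConstraints


@dataclass
class Extension:
    """One X.509 extension, with extnValue already unwrapped from its OCTET STRING."""
    oid: str
    critical: bool
    value: bytes


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, contents, next_pos).
    Short-form lengths only, which is all a BasicConstraints value ever needs."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in BasicConstraints")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[start:end], end


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int], List[str]]:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }. Returns (ca, path_len, encoding_findings).
    DER requires a DEFAULT value to be omitted, so cA=FALSE is encoded as an empty
    SEQUENCE (30 00); an explicit FALSE boolean is reported as an encoding error."""
    findings: List[str] = []
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if val == b"\xff":
            ca = True
        elif val == b"\x00":
            findings.append("cA=FALSE encoded explicitly; DER requires DEFAULT values to be omitted")
        else:
            # BER treats any non-zero octet as TRUE; DER allows only 0xFF.
            findings.append("BOOLEAN contents must be 0x00 or 0xFF in DER")
            ca = True
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        findings.append("trailing bytes inside BasicConstraints SEQUENCE")
    return ca, path_len, findings


def check_basic_constraints(subject_is_ca: bool, ext: Optional[Extension],
                            apply_errata_6854: bool = True) -> List[str]:
    """Return profile violations for one certificate's Basic Constraints extension.
    subject_is_ca: whether the issuer intends this certificate as a CA certificate.
    apply_errata_6854: additionally require cA=TRUE whenever the extension is present;
    with it off, the function implements only the text as published."""
    findings: List[str] = []
    if ext is None:
        if subject_is_ca:
            findings.append("RFC 6487 4.8.1: Basic Constraints MUST be present when the subject is a CA")
        return findings
    if not subject_is_ca:
        findings.append("RFC 6487 4.8.1: Basic Constraints MUST NOT be present in an EE certificate")
    if not ext.critical:
        findings.append("RFC 6487 4.8.1: Basic Constraints is a critical extension")
    try:
        ca, path_len, encoding = parse_basic_constraints(ext.value)
    except ValueError as exc:
        return findings + [f"malformed BasicConstraints: {exc}"]
    findings.extend(encoding)
    if path_len is not None:
        # RFC 6487 4.8.1 (sentence not quoted in the report): pathLenConstraint MUST NOT be present.
        findings.append("RFC 6487 4.8.1: pathLenConstraint MUST NOT be present")
    if not ca and apply_errata_6854:
        findings.append("Errata 6854: cA MUST be TRUE whenever the extension is present")
    return findings


# Constructed sample extnValue encodings (not taken from any real certificate).
CA_TRUE = b"\x30\x03\x01\x01\xff"                  # SEQUENCE { cA TRUE }
CA_FALSE_DER = b"\x30\x00"                         # SEQUENCE { } : cA defaults to FALSE
CA_FALSE_EXPLICIT = b"\x30\x03\x01\x01\x00"        # explicit FALSE: valid BER, invalid DER
CA_TRUE_PATHLEN0 = b"\x30\x06\x01\x01\xff\x02\x01\x00"  # cA TRUE, pathLenConstraint 0


def ext(value: bytes, critical: bool = True) -> Extension:
    return Extension(BASIC_CONSTRAINTS_OID, critical, value)


if __name__ == "__main__":
    cases = [
        ("CA subject, cA TRUE", True, ext(CA_TRUE)),
        ("EE subject, no extension", False, None),
        ("CA subject, extension omitted", True, None),
        ("EE subject carrying the extension", False, ext(CA_TRUE)),
        ("CA subject, cA FALSE (DER)", True, ext(CA_FALSE_DER)),
        ("CA subject, cA FALSE (explicit)", True, ext(CA_FALSE_EXPLICIT)),
        ("CA subject, pathLen present", True, ext(CA_TRUE_PATHLEN0)),
    ]
    for label, is_ca, e in cases:
        published = check_basic_constraints(is_ca, e, apply_errata_6854=False)
        proposed = check_basic_constraints(is_ca, e, apply_errata_6854=True)
        print(f"{label}: published={published or 'ok'} proposed={proposed or 'ok'}")
```

The only case on which the two readings differ is a CA-subject certificate whose extension encodes cA as FALSE: the published text accepts it (the issuer "determines whether the cA boolean is set"), the proposed text rejects it. Every other row yields the same result under both, which is the sense in which the report adds a rule rather than correcting one.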