Re: [lamps] WG Last call: draft-ietf-lamps-hash-of-root-key-cert-extn

Jim Schaad <> Tue, 06 November 2018 12:24 UTC

From: Jim Schaad <>
To: 'Russ Housley' <>
CC: 'SPASM' <>
Date: Tue, 6 Nov 2018 19:23:40 +0700

Yes, that satisfies my concern.


From: Russ Housley <> 
Sent: Tuesday, November 6, 2018 6:07 PM
To: Jim Schaad <>
Cc: SPASM <>
Subject: Re: [lamps] WG Last call:




* Section 2 - What operational considerations are there for when to
retire the old Root CA certificate when a new one has been
discovered and is to be used?

I'm not sure what you are requesting.  Install the new one, and
remove the old one?

When you install the new one, I don't believe that you are going to
remove the old one.  There are still going to be valid certificates
running around that will chain to the old root until you have done all
of the issuing of certificates to the new root.  This is going to take
time.  Additionally, if you are looking at something like the mail
case you want to keep the old root but mark it as being "expired" so
that you can validate the chain of certificates.

If one follows the old-with-new and new-with-old advice in RFC 2510, then
the replacement should not cause any disruption.  If you think it is useful,
operational considerations about this can be added.

This means that it might be some time before the old one is removed.

It should not need to linger...

Since it was not obvious to me, then yes the hint should be included.


Does this text address your concern:


5.  Operational Considerations

   Guidance on the transition from one trust anchor to another is
   available in [RFC2510].  In particular, the oldWithNew and newWithOld
   advice ensures that relying parties are able to validate certificates
   issued under the current Root CA certificate and the next generation
   Root CA certificate throughout the transition.  Further, this
   technique avoids the need for all relying parties to make the
   transition at the same time.
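The oldWithNew/newWithOld transition that the proposed Section 5 points to, worked through as an added example that is not text or code from the draft, from Russ Housley or from Jim Schaad: two self-signed roots, the two cross-certificates, and a relying party that trusts only one generation yet still validates certificates issued under the other. It also shows the check the draft's hint makes possible, comparing a candidate next root against a stored SHA-256 hash of its DER-encoded SubjectPublicKeyInfo. Everything below is an assumption of the example, not something the page states: the hash input, the ECDSA P-256 keys, the subject names (G1/G2 for readability, whereas RFC 2510 keeps the CA's name unchanged across the key update), the validity periods and the use of Go's crypto/x509 as the relying party; the draft's actual extension encoding is left out because the page does not give it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the pieces of an RFC 2510 section 2.4 root key update, all
// constructed in memory for this example: two self-signed roots, the two
// cross-certificates linking the generations, and one leaf issued under each.
type Hierarchy struct {
	OldRoot, NewRoot       *x509.Certificate
	NewWithOld, OldWithNew *x509.Certificate // new key signed by old key; old key signed by new key
	OldEE, NewEE           *x509.Certificate // leaves issued by the old and the new root
	// NextKeyHash models the value the draft's extension would carry inside OldRoot:
	// SHA-256 over NewRoot's DER-encoded SubjectPublicKeyInfo (assumed hash input).
	NextKeyHash [sha256.Size]byte
}

var nextSerial int64

// must panics on error so the example stays short; a real issuer would return it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a CA or end-entity template; serial numbers are just a counter.
func template(cn string, ca bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue certifies pub under tmpl with the signer's private key; passing the
// template itself as parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildHierarchy generates fresh keys and issues every certificate of the
// transition. G1/G2 names are a simplification of RFC 2510, which keeps the
// CA's name and replaces only the key pair.
func BuildHierarchy() *Hierarchy {
	oldKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	oldTmpl, newTmpl := template("Example Root CA G1", true), template("Example Root CA G2", true)
	h := &Hierarchy{
		OldRoot: issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey),
		NewRoot: issue(newTmpl, newTmpl, &newKey.PublicKey, newKey),
	}
	// newWithOld: the new root's public key certified by the old root key, so a
	// relying party that still trusts only G1 can reach certificates issued by G2.
	h.NewWithOld = issue(template("Example Root CA G2", true), h.OldRoot, &newKey.PublicKey, oldKey)
	// oldWithNew: the old root's public key certified by the new root key, for
	// relying parties that have already switched to G2.
	h.OldWithNew = issue(template("Example Root CA G1", true), h.NewRoot, &oldKey.PublicKey, newKey)
	h.OldEE = issue(template("old-issued.example", false), h.OldRoot, &leafKey.PublicKey, oldKey)
	h.NewEE = issue(template("new-issued.example", false), h.NewRoot, &leafKey.PublicKey, newKey)
	h.NextKeyHash = sha256.Sum256(h.NewRoot.RawSubjectPublicKeyInfo)
	return h
}

// Verify is the relying party: it trusts only roots and is handed inters
// (here, the cross-certificates) as extra material to build a chain with.
func Verify(leaf *x509.Certificate, roots, inters []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// NextRootMatches is the check the hint enables: a candidate next root is
// accepted only if its SubjectPublicKeyInfo hashes to the stored value.
func NextRootMatches(h *Hierarchy, candidate *x509.Certificate) bool {
	return sha256.Sum256(candidate.RawSubjectPublicKeyInfo) == h.NextKeyHash
}

func main() {
	h := BuildHierarchy()
	one := func(c *x509.Certificate) []*x509.Certificate { return []*x509.Certificate{c} }
	fmt.Println("G2 leaf, RP trusts G1, no cross-cert:  ", Verify(h.NewEE, one(h.OldRoot), nil))
	fmt.Println("G2 leaf, RP trusts G1, with newWithOld:", Verify(h.NewEE, one(h.OldRoot), one(h.NewWithOld)))
	fmt.Println("G1 leaf, RP trusts G2, with oldWithNew:", Verify(h.OldEE, one(h.NewRoot), one(h.OldWithNew)))
	fmt.Println("candidate G2 root matches stored hash: ", NextRootMatches(h, h.NewRoot))
}
```

The first Verify call fails and the second succeeds, which is the whole point of the thread: a relying party that has not yet picked up the new root keeps validating G2-issued certificates as long as it is handed the newWithOld certificate, and the mirror case holds for relying parties that have already moved to G2, so nobody has to switch at the same moment and the old root lingers only until the last certificate chaining to it has been reissued.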