Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
Draft of message to be sent after approval:
From: The IESG <email@example.com> To: IETF-Announce <firstname.lastname@example.org> Cc: RFC Editor <email@example.com>, pkix mailing list <firstname.lastname@example.org>, pkix chair <email@example.com> Subject: Protocol Action: 'Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile' to Proposed Standard (draft-ietf-pkix-rfc5280-clarifications-11.txt) The IESG has approved the following document: - 'Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile' (draft-ietf-pkix-rfc5280-clarifications-11.txt) as Proposed Standard This document is the product of the Public-Key Infrastructure (X.509) Working Group. The IESG contact persons are Sean Turner and Stephen Farrell. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc5280-clarifications/
Technical Summary Since the publication of RFC 5280 in May of 2008, several areas have been identified where the document was not clear, thus motivating a “clarifications” update. Experience with CA use of the Certificate Policies extension motivated a change to allow (MAY) use of BMPString. The DANE WG requested that PKIX clarify make an explicit (positive) statement about self-signed certificates that are not marked as CA certificates. PKIX published an informational RFC (5937) and a standards track RFC (5914) related to trust anchor formats and constraints processing by a relying party. This document updates 5280 to point to these documents. Experience with IDNs motivated a minor update to align the details of how such names are processed. The Secruity Considerations section was updated to reflect experience with attacks against CAs. This document addresses all of these issues. Working Group Summary Most of the clarifications in this document were not contentious, except for the self-signed certificate text. Numerous revisions were required to develop text that was acceptable to the WG. The original document editor was replaced as part of this process. He elected to no longer be listed as an author, but he is thanked in the Acknowledgements section. Document Quality This is a very small document and is well written. Most of the clarifications are motivated by experience with existing implementations of CA or RP software. There is no need for a MIB doctor review, there are no Media Types, etc. Personnel Steve Kent is the Document Shepherd, and Sean Turner the Responsible Area Director.