IETF Logo Mail Archive

Re: [certid] What DNS-ID if also using a DNS-SRV?

Shumon Huque <shuque@isc.upenn.edu> Thu, 01 July 2010 05:24 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EF52B3A67FA for <certid@core3.amsl.com>; Wed, 30 Jun 2010 22:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.413
X-Spam-Level:
X-Spam-Status: No, score=-2.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AYlj1bixat7P for <certid@core3.amsl.com>; Wed, 30 Jun 2010 22:24:11 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 4A6223A67CF for <certid@ietf.org>; Wed, 30 Jun 2010 22:24:09 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 0E25A3058; Thu, 1 Jul 2010 01:24:21 -0400 (EDT)
Date: Thu, 1 Jul 2010 01:24:20 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Martin Rex <mrex@sap.com>
Message-ID: <20100701052420.GA4920@isc.upenn.edu>
References: <4C2BBEA1.1090506@stpeter.im> <201006302329.o5UNTXLF012594@fs4113.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201006302329.o5UNTXLF012594@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jul 2010 05:24:16 -0000

On Thu, Jul 01, 2010 at 01:29:33AM +2600, Martin Rex wrote:
> Actually, _some_ of the PKIX-heavy APPS might want to restrict
> usability of server certificates by "extendedKeyUsage" in addition
> to what we define as server endpoint identification here.
> 
> The wording in rfc-5280 section 4.2.1.12 appears a self-contradictory
> to me, because it conditionalizes "MUST only" with "applications MAY do
> whatever they see fit", and application negligence is likely to be
> the norm.  And btw. how "applications MAY" is used it refers to
> individual implementations and such an interpretation aligns well
> with the more easily understandable text in rfc-2459.
> 
> 
>    If the extension is present, then the certificate MUST only be used
>    for one of the purposes indicated.  If multiple purposes are
>    indicated the application need not recognize all purposes indicated,
>    as long as the intended purpose is present.  Certificate using
>    applications MAY require that the extended key usage extension be
>    present and that a particular purpose be indicated in order for the
>    certificate to be acceptable to that application.
> 
> 
> -Martin

Yeah, I was actually waiting to see who brings this up first! :-)

A smaller group of us had discussions about this (via private e-mail
prior to the certid list being set up). I'm sure the others will chime
in with their thoughts. But our general impression is that KU/EKU
are very poorly understood. Some of my principal concerns with using
them for application restriction are that the current ones aren't 
defined precisely enough. Ideally you need a new EKU for every new 
application protocol for proper security compartmentalization. Also 
they depend on a more complicated set of things happening correctly 
on both the server and client side. The client has to perform an 
additional step in addition to matching the subject identity. And 
actually to ensure that the use of the cert is being constrained, the 
EKU extension has to be marked critical (which I think breaks some
modes of migration) - assuming of course that client software rejects 
the cert if they don't understand the EKU extension, which may not be
a true assumption for the deployed base of software.

--Shumon.

v2.8.7 | Report a Bug | By Email