IETF Logo Mail Archive

RE: [TLS] Why require EKU for certid?

"Jim Schaad" <ietf@augustcellars.com> Thu, 23 September 2010 02:28 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0455D3A6A64; Wed, 22 Sep 2010 19:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBrepEOUvQ4B; Wed, 22 Sep 2010 19:28:37 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by core3.amsl.com (Postfix) with ESMTP id 019F33A6A2D; Wed, 22 Sep 2010 19:28:37 -0700 (PDT)
Received: from TITUS (unknown [207.202.179.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTP id 9EC3D6A423; Wed, 22 Sep 2010 19:29:04 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>, 'Peter Saint-Andre' <stpeter@stpeter.im>, 'Stefan Santesson' <stefan@aaa-sec.com>
References: <C8B4E80F.EE82%stefan@aaa-sec.com> <4C9A2D12.3020409@stpeter.im> <p0624084ac8bfe10f5b72@[10.20.30.158]>
In-Reply-To: <p0624084ac8bfe10f5b72@[10.20.30.158]>
Subject: RE: [TLS] Why require EKU for certid?
Date: Wed, 22 Sep 2010 19:36:20 -0700
Message-ID: <001301cb5ac8$1d01fe20$5705fa60$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQD4cSCKDZYsaq0DFZ4yur+K64x8SgEr1WV4AyGf4EKUokHOsA==
Content-Language: en-us
X-Mailman-Approved-At: Thu, 23 Sep 2010 10:32:52 -0700
Cc: 'IETF cert-based identity' <certid@ietf.org>, ietf@ietf.org, tls@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2010 02:28:38 -0000

> -----Original Message-----
> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Paul
> Hoffman
> Sent: Wednesday, September 22, 2010 9:44 AM
> To: Peter Saint-Andre; Stefan Santesson
> Cc: IETF cert-based identity; ietf@ietf.org; tls@ietf.org
> Subject: [TLS] Why require EKU for certid?
> 
> At 10:21 AM -0600 9/22/10, Peter Saint-Andre wrote:
> >On 9/14/10 12:51 AM, Stefan Santesson wrote:
> > > General:
> >> I would consider stating that server certificates according to this
> >> profile either MUST or SHOULD have the serverAuth EKU set since it is
> >> allways related to the use of TSL and server authentication. At least
> >> it MUST be set when allowing checks of the CN-ID (see 2.3 below).
> >
> >Jeff and I are still discussing this topic and do not yet have
> >editorial agreement about how to proceed.
> 
> This is not editorial, this is definitely technical. What possible
advantage is
> there to making certificates that do not have this flag set be excluded
from the
> practices you are defining? That is, if a TLS client gets a certificate
from a TLS
> server that the TLS server says is its authentication certificate, why
should the
> client care whether or not that flag is set? That flag is an assertion
from the CA,
> not from the server who is authenticating.
> 
> > > 2.3
> > > It would be good if we could restrict the use of CN-ID for storing a
> > > domain name to the case when the serverAuth EKU is set. Requiring
> > > the EKU reduce the probability that the CN-ID appears to be a domain
> > > name by accident or is a domain name in the wrong context.
> 
> That makes no sense from an operational standpoint. The inclusion of an
EKU
> has nothing to do with the decision-making for the domain name location.
> 
> > > In many deployments, this also affects the name constraints
> > > processing to
> >> perform domain name constraints also on the CN attribute.
> 
> True, and irrelevant.
> 
> > > There should at least be a rule stating that any client that accepts
> > > the CN
> >> attribute to carry the domain name MUST also perform name constraints
> >> on this attribute using the domain name logic if name constraints is
> >> applied to the path. Failing this requirement poses a security threat
> >> if the claimed domain name in CN-ID violated the name constraints set
for
> domain names.
> 
> Fully disagree.

I also agree that this is not something that I would ever like to see as a
required element.  Applying name constraint logic in places that it should
not be performed is something that is very hard on any certificate
evaluation logic.

I think it would be much more an issue of "asking" CAs not to issue
certificates that have this characteristic.

Jim

> 
> 
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email