Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Michael StJohns <mstjohns@comcast.net> Wed, 20 February 2013 18:09 UTC

Date: Wed, 20 Feb 2013 13:09:32 -0500
To: mrex@sap.com, Stefan Santesson <stefan@aaa-sec.com>
From: Michael StJohns <mstjohns@comcast.net>
In-Reply-To: <20130220174108.C7D301A5A7@ld9781.wdf.sap.corp>
References: <CD4AAC65.5B8D5%stefan@aaa-sec.com> <20130220174108.C7D301A5A7@ld9781.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <20130220180931.6F43021F8718@ietfa.amsl.com>
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Precedence: list

At 12:41 PM 2/20/2013, Martin Rex wrote:
>   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
>   -- TLS WWW client authentication
>   -- Key usage bits that may be consistent: digitalSignature
>   -- and/or keyAgreement

I've actually used this EK oid for client certificates for TLS.  The general code for accepting (and deriving user credentials from) client certificates is mostly useless.  

I've ended up getting the raw certificate (after path processing validates the basics) and pulling it apart to see if it has what I want.  This works well when you have a standard mapping from a cert/cert chain to a user credential, but you want to make sure that you aren't  - for example - accepting an email credential.

(You can't do this without writing additional processing code: I want to accept a cert that's no more than 1 CA below a known and specific root, and I want to take the UID field from the subject name of the cert as the handle for mapping the cert to the server user/role and I want this cert to be a TLS cert, any other cert that chains to one of my acceptable roots gets the guest credential and role)

Mike

[pkix] A non-compliant use of the EKU extension i… Denis Pinkas
Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
Re: [pkix] A non-compliant use of the EKU extensi… David A. Cooper
Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
Re: [pkix] A non-compliant use of the EKU extensi… Denis Pinkas
Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
Re: [pkix] A non-compliant use of the EKU extensi… Santosh Chokhani
Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
Re: [pkix] A non-compliant use of the EKU extensi… Dr Stephen Henson
Re: [pkix] A non-compliant use of the EKU extensi… Martin Rex
Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
Re: [pkix] A non-compliant use of the EKU extensi… Henry B. Hotz
Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
Re: [pkix] A non-compliant use of the EKU extensi… Yoav Nir
Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
Re: [pkix] A non-compliant use of the EKU extensi… Peter Sylvester
Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
[pkix] Agenda items for PKIX in Orlando Stefan Santesson
Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
[pkix] PKIX WG's (lack of) agility to adopt missi… Martin Rex