Re: [pkix] RFC 5280 Extended Key Usage - explanation

Tim Hollebeek <tim.hollebeek@digicert.com> Wed, 22 November 2023 17:18 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Peter Miškovič <Peter.Miskovic=40disig.sk@dmarc.ietf.org>
CC: IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] RFC 5280 Extended Key Usage - explanation
Date: Wed, 22 Nov 2023 17:18:09 +0000
Message-ID: <SN7PR14MB6492DAAC6A4F09BC6FAD7E3783BAA@SN7PR14MB6492.namprd14.prod.outlook.com>
References: <1cc8b53823ff40d7bbfa126478461a43@disig.sk> <F0554924-EDED-4427-8596-279DEB3D3EFF@vigilsec.com> <SN7PR14MB649287B4A91560610D28EDCB83B4A@SN7PR14MB6492.namprd14.prod.outlook.com> <SY4PR01MB625106D0C70552A9C3BB5263EEBBA@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <SY4PR01MB625106D0C70552A9C3BB5263EEBBA@SY4PR01MB6251.ausprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/5q_L7uv2-0nIYa9E-oAhiEYPAnA>

Yep, you're exactly right.  The vague definitions didn't help, and there was
also quite a bit of drift and confusion about what exactly the scope of each
EKU was.

I don't know that starting over is feasible, though.  I think the best we can
do is provide some of the missing EKUs, provide clear scopes and definitions
for them, and encourage their use.  Like we are trying to do with
kpDocumentSigning.  The 5G NF EKUs that were newly allocated, instead of
re-using and abusing existing EKUs, is another great example of the right path
forward, IMO.

If this means the older, less well-specified EKUs eventually go extinct, I
won't mourn their passing.

-Tim

> -----Original Message-----
> From: pkix <pkix-bounces@ietf.org> On Behalf Of Peter Gutmann
> Sent: Tuesday, November 21, 2023 1:28 AM
> To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>; Russ
> Housley <housley@vigilsec.com>; Peter Miškovič
> <Peter.Miskovic=40disig.sk@dmarc.ietf.org>
> Cc: IETF PKIX <pkix@ietf.org>
> Subject: Re: [pkix] RFC 5280 Extended Key Usage - explanation
> 
> Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> writes:
> 
> >In theory, there should be separate EKUs for documents, client certs,
> >and email certs.  In practice, reuse of either emailProtection or
> >clientAuth for all three is embarrassingly common.
> 
> It's also because historically the eKU values have been hopelessly vague
> (and they still are, at least up till 5280), so everyone made up their own
> semantics.  For example an SMTPS server could have id-kp-emailProtection
> set, an S/MIME app could have id-kp-emailProtection set, anti-malware
> software could have id-kp-emailProtection set (say to sign incoming
> messages that had been scanned), and there are probably several more
> applications all of which implement some form of email protection that
> could legitimately set id-kp-emailProtection for TLS, S/MIME, and digital
> signing.  I'd have to go through a ton of old email to check all the
> unexpected but logical once explained ways in which the eKUs can be
> applied.
> 
> Possibly a better option, given the hopeless cause of getting everyone to
> change the way they use the existing eKUs, is to define a new extension
> with well-defined, narrow semantics for each key usage/purpose/whatever.
> For example newEmailProtection would be for encrypting or signing email
> messages and nothing else.
> 
> Peter.
> 
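The ambiguity both messages describe becomes concrete at the relying party: a verifier that keys on a narrow purpose such as id-kp-documentSigning rejects a certificate that only carries id-kp-emailProtection, while a lenient one also honours anyExtendedKeyUsage or an absent extension. The following is an added example, not code from the thread: a minimal DER decoder for the ExtendedKeyUsage extension value plus a purpose check; the sample extension bytes are constructed here, and the strict/lenient switch is an assumed verifier setting.

```python
# Added example (not code from the thread): decode the DER value of an RFC 5280
# ExtendedKeyUsage extension and apply a verifier-side purpose check.
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ID_KP_DOCUMENT_SIGNING = "1.3.6.1.5.5.7.3.36"  # id-kp 36, RFC 9336
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
# Constructed sample extension values: SEQUENCE (0x30) of OBJECT IDENTIFIER (0x06).
EKU_EMAIL_ONLY = bytes.fromhex("300a 0608 2b06010505070304")
EKU_EMAIL_AND_CLIENT = bytes.fromhex("3014 0608 2b06010505070304 0608 2b06010505070302")
EKU_DOC_SIGNING = bytes.fromhex("300a 0608 2b06010505070324")
EKU_ANY = bytes.fromhex("3006 0604 551d2500")

def _read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]   # short form, or 0x81 + one length byte
    pos += 2
    if length == 0x81:
        length, pos = buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    first = body[0]                        # first byte packs the first two arcs
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:                     # base-128, high bit set on all but last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_eku(der: bytes) -> list:
    """ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID)."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(body))
    return oids

def accepted_for(purpose: str, eku_der, strict: bool = True) -> bool:
    """RFC 5280 4.2.1.12: an absent extension or anyExtendedKeyUsage allows any
    purpose, but an application MAY insist on the specific purpose (strict=True)."""
    if eku_der is None:
        return not strict
    oids = decode_eku(eku_der)
    return purpose in oids or (not strict and ANY_EXTENDED_KEY_USAGE in oids)
```

With strict=True an emailProtection-only certificate is refused for document signing, which is the behaviour a dedicated kpDocumentSigning EKU makes possible; with strict=False the catch-all cases pass, which is how the reuse described above goes unnoticed.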