IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

mrex@sap.com (Martin Rex) Wed, 20 February 2013 17:42 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F1AA21F8886 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 09:42:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.234
X-Spam-Level:
X-Spam-Status: No, score=-10.234 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6v-PjoPuOFj for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 09:42:47 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 27E1F21F8887 for <pkix@ietf.org>; Wed, 20 Feb 2013 09:42:46 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r1KHf8wL005709 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 20 Feb 2013 18:41:09 +0100 (MET)
In-Reply-To: <CD4AAC65.5B8D5%stefan@aaa-sec.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Date: Wed, 20 Feb 2013 18:41:08 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130220174108.C7D301A5A7@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 17:42:48 -0000

Stefan Santesson wrote:
>
> The present case is as far as I can see a complete deadlock.
> Nor ITU/ISO nor PKIX can change the meaning of EKU, neither can
> implementers do what they feel they need to do without breaking/stretching
> the standard.

I'm seeing flawed assumptions about the protocol feature EKU
in several places: some large companies, PKIX(IETF) and ITU/ISO.

First of all, the stuff that is defined to be processed along the
certification path (i.e. within the certficate path validation function)
are name constraints, the path length constraint of BasicConstraints,
certificate policies and certificate policy constraints.

With few exceptions EKU is a mostly useless attribute, for which the
interpretation is left _entirely_ up to the calling application --
and calling applications often ignore it (or need to do so, per spec).

rfc5280 section 6.1 does not specify processing of EKUs anywhere
-- 6.1.4 (n) is limited to processding the KeyUsage certSign,
and 6.3.3 (f) is limited to processing the KeyUsage crlSign,
and 6.1 explicitly RECOMMENDs against performing conformance
checks for stuff described in Section 4 & 5 of rfc5280.

The path validation function also does not have an input of the type
"intended key usage", so there is really nothing that the path validation
function could do about application usage.


Although there exist a few EKU definitions in rfc5280:
http://tools.ietf.org/html/rfc5280#page-45

not all of them are actually used.  id-kp-timeStamping is required
by rfc3151-Timestamps, id-kp-OCSPSigning might be used in some
places for dedicated OCSP signers (that differ from the cert issuer),
and id-kp-emailProtection might be used by some S/Mime implementations.


Two fairly useless EKUs seem to be:

   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   -- TLS WWW server authentication
   -- Key usage bits that may be consistent: digitalSignature,
   -- keyEncipherment or keyAgreement

   id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   -- TLS WWW client authentication
   -- Key usage bits that may be consistent: digitalSignature
   -- and/or keyAgreement

Above two EKUs are unknown to all versions of TLS (rfc2246-rfc5246)
**AND** unknown to the HTTP-over-TLS spec rfc2818.  Unlike the PKIX
definition of these two EKUs, usage of TLS isn't limited to
HTTP-over-TLS anyway, so these two EKUs are pretty useless with the
existing specs.


Properly defined EKU usage in app protocols seem to exist only for

id-kp-OCSPSigning      http://tools.ietf.org/html/rfc2560#section-4.2.2.2
id-kp-timeStamping     http://tools.ietf.org/html/rfc3161#section-2.3
id-kp-emailProtection  http://tools.ietf.org/html/rfc3850#section-4.4.4
                       http://tools.ietf.org/html/rfc5750#section-4.4.4

(however, it was undefined in S/Mime 2 and S/Mime 3.0, so it must be
 ignored when backwards interop is desired).


-Martin

v2.23.0 | Report a Bug | By Email