IETF Logo Mail Archive

Re: [pkix] EKU for intermediate certificates

Peter Bowen <pzbowen@gmail.com> Thu, 04 February 2016 17:17 UTC

Return-Path: <pzbowen@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5251A0056 for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 09:17:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xky3snPSzI2 for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 09:17:04 -0800 (PST)
Received: from mail-pf0-x22b.google.com (mail-pf0-x22b.google.com [IPv6:2607:f8b0:400e:c00::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74BCF1A0019 for <pkix@ietf.org>; Thu, 4 Feb 2016 09:17:04 -0800 (PST)
Received: by mail-pf0-x22b.google.com with SMTP id n128so50759586pfn.3 for <pkix@ietf.org>; Thu, 04 Feb 2016 09:17:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tBh/7xwOx0LEx0shrU4XkNvHnLDMNMJckj6qZ8Xo0e8=; b=v7ckWJ4w7MqN71LQtNlIp66gqoi0q2QC2K1zMYWHM4bjTYqzRrWnIV+pk2i7+SlZ2d tBFO5RIcFfRQfV5H94xt6XKKFt68jt+JvJ66Nsq5AaGQaRYYkH0R1bqsTTPZjnRWcKp9 /GG9Hp3p5aCO4qaFLcyQrHyhZxKC9+usZY8kH5edUdUHgPa7lEyqbiFHABUS1SnnfQPF VltokQXve2woPIjmEvvKhPBpJn1P6WEcCvwiRFSC9wvfmqGNcW21WsKK7NtKstPUsMA3 /k0qb7kXgSdbz1dHTiWfxOMv0Lx95bBumwdf1dT3WwiMTADFX7xwhwCu5Jn34IaFzYox /9lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=tBh/7xwOx0LEx0shrU4XkNvHnLDMNMJckj6qZ8Xo0e8=; b=jT56ZbWrafnSf/KYokkmbm3U6Kfw/5Q/SNxP5AmfunfPCUQgMl3Zf2tNuV15I/v6Bg WhNGqKdJxD+y7G1GmfIMIn/B68mZ2PpVLtBf7OQv0nIBuCV/IkE08WgN/JskHEVpeAu0 1BEw9jntuA1HRWyJiyUCKEUOZ5ZShKWhj1pUJlgY/AxLkZZ7qsDGWMPVdHjdiltqsNG5 OgAf5mQ/Lu4KFnXrOi3uOBTD9FigOrV1rbBE95FR7UsWWWvdUEI/xp731K6Qmd23uUct 5Q3GtBwWJYcQ7EUhdWIyhYAdcy+3crbYQrrM0/YVVOQh1cCPaVUyKnDD9p6rAd/rIuoF E5ag==
X-Gm-Message-State: AG10YOSFdVDUKSFfVnrCl1S+8UeVgnZWJzztHjg9IiaM/ipLoUd5o42fUENaAaJwEOeXFZwfIFMNr1cpVl57+Q==
MIME-Version: 1.0
X-Received: by 10.98.13.68 with SMTP id v65mr3692814pfi.150.1454606224129; Thu, 04 Feb 2016 09:17:04 -0800 (PST)
Received: by 10.66.142.193 with HTTP; Thu, 4 Feb 2016 09:17:04 -0800 (PST)
In-Reply-To: <033501d15f64$a8a9e590$f9fdb0b0$@gmail.com>
References: <D2D8B816.4B461%carl@redhoundsoftware.com> <033501d15f64$a8a9e590$f9fdb0b0$@gmail.com>
Date: Thu, 04 Feb 2016 09:17:04 -0800
Message-ID: <CAK6vND-mnioLesh-Y6+CP2XBndszVx5yxiBnv6TnrEowcpf8FA@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Dl_lme0pfswdkxUS3oAVzRiFSjE>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 17:17:07 -0000

The CA/Browser Forum sets standards for Certification Authorities.  It
does not set requirements on implementers of path validation.

That being said, many current web browsers and OS path validation
libraries do enforce such constraints.  This includes Microsoft and
Mozilla libraries, which underpin Internet Explorer, Edge, Firefox,
and Chrome/Opera on Windows.

Thanks,
Peter

On Thu, Feb 4, 2016 at 7:56 AM, Santosh Chokhani
<santosh.chokhani@gmail.com> wrote:
> According the authors of the CABF criteria (I hope they will speak up), the
> intent of the language is not to make the enforcement of constraint on the
> certification path mandatory.
>
>
>
> They simply want the issuer to indicate limitations it imposes on the CA.
>
>
>
> I am generally sympathetic to enforcement of the constraint on the path,
> however this is a significant change to the semantics of the extension and
> path validation engine.
>
>
>
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace
> Sent: Thursday, February 4, 2016 8:14 AM
> To: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
> Cc: pkix@ietf.org
> Subject: Re: [pkix] EKU for intermediate certificates
>
>
>
> in the CAB Forum concept, if there any mechanism to indicate to a compliant
> validation engine that 5280 EKU semantics ought be used? Allowing a toggle
> probably beats simply changing the semantics of the extension for all cases.
>
>
>
> From: pkix <pkix-bounces@ietf.org> on behalf of Koichi Sugimoto
> <koichi.sugimoto@globalsign.com>
> Date: Thursday, February 4, 2016 at 8:08 AM
> To: "pkix@ietf.org" <pkix@ietf.org>
> Subject: [pkix] EKU for intermediate certificates
>
>
>
> Hello.
>
>
>
> I hope the following definition should be changed.
>
>
>
>>4.2.1.12.  Extended Key Usage
>
>>
>
>>   This extension indicates one or more purposes for which the certified
>
>>   public key may be used, in addition to or in place of the basic
>
>>   purposes indicated in the key usage extension.  In general, this
>
>>   extension will appear only in end entity certificates.
>
>
>
>
>
> Now CABF (CA Browser Forum) specified Extended Key Usage as:
>
>
>
> P9:
>
> Technically Constrained Subordinate CA Certificate: A Subordinate CA
> certificate which uses a
>
> combination of Extended Key Usage settings and Name Constraint settings to
> limit the scope within which the
>
> Subordinate CA Certificate may issue Subscriber or additional Subordinate CA
> Certificates.
>
>
>
> P34:
>
> ** Generally Extended Key Usage will only appear within end entity
> certificates (as highlighted in RFC 5280
>
> (4.2.1.12)), however, Subordinate CAs MAY include the extension to further
> protect relying parties until the
>
> use of the extension is consistent between Application Software Suppliers
> whose software is used by a
>
> substantial portion of Relying Parties worldwide.
>
>
>
> P38-39:
>
> For a Subordinate CA Certificate to be considered Technically Constrained,
> the certificate MUST include an
>
> Extended Key Usage (EKU) extension specifying all extended key usages that
> the Subordinate CA Certificate is
>
> authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId
> MUST NOT appear within this
>
> extension.
>
>
>
> Major browsers already support this specification, therefore, the next RFC
> should reflect this notation, I think.
>
> This notation is very important because we can restrict the range of
> influence when end-entity certificates are
>
> unwillingly issued by attacks etc.
>
>
>
>
>
> Please see below:
>
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf
>
>
>
>
>
> Regards,
>
> Koichi Sugimoto.
>
> _______________________________________________ pkix mailing list
> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>

v2.23.0 | Report a Bug | By Email