IETF Logo Mail Archive

Re: [pkix] RFC 5280 Extended Key Usage - explanation

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 21 November 2023 06:28 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C0FC14CF1F for <pkix@ietfa.amsl.com>; Mon, 20 Nov 2023 22:28:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IF7eI-OZfGm6 for <pkix@ietfa.amsl.com>; Mon, 20 Nov 2023 22:28:16 -0800 (PST)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.21.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 073DFC14CF1A for <pkix@ietf.org>; Mon, 20 Nov 2023 22:28:15 -0800 (PST)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01lp2168.outbound.protection.outlook.com [104.47.71.168]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-109-RSuOq112NWaY5hZ7KxumdA-1; Tue, 21 Nov 2023 17:28:10 +1100
X-MC-Unique: RSuOq112NWaY5hZ7KxumdA-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by SY6PR01MB8427.ausprd01.prod.outlook.com (2603:10c6:10:1db::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7002.28; Tue, 21 Nov 2023 06:28:08 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::a0c1:1be4:9da8:b452]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::a0c1:1be4:9da8:b452%4]) with mapi id 15.20.7002.028; Tue, 21 Nov 2023 06:28:08 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Peter Miškovič <Peter.Miskovic=40disig.sk@dmarc.ietf.org>
CC: IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] RFC 5280 Extended Key Usage - explanation
Thread-Index: AdoWAnjikrxKXJ41SWu5qcXZSUV0eQF4Vn6AAAGS7bAAFmI1TA==
Date: Tue, 21 Nov 2023 06:28:08 +0000
Message-ID: <SY4PR01MB625106D0C70552A9C3BB5263EEBBA@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <1cc8b53823ff40d7bbfa126478461a43@disig.sk> <F0554924-EDED-4427-8596-279DEB3D3EFF@vigilsec.com> <SN7PR14MB649287B4A91560610D28EDCB83B4A@SN7PR14MB6492.namprd14.prod.outlook.com>
In-Reply-To: <SN7PR14MB649287B4A91560610D28EDCB83B4A@SN7PR14MB6492.namprd14.prod.outlook.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SY4PR01MB6251:EE_|SY6PR01MB8427:EE_
x-ms-office365-filtering-correlation-id: 36eebc46-503f-4de7-7a60-08dbea5b073f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: 27KlrlalYc0rixEoRAe1657Vetzb+ecI3h9gtT3DKhYG+ZbENva+bJW66hw9j5U2l/ysHM5zb+/A+wDxqaLewckjdHD7RUxq/WwcInWLevkQWanlH4XSXEfvBZlDw0mktQYFYpLDNWxbGhSfQeG2fnePHROFArFLWsWHW/x2jg1d8FnLQdjCxUIKFAGXWXB2aQ8mi+QtmJehkT95n+GhFSP78dhDRiQREgZFbHYonPc/yw376Hy3MTL4A8jhiKG7KQT9SAcBmkibdpRHIWdZL+tbCiHMckWODJOs1O6tQ/5/YMySlEKoGOnCgqGyZ/8BGPVTqAO1dcRqvHX0U2ZOilzWdbRZ/UTpXeD5lpT7UOKjr0M0NWv+hzoMtMn11jr+pYZyywcZZ/1DwwCN0ceSB/wbIDL+JEwraaYYVXDvBTxA0Z78ccz2rRfibPv8hH0/aQPrQe2J5FPjKtoWV77SNCfglmu2mgqTeAXkhkgo6x/wLnVw8wZ01GtNWb8UoprrGjasq0zikGOaJeBHa6AHTm98kBLrZQ/jLQ9ES4eZrchrXGLguJu+ceQmGYGvG4bLea+x76LEqBWnELGcqlhsUAd/S3Gd8y1tQKu7DtLa1JAUP/wwkSqdhwMT+P5bDY7f
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(366004)(396003)(346002)(376002)(136003)(230922051799003)(64100799003)(451199024)(1800799012)(186009)(2906002)(33656002)(52536014)(4326008)(8676002)(8936002)(5660300002)(38100700002)(86362001)(38070700009)(41300700001)(9686003)(55016003)(26005)(71200400001)(6506007)(7696005)(83380400001)(66574015)(122000001)(478600001)(66556008)(66946007)(66476007)(64756008)(66446008)(76116006)(110136005)(786003)(316002); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: sBr69q/30pdKjRVSAaD4pN/nVMsUs1b03ZHAsDJR/HXq8JpbMlqkqyfpBEGfcSydttnATfD2rEBsSdoh4ouZ5UZaEWyhE0ISGpCSCbS0KBtG9FuEqjKmc2IBbYDv7lUYG1Yx1sOkyQsqMT4IV6mGirM58QYpF1f/aZ+ZzQBRXyBU70T9Zs7fLlsUtyftmmd08gPIUFht1bo4nL2GQtHQrHm3QZhXZVCDYZfwgE411de42psCw8kZb5IpXBD4RD/dxg9bx9AJP1CBDrvnLkdtdgpn92QNaFvI9IyaOJoSQO+CP+AuyT7UGlZ1XRlJ6tmM+adsSj5bNaioJVuKhdEAUGeDwM6BmQ16+teNe+RAYbpEOJSju+aIRrdf/Fqv9e5uihWqE7HoUAdUf+2k1eqshy3oEN7CuEg53CktpnX6euDm/pED5iCy7gBhVn2mMV/Uze0ldKxH3FDZt+lEwGe68ySaDAurH1WEoVtLIwA5cFy1rbcUBubYrzek26LuQOdlW5Sdarp4WPvfgUFx5XTkZnUZvHUPQTpPsyFQzRbWuRYLK8bkosnICfckV8jI6rYrTmW/cJgt0qM/aREB8zW/YfL2yDl5byDsrwDycvDCaWM1t1FFKIQFi2lEVS6b99RPAyeos4Eg2DCIMY2QtaaEj2t+7NR6DZKLdu+s3PoHQGpC1DCdgJrWWRI+jdxZmW4GJ7Vki6aFBbfS/tCOfSJu4Co4osA/oQ1Pjw466xJYsLys/VvDjN6qI2BXA6Dhc6QojEZKYSs1HXt/btAMQTd4etME1VNHxjx96R78i0OGZ/umBqwbI7RlIZXFKw/byuHGzAdfHLGsR0uapJRKrDhxahldxYt5BegiMQhRK27PNpVjGSFPj3mV5CGY5q5kY3IYgahKPXoQYFW3clx1dVBPgpPHfXALYp7rzivKNJjNru4kKuU64q1zZzNIa4ABGeqcFLuego2yECnVFQdCjpMxpKq+r4Yd6Xp3ZmaNEC5na3XOKasOf3PCIvCn3W/WKpzlS8VoLm9k0H0E2IHmaiw/MbZe4tuk/Jw7xkirs9HqW7IQV6Ro+BhE4nsQ7MFCTjm3dchvu4iBEO1MELQht+B2liYJGDFXNZyW+9CEOLIGqabT/5RfZQDPmp6ppV/TJNQr7JspHAOI79YQ6BvFSrw/SJXlAs8MSKT1AImJbrAkbxzPEsWKaW8J/gXhYwpnuR2L6VbkW9uaEcNdIClfVKfoihowH09frOZuvaeDqj1Sq6e7WDObNfNduyMWWuwPFRl0Dvy32MBOs7tu8EDrNmlBvbX46vqJ52Lo2Kf4Qq3i4T6M8ZjvS8aRIgz/Po+QLj/4IGITNl/UYrf/MSmgm0qGREpdOTqs1v+1XY/q+CqTjFNsq1X42+Q+fenTva+Z3E2CJj8PCIJujZ3bosQfufjFC5g1Y3Qk+O1n/T7ntmNfsPg90MRbVwAhhkwnWnAoG7NdLTv2jlQMCy1A0PA9GXcCTyycNNAi6ZIn7pdEuwDfhAXeb3wmJmt8Ftb36AzIfGmvQOdrKEOTsDmtrIhyJRjnuGZFBfflCqrv+knki6x7FiVBAGSogzF0dy8MhaYI8MxW
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 36eebc46-503f-4de7-7a60-08dbea5b073f
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Nov 2023 06:28:08.6987 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DM4QxfwEJ/4YwpF0BoV/XaiyxQxpOMIppu0gshFHvv9rtiMB1Fni09NAE8cj5uVVa7zxaLlk1UCwNn/2hdqDxjPBpLHTPVsrkre5y1TGskE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY6PR01MB8427
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="ISO-8859-2"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/L8rS5nUNfs9ybsCmiSiEvQ7wbXk>
Subject: Re: [pkix] RFC 5280 Extended Key Usage - explanation
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Nov 2023 06:28:20 -0000

Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> writes:

>In theory, there should be separate EKUs for documents, client certs, and
>email certs.  In practice, reuse of either emailProtection or clientAuth for
>all three is embarrassingly common.

It's also because historically the eKU values have been hopelessly vague (and
they still are, at least up till 5280), so everyone made up their own
semantics.  For example an SMTPS server could have id-kp-emailProtection set,
an S/MIME app could have id-kp-emailProtection set, anti-malware software
could have id-kp-emailProtection set (say to sign incoming messages that had
been scanned), and there are probably several more applications all of which
implement some form of email protection that could legitimately set id-kp-
emailProtection for TLS, S/MIME, and digital signing.  I'd have to go through
a ton of old email to check all the unexpected but logical once explained ways
in which the eKUs can be applied.

Possibly a better option, given the hopeless cause of getting everyone to
change the way they use the existing eKUs, is to define a new extension with
well-defined, narrow semantics for each key usage/purpose/whatever.  For
example newEmailProtection would be for encrypting or signing email messages
and nothing else.

Peter.

v2.23.0 | Report a Bug | By Email