Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Michael StJohns <mstjohns@comcast.net> Wed, 20 February 2013 17:57 UTC
Return-Path: <mstjohns@comcast.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DC9C21F8798 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 09:57:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.271
X-Spam-Level:
X-Spam-Status: No, score=-100.271 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lvgDPs50ts8m for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 09:57:48 -0800 (PST)
Received: from qmta03.westchester.pa.mail.comcast.net (qmta03.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:32]) by ietfa.amsl.com (Postfix) with ESMTP id ACA9321F8759 for <pkix@ietf.org>; Wed, 20 Feb 2013 09:57:43 -0800 (PST)
Received: from omta18.westchester.pa.mail.comcast.net ([76.96.62.90]) by qmta03.westchester.pa.mail.comcast.net with comcast id 2dU41l0091wpRvQ53hxjih; Wed, 20 Feb 2013 17:57:43 +0000
Received: from Mike-T530.comcast.net ([68.83.212.126]) by omta18.westchester.pa.mail.comcast.net with comcast id 2hxi1l00h2kB7pQ3ehxj2o; Wed, 20 Feb 2013 17:57:43 +0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 20 Feb 2013 12:57:45 -0500
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>, pkix@ietf.org
From: Michael StJohns <mstjohns@comcast.net>
In-Reply-To: <5124FFCD.8010405@drh-consultancy.co.uk>
References: <5123E0C7.5020506@bbn.com> <CD4AAC65.5B8D5%stefan@aaa-sec.com> <CAP=4qKQ0FTSr0zHDERNjRXW19fn+g1iLWWXkZOWtxDfFYi9+rA@mail.gmail.com> <CA+i=0E5Ak1uSRD4mixVNhoi1_m=AVt2f+gEs+-PdAcjzHVna8g@mail.gmail.com> <5124FFCD.8010405@drh-consultancy.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1361383063; bh=uArOaca3b76y4BcDleY/qVIuaEIyQxfABvJHu8H/kio=; h=Received:Received:Date:To:From:Subject:Mime-Version:Content-Type; b=pehpA2Eq51nf9p6CVC+P6JtKwJNJF82KL8uRLRXxwNlsUW0gHjK86CMemsdOH6kpX dmTJ7tcl39LE8voHI5SBqdQIids+dHLqA2E6waFdlSPcv81QSLu3CpyEjdC5bs+vfa FOKAZ2FMuX8NLUgk+TYG5qFkW87Vzootd27EQw3A0L9tpWcLXT+nxeMu7nKIAjLtHA ZNXhMXBORovSPg9zGsrmq27g7A8NyxO7d7ES1PhXxA50hcX2Yx/XhXt8NxOCMjxOup 5IdUzfYiajdhNDDu7uNnn0d2vgW8fcGMddQyer4MHjcLW6klEJBOzh099Kl3XP/SZQ 8YhWfdg01uIDg==
Message-Id: <20130220175747.ACA9321F8759@ietfa.amsl.com>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 17:57:49 -0000
At 11:54 AM 2/20/2013, Dr Stephen Henson wrote: >On 20/02/2013 16:26, Erwann Abalea wrote: >> >> They can define their own extension, like MS ApplicationPolicy, or NetscapeCertType. >> They can also rely on CertificatePolicies (which they do for EV certificates, >> and are starting to do for DV/OV). >> > >When this issue has come up before CertificatePolicies has often been mentioned >as an option but without many details. > >How would this work in practice? The simplest way would be to just use the EK usage OIDS (not the EKU cert extension OID) as "policies". You'd have to include each and every one in all of the CA's in the chain in the policy extension (or the anyPolicy policy), but that's probably easier than defining a whole new extension and modifying the path processing algorithms to add another path-binding extension. I'd probably also include the EK oid in the EKU of the end certificate to actually signal the cert can do what the EK oid says it can do, otherwise you get some issues where the intermediate CA has the usage bits set to sign code (for example). A different way might be to define a "BindingExtendedKeyUsage" policy and use that in conjunction with the EKU extension to signal that the set of OIDs in an EKU must be a subset of the parents EKU OID set (and for purposes of path walking will be reduced to a subset during evaluation). Unfortunately, the semantics of the policy extension are more in tune with turning on things (e.g. if policy A is present in the chain then you get treated better) than turning off things. In this case, you'd have to change the meaning of the policy to say that if its present in any parent then the path processing has to do the "binding key usage" processing to that parent, otherwise the last CA in the path can just decline to place the policy in the cert it issues. But I'd like to note that this treatment of EKs as a general class is pretty short sighted. There are few if any key usages that you really want to control from the root, and those are more properly handled as part of the path processing implementation based on the chain characteristics, rather than trying to do something like general path-like processing for the EKU based on the parent CA. E.g. if the attributes for the trust anchor for this chain says that the chain can't be used for signing code, then the presence of the appropriate code signing EK oid is ignored. >Steve. >-- >Dr Stephen N. Henson. >Core developer of the OpenSSL project: http://www.openssl.org/ >Freelance consultant see: http://www.drh-consultancy.co.uk/ >Email: shenson@drh-consultancy.co.uk, PGP key: via homepage. >_______________________________________________ >pkix mailing list >pkix@ietf.org >https://www.ietf.org/mailman/listinfo/pkix
- [pkix] A non-compliant use of the EKU extension i… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… David A. Cooper
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Santosh Chokhani
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Dr Stephen Henson
- Re: [pkix] A non-compliant use of the EKU extensi… Martin Rex
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Henry B. Hotz
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Yoav Nir
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Sylvester
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- [pkix] Agenda items for PKIX in Orlando Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- [pkix] PKIX WG's (lack of) agility to adopt missi… Martin Rex