Re: [pkix] EKU for intermediate certificates
Carl Wallace <carl@redhoundsoftware.com> Thu, 04 February 2016 13:13 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE3611B2ED7 for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 05:13:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YS7klLlGwyQG for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 05:13:44 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4D61B2EC9 for <pkix@ietf.org>; Thu, 4 Feb 2016 05:13:44 -0800 (PST)
Received: by mail-qg0-x22d.google.com with SMTP id o11so40560923qge.2 for <pkix@ietf.org>; Thu, 04 Feb 2016 05:13:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware-com.20150623.gappssmtp.com; s=20150623; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :mime-version:content-type; bh=tv00E2dcyx2OvVGw4vL16wfh6rezBgxj72IS5q2qN3M=; b=JyTRhA4nOoeL43GUlj9puFy9h+Kn8YK2sANvAC40792AueIlBVKegRvxyVznauwfuR U6342J9L4gZcM1YUMFIEJ3uQkQjfcxP5OBSglLORcA4RUbNP9hqUOPhT1uXTdyvzVnbL 1Qp2MU6yEPMsH75hmk4d6ryiZjck9qR+u+OPuxHC2i3stSR52O3fd7811LPxjrWv1UC1 GpUTtpu8vuEex+0mu4ecIFjPp4GNbQ9ZSeDmXdui+66zuBjUyCuvT0yMTxxHWdiZF1N8 3Jl7l+UaaW7aNEjQ24HF0t+6kcbkgW0zz1Bw2TnfcJUWkU+E2FgtJQTcMiDDXxMhLwC4 3uWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:mime-version:content-type; bh=tv00E2dcyx2OvVGw4vL16wfh6rezBgxj72IS5q2qN3M=; b=bOziDgCg3K83a6/O64dV0gobjFSdHY4jwQZpWjj2MdMsJa2/Tu/Gx6FtvHjp3OLWef hF/gB3bLa1kk17Gb3r+1Y6zuWxtucx1sXyQW/77hFVOJv2x8OminPW906v98+A1dW2da IvywRTS1SSmZ6wQXTAtz0OJg6LZrMtLYoQe6xOt/uLVr0nrIEKqWEiQC/ERBp0wwc6Wh unohqeS+tiJLrtzuvP8ComPGRe6pAJTstPrXh3ZlPn/g4RmdYsurbWu6ljhkQxx0F8aR 2zCoDovPuqx/3KK9ns5QLdjkq4p/imIqVQbqE5v0ZMFfCFGZj2iPhkpqin26kk9UOKzu VPjA==
X-Gm-Message-State: AG10YOQ6p6UsKV2LAPzxUa8Jq3ueRdv2e3YdzpJiiqYrK2tWdflOM/m3YHtC5G4Qxkaz7w==
X-Received: by 10.140.97.202 with SMTP id m68mr8685353qge.102.1454591623634; Thu, 04 Feb 2016 05:13:43 -0800 (PST)
Received: from [192.168.2.246] (pool-96-255-23-4.washdc.fios.verizon.net. [96.255.23.4]) by smtp.gmail.com with ESMTPSA id f5sm5020967qkb.30.2016.02.04.05.13.42 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 04 Feb 2016 05:13:43 -0800 (PST)
User-Agent: Microsoft-MacOutlook/14.5.8.151023
Date: Thu, 04 Feb 2016 08:13:37 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
Message-ID: <D2D8B816.4B461%carl@redhoundsoftware.com>
Thread-Topic: [pkix] EKU for intermediate certificates
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3537418422_8826228"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/OzAqCVx_FuYhQ7LfQBiXzcIRM4A>
Cc: pkix@ietf.org
Subject: Re: [pkix] EKU for intermediate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 13:13:50 -0000
in the CAB Forum concept, if there any mechanism to indicate to a compliant validation engine that 5280 EKU semantics ought be used? Allowing a toggle probably beats simply changing the semantics of the extension for all cases. From: pkix <pkix-bounces@ietf.org> on behalf of Koichi Sugimoto <koichi.sugimoto@globalsign.com> Date: Thursday, February 4, 2016 at 8:08 AM To: "pkix@ietf.org" <pkix@ietf.org> Subject: [pkix] EKU for intermediate certificates > Hello. > > I hope the following definition should be changed. > >> >4.2.1.12. Extended Key Usage >> > >> > This extension indicates one or more purposes for which the certified >> > public key may be used, in addition to or in place of the basic >> > purposes indicated in the key usage extension. In general, this >> > extension will appear only in end entity certificates. > > > Now CABF (CA Browser Forum) specified Extended Key Usage as: > > P9: > Technically Constrained Subordinate CA Certificate: A Subordinate CA > certificate which uses a > combination of Extended Key Usage settings and Name Constraint settings to > limit the scope within which the > Subordinate CA Certificate may issue Subscriber or additional Subordinate CA > Certificates. > > P34: > ** Generally Extended Key Usage will only appear within end entity > certificates (as highlighted in RFC 5280 > (4.2.1.12)), however, Subordinate CAs MAY include the extension to further > protect relying parties until the > use of the extension is consistent between Application Software Suppliers > whose software is used by a > substantial portion of Relying Parties worldwide. > > P38-39: > For a Subordinate CA Certificate to be considered Technically Constrained, the > certificate MUST include an > Extended Key Usage (EKU) extension specifying all extended key usages that the > Subordinate CA Certificate is > authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId > MUST NOT appear within this > extension. > > Major browsers already support this specification, therefore, the next RFC > should reflect this notation, I think. > This notation is very important because we can restrict the range of influence > when end-entity certificates are > unwillingly issued by attacks etc. > > > Please see below: > https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf > > > Regards, > Koichi Sugimoto. > _______________________________________________ pkix mailing list > pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
- Re: [pkix] EKU for intermediate certificates 王文正
- Re: [pkix] EKU for intermediate certificates Russ Housley
- [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Santosh Chokhani
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Stephen Farrell
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Rob Stradling
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Rob Stradling
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Erwann Abalea
- Re: [pkix] EKU for intermediate certificates Erwann Abalea
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Peter Bowen