Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
"Piyush Jain" <piyush@ditenity.com> Thu, 21 February 2013 15:41 UTC
Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E0521F8EC1 for <pkix@ietfa.amsl.com>; Thu, 21 Feb 2013 07:41:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.203
X-Spam-Level:
X-Spam-Status: No, score=-1.203 tagged_above=-999 required=5 tests=[AWL=-1.799, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Llo4Mj9FmG-R for <pkix@ietfa.amsl.com>; Thu, 21 Feb 2013 07:41:24 -0800 (PST)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id EE97021F8EBC for <pkix@ietf.org>; Thu, 21 Feb 2013 07:41:23 -0800 (PST)
Received: by mail-yh0-f54.google.com with SMTP id 29so1649828yhr.41 for <pkix@ietf.org>; Thu, 21 Feb 2013 07:41:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language:x-gm-message-state; bh=GII+400rhwqY4/94QdNIbKBjZlJi1vkP9FO+ek6lu/E=; b=CJOEQ5888FFOLxkXmG98WeOOJ4gdnFYxbNaGpA5V25bbyOzcj/VI84QvBZ+uhj32XH 5/iDnWxXhbuRr8EjxjOOgBxEjGITjl8U5k0QMg98nDPZSGCVGMnfHIGX22YZzXK2Hcc4 B8eyR8A5GAQJ4pk3GYv427ldrLqF5Dkrxy15QHuIYS8o5z+Hg0GjkofcD3hRGew/o0c0 iiRcic7fsouaS9fsS7n/o2HVTej802MNoOqBJ2JltGs/E01HX1lOsI4kFFpX/eK0+JjF GyYGWh1IgXDQObcANz+MEhlg6TNomRY4fg5jLnvwvQmOlzAoBy0yiRGSThqkEjuXzQ6s JJQA==
X-Received: by 10.236.155.7 with SMTP id i7mr34745264yhk.16.1361461283359; Thu, 21 Feb 2013 07:41:23 -0800 (PST)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id v43sm142158252yhm.11.2013.02.21.07.41.21 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 21 Feb 2013 07:41:22 -0800 (PST)
From: Piyush Jain <piyush@ditenity.com>
To: 'Peter Sylvester' <peter.sylvester@edelweb.fr>, pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz> <5124E2AB.5020400@bull.net> <51260A21.2080403@edelweb.fr>
In-Reply-To: <51260A21.2080403@edelweb.fr>
Date: Thu, 21 Feb 2013 07:41:23 -0800
Message-ID: <031e01ce1049$e7f408b0$b7dc1a10$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFU+PKJgpk+Of64p5F/KTAfGYydCwIq0DiUAoDWZGmZUT+ecA==
Content-Language: en-us
X-Gm-Message-State: ALoCoQkIV+zPBaoPX1AKCx9b6ejGdlBt+joqnT7b3ogQDYyRbF3cQ/SdLBR9A+quLJGR+CDJ40HJ
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2013 15:41:24 -0000
Where is the conflict with X.509? There is not eveb a problem with PKIX's > definitions of concrete values IMO. In fact, PKIX has no semantics defined, > just a comment to the ASN.1 syntax. As Peter Gutman mentioned 'email > protection' means what? > There is no conflict IMO with existing specs if one would say: > > - email protection means xyz. If put into and end certficate, then the cert can > only > be used for that purpose, if put into a CA cert, than this extend the path > validation > algorithm, such a CA is only supposed to issue certs that have this EKU in EE > certs. > The conflict is that some implementations have started deducing the extended key usage of a certificate based on what EKU is present in other certificates up in the chain. Semantic of an extension with OID id-ce-extKeyUsage is clear. 5280 clearly defines how this extension should be processed and that it applies only to the certificate in which it is present. What it does not defined is the meaning of objects contained within the EKU extension because those meanings are application dependent - however this is not the point that is being argued. The way I see it, the purposeIDs that are defined in 5280 do not belong there. Those definitions should have been part of application protocol specification. The fact that some of the purpose IDs are not being enforced by applications has nothing to do with how applications deduce the purpose associated with a cert.
- [pkix] A non-compliant use of the EKU extension i… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… David A. Cooper
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Santosh Chokhani
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Dr Stephen Henson
- Re: [pkix] A non-compliant use of the EKU extensi… Martin Rex
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Henry B. Hotz
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Yoav Nir
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Sylvester
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- [pkix] Agenda items for PKIX in Orlando Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- [pkix] PKIX WG's (lack of) agility to adopt missi… Martin Rex