IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

"Piyush Jain" <piyush@ditenity.com> Thu, 21 February 2013 15:41 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E0521F8EC1 for <pkix@ietfa.amsl.com>; Thu, 21 Feb 2013 07:41:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.203
X-Spam-Level:
X-Spam-Status: No, score=-1.203 tagged_above=-999 required=5 tests=[AWL=-1.799, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Llo4Mj9FmG-R for <pkix@ietfa.amsl.com>; Thu, 21 Feb 2013 07:41:24 -0800 (PST)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id EE97021F8EBC for <pkix@ietf.org>; Thu, 21 Feb 2013 07:41:23 -0800 (PST)
Received: by mail-yh0-f54.google.com with SMTP id 29so1649828yhr.41 for <pkix@ietf.org>; Thu, 21 Feb 2013 07:41:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language:x-gm-message-state; bh=GII+400rhwqY4/94QdNIbKBjZlJi1vkP9FO+ek6lu/E=; b=CJOEQ5888FFOLxkXmG98WeOOJ4gdnFYxbNaGpA5V25bbyOzcj/VI84QvBZ+uhj32XH 5/iDnWxXhbuRr8EjxjOOgBxEjGITjl8U5k0QMg98nDPZSGCVGMnfHIGX22YZzXK2Hcc4 B8eyR8A5GAQJ4pk3GYv427ldrLqF5Dkrxy15QHuIYS8o5z+Hg0GjkofcD3hRGew/o0c0 iiRcic7fsouaS9fsS7n/o2HVTej802MNoOqBJ2JltGs/E01HX1lOsI4kFFpX/eK0+JjF GyYGWh1IgXDQObcANz+MEhlg6TNomRY4fg5jLnvwvQmOlzAoBy0yiRGSThqkEjuXzQ6s JJQA==
X-Received: by 10.236.155.7 with SMTP id i7mr34745264yhk.16.1361461283359; Thu, 21 Feb 2013 07:41:23 -0800 (PST)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id v43sm142158252yhm.11.2013.02.21.07.41.21 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 21 Feb 2013 07:41:22 -0800 (PST)
From: Piyush Jain <piyush@ditenity.com>
To: 'Peter Sylvester' <peter.sylvester@edelweb.fr>, pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz> <5124E2AB.5020400@bull.net> <51260A21.2080403@edelweb.fr>
In-Reply-To: <51260A21.2080403@edelweb.fr>
Date: Thu, 21 Feb 2013 07:41:23 -0800
Message-ID: <031e01ce1049$e7f408b0$b7dc1a10$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFU+PKJgpk+Of64p5F/KTAfGYydCwIq0DiUAoDWZGmZUT+ecA==
Content-Language: en-us
X-Gm-Message-State: ALoCoQkIV+zPBaoPX1AKCx9b6ejGdlBt+joqnT7b3ogQDYyRbF3cQ/SdLBR9A+quLJGR+CDJ40HJ
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2013 15:41:24 -0000

Where is the conflict with X.509? There is not eveb a problem with PKIX's
> definitions of concrete values IMO. In fact, PKIX has no semantics
defined,
> just a comment to the ASN.1 syntax.  As Peter Gutman mentioned 'email
> protection' means what?
> There is no conflict IMO with existing specs if one would say:
> 
> - email protection means xyz. If put into and end certficate, then the
cert can
> only
>    be used for that purpose, if put into a CA cert, than this extend the
path
> validation
>    algorithm, such a CA is only supposed to issue certs that have this EKU
in EE
> certs.
> 
The conflict is that some implementations have started deducing the extended
key usage of a certificate based on what EKU is present in other
certificates up in the chain.

Semantic of an extension with OID id-ce-extKeyUsage is clear. 5280 clearly
defines how this extension should be processed and that it applies only to
the certificate in which it is present.
What it does not defined is the meaning of objects contained within the EKU
extension because those meanings are application dependent - however this is
not the point that is being argued.

The way I see it, the purposeIDs that are defined in 5280 do not belong
there. Those definitions should have been part of application protocol
specification.

The fact that some of the purpose IDs are not being enforced by applications
has nothing to do with how applications deduce the purpose associated with a
cert.

v2.23.0 | Report a Bug | By Email