IETF Logo Mail Archive

Re: [pkix] EKU for intermediate certificates

王文正 <wcwang@cht.com.tw> Sat, 06 February 2016 15:54 UTC

Return-Path: <wcwang@cht.com.tw>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A9F61A1AF0 for <pkix@ietfa.amsl.com>; Sat, 6 Feb 2016 07:54:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.134
X-Spam-Level: **
X-Spam-Status: No, score=2.134 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CHARSET_FARAWAY_HEADER=3.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_TW=1.335, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gfQe5ghm-RKj for <pkix@ietfa.amsl.com>; Sat, 6 Feb 2016 07:53:56 -0800 (PST)
Received: from scan13.cht.com.tw (scan13.cht.com.tw [202.39.160.143]) by ietfa.amsl.com (Postfix) with ESMTP id 92EF31A1AE3 for <pkix@ietf.org>; Sat, 6 Feb 2016 07:53:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=cht.com.tw; s=bill; c=relaxed/simple; q=dns/txt; i=@cht.com.tw; t=1454774034; x=1457366034; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=rw1mYGWKm8UY6rhFlHDCM3tq3l12lgSfIZDnZUhlCog=; b=lFlRSfFIxSGKbUFEle+D6/fUGp875bD8SOmuRB+R2BfMydwxmbi0Rk1VYH+OtntU xvr6biv296iytHJLe6gDGxpvCNwQv8MdsCm3+LseS0cHx4tkWIpfp+UBzo+qieyT MwMRnr1x6D4gbEdo3fAp6iSBgYa3FwMQTeR3VtbteW0=;
X-AuditID: 0aa00767-f79516d000006f47-b3-56b61712f04f
Received: from scanrelay3.cht.com.tw ( [10.160.7.108]) by scan13.cht.com.tw (CHT Outgoing ESMTP Mail Server) with SMTP id 5C.31.28487.21716B65; Sat, 6 Feb 2016 23:53:54 +0800 (CST)
Received: from CAS4.app.corp.cht.com.tw (unknown [10.172.18.166]) by scanrelay3.cht.com.tw (Symantec Mail Security) with ESMTP id BC1BDC000088 for <pkix@ietf.org>; Sat, 6 Feb 2016 23:53:54 +0800 (CST)
Received: from MBS6.app.corp.cht.com.tw ([fe80::3178:69dd:b794:fa86]) by CAS4.app.corp.cht.com.tw ([fe80::f179:c93d:e31a:eb23%12]) with mapi id 14.02.0342.003; Sat, 6 Feb 2016 23:53:54 +0800
From: 王文正 <wcwang@cht.com.tw>
To: "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] EKU for intermediate certificates
Thread-Index: AQHRX03rGrFdffLm8UmZ8SqviF14gJ8bhJQAgAAWbwCAAAwigIAA2n2AgAKsj7Y=
Date: Sat, 06 Feb 2016 15:53:54 +0000
Message-ID: <20825998BCB8D84C983674C159E25E75DB4B6C5B@mbs6.app.corp.cht.com.tw>
References: <D2D8B816.4B461%carl@redhoundsoftware.com> <033501d15f64$a8a9e590$f9fdb0b0$@gmail.com> <CAK6vND-mnioLesh-Y6+CP2XBndszVx5yxiBnv6TnrEowcpf8FA@mail.gmail.com> <D2D8FB5B.4B529%carl@redhoundsoftware.com>, <SG2PR03MB14211449F1F6A4EB8D91FC269DD20@SG2PR03MB1421.apcprd03.prod.outlook.com>
In-Reply-To: <SG2PR03MB14211449F1F6A4EB8D91FC269DD20@SG2PR03MB1421.apcprd03.prod.outlook.com>
Accept-Language: en-US, zh-TW
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [202.39.167.17]
Content-Type: multipart/alternative; boundary="_000_20825998BCB8D84C983674C159E25E75DB4B6C5Bmbs6appcorpchtc_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGKsWRmVeSWpSXmKPExsXCtYA9R1dIfFuYwaWLJhYXDxY5MHosWfKT KYAxqoHRJjEvL78ksSRVISW1ONlWKTmjRDclszg5JzEzN7VINzUvXUkhM8VWyURJoSAnMTk1 NzWvxFYpsaAgNS9FyY5LAQPYAJVl5imk5iXnp2TmpdsqeQb761pYmFrqGirZBeSkJhanKiSl KiSmlGUWp6YoJGyQyTh+7x5jwaezjBXTZ55ibWB8s5uxi5GTQ0LAROLA9E4mCFtM4sK99Wxd jFwcQgLbGSXOT/vGDuGcZZS4NmcHVOYQo8ShbQ1gLWwCuhK7Dm9lB7FFBJQlPq/bD2YLC5hK LDg/kbmLkQMobibxr0cWosRPYu2LncwgNouAisSDRcvYQGxeAX+J2z17WSDmr2SSuPx0Ath5 nAKxEu9Of2EFsRkFZCUOvmwHm88sIC5x68l8qLMFJJbsOc8MYYtKvHz8jxVkr4SAokTfYjmI 8nyJjd//Q+0SlDg58wnLBEbRWUgmzUJSNgtJGURcQ+Jb50KoGkWJKd0P2SFsdYndTxqgbG2J ZQtfMy9gZF/FKFicnJhnaKwHjGe95PxcvZLyTYyQNJK+g3H3fMdDjAIcjEo8vAzHt4QJsSaW FVfmAgOVg1lJhFdCYFuYEG9KYmVValF+fFFpTmrxIUZTYGhNZJYSTc4Hpri8knhDY0tjC0Mj AzNjcwsLJXFe8bbMECGBdGACy05NLUgtgulj4uCUamA8vY57avZCnnCZ2w4MrW4nrd1rvfIP 7uZR+eUl9GJS5avVrpN3zir/MI3hDXf6lldtEQ8OmSyTcpqQ9OrxlIyIhGzDmwph3NNueF1c zvq52CFH6Iy/7PRX0cL5T3ctVzvTUbxG7CvvHKMq9eN+hlIMq+edrngTwJlq+/FFX9F18akn z7FrOD5TYinOSDTUYi4qTgQASjJlMjkDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/aYpt23Ea4Ey5nB4kR6QfyND4SPk>
Subject: Re: [pkix] EKU for intermediate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Feb 2016 15:54:03 -0000

The original definition of the EKU field in the X.509 standard is to indicates one or more purposes for which the certified public key may be used, in addition to or in place of
the basic purposes indicated in the key usage extension field. The EKU filed should be used in the same fashion as the Key Usage Extension was used.

Indeed, the EKU field will generally appear only in end entity certificates. That does not means this field can not appear in CA certificates. However, if this field appeared in a CA certificate, I think it should be interpreted as to indicates the purpose for which the CA key may be used (similar to the case where the crlSign key usage bit is specified in the Key Usage Extension) rather than as a 'constraint'.

For example, if some organization define a key purpose OID, say id-kp-doSomeThing and the key purpose OID appears in a CA certificate, it should mean that the CA key can be used to do some thing.

It was unfortunately that some implementations misinterpreted the meaning of an EKU extension in a CA certificate. In their fashion of using the EKU extension as a 'constraint', if id-kp-doSomeThing appears in a CA certificate, it means that the CA key can be used to sign certificates of which associated subject keys can be used to do some thing. This obviously twist the original definition of the EKU field.

The earliest implementation that treated an EKU extension in a CA certificate as a 'constraint' I had been aware of is Microsoft Crypto API (CAPI). As a result, certificate management software in Microsoft Windows Server and Microsoft IE all treated an EKU extension in a CA certificate as a 'constraint'. Unfortunately, some CA vendors believed that Microsoft's treating an EKU extension in a CA certificate as a 'constraint' is a correct interpretation or because they had no choice but to follow Micorsoft's interpretation because in that time Microsoft IE dominated the market and they want their certificates to be compatible with Microsoft IE. It was even unfortunately that other browser vendors also followed the wrong interpretation and treated an EKU extension in a CA certificate as a 'constraint'. In the end, that was why there were many browser vendors and CA vendors voted to add text such as "For a Subordinate CA Certificate to be considered Technically Constrained,  the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the Subordinate CA Certificate is authorized to issue certificates for" in the CA/Browser Forum Baseline Requirements.

I think it is a bad idea to twist the original definition of the EKU field. If the CA/Browser Forum want to use the EKU extension to specify a Subordinate CA is authorized to issue certificates for, the correct way is to define a new key purpose OID rather than adopt the existing PKIX  key purpose OIDs which are defined to be used in end-entity certificates. For example, it the CA/Browser Forum want to use the EKU extension to specify that a Subordinate CA is authorized to issue TLS/SSL certificates, the correct way is to define an CA/Browser key purse OID, say id-cabf-kp-signCertForServerAuth. It is not correct if we use the id-kp-serverAuth OID in a Subordinate CA certificate to specify that the Subordinate CA is authorized to issue TLS/SSL certificates. According to the the original definition of the EKU field in the X.509 standard, that actually means that the the Subordinate CA's key can be used for TLS/SSL server authentication.

Best Regards,
Wen-Cheng Wang

________________________________________
From: pkix [pkix-bounces@ietf.org] on behalf of Koichi Sugimoto [koichi.sugimoto@globalsign.com]
Sent: Friday, February 05, 2016 3:02 PM
To: Carl Wallace; Peter Bowen; Santosh Chokhani
Cc: <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates

Hello sirs,

I have been facing this interoperability problem for many years.
Around 10 years ago, I found BIG-IP had this kind of implementation, but the user support said this implementation was come from Microsoft library.
Then, now, all major browsers have this implementation.
Even OpenSSL has.
I think this implementation is almost de facto standard.
If so, why RFC does not change the specification?

As for intermediate CA certificates, RFC 5280 says:
"In general, this extension will appear only in end entity certificates."
Can we change this paragraph like:
"If this extension appears in intermediate certificates, ..."?
We should think about which is better for the future interoperability, I think.

Regards,
Koichi Sugimoto.


-----Original Message-----
From: Carl Wallace [mailto:carl@redhoundsoftware.com]
Sent: Friday, February 5, 2016 3:00 AM
To: Peter Bowen <pzbowen@gmail.com>; Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: Koichi Sugimoto <koichi.sugimoto@globalsign.com>; <pkix@ietf.org> <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates


On 2/4/16, 12:17 PM, "Peter Bowen" <pzbowen@gmail.com> wrote:

>The CA/Browser Forum sets standards for Certification Authorities. It
>does not set requirements on implementers of path validation.

Does this mean there would be no issue with defining a flag to allow for EKU semantics to be selected, since we now have two? Else we will rely on folklore to know which implementations do what.

>
>That being said, many current web browsers and OS path validation
>libraries do enforce such constraints. This includes Microsoft and
>Mozilla libraries, which underpin Internet Explorer, Edge, Firefox, and
>Chrome/Opera on Windows.
>
>Thanks,
>Peter
>
>On Thu, Feb 4, 2016 at 7:56 AM, Santosh Chokhani
><santosh.chokhani@gmail.com> wrote:
>> According the authors of the CABF criteria (I hope they will speak
>>up), the intent of the language is not to make the enforcement of
>>constraint on the certification path mandatory.
>>
>>
>>
>> They simply want the issuer to indicate limitations it imposes on the
>>CA.
>>
>>
>>
>> I am generally sympathetic to enforcement of the constraint on the
>>path, however this is a significant change to the semantics of the
>>extension and path validation engine.
>>
>>
>>
>> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace
>> Sent: Thursday, February 4, 2016 8:14 AM
>> To: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
>> Cc: pkix@ietf.org
>> Subject: Re: [pkix] EKU for intermediate certificates
>>
>>
>>
>> in the CAB Forum concept, if there any mechanism to indicate to a
>>compliant validation engine that 5280 EKU semantics ought be used?
>>Allowing a toggle probably beats simply changing the semantics of the
>>extension for all cases.
>>
>>
>>
>> From: pkix <pkix-bounces@ietf.org> on behalf of Koichi Sugimoto
>> <koichi.sugimoto@globalsign.com>
>> Date: Thursday, February 4, 2016 at 8:08 AM
>> To: "pkix@ietf.org" <pkix@ietf.org>
>> Subject: [pkix] EKU for intermediate certificates
>>
>>
>>
>> Hello.
>>
>>
>>
>> I hope the following definition should be changed.
>>
>>
>>
>>>4.2.1.12. Extended Key Usage
>>
>>>
>>
>>> This extension indicates one or more purposes for which the
>>> certified
>>
>>> public key may be used, in addition to or in place of the basic
>>
>>> purposes indicated in the key usage extension. In general, this
>>
>>> extension will appear only in end entity certificates.
>>
>>
>>
>>
>>
>> Now CABF (CA Browser Forum) specified Extended Key Usage as:
>>
>>
>>
>> P9:
>>
>> Technically Constrained Subordinate CA Certificate: A Subordinate CA
>> certificate which uses a
>>
>> combination of Extended Key Usage settings and Name Constraint
>>settings to limit the scope within which the
>>
>> Subordinate CA Certificate may issue Subscriber or additional
>>Subordinate CA Certificates.
>>
>>
>>
>> P34:
>>
>> ** Generally Extended Key Usage will only appear within end entity
>> certificates (as highlighted in RFC 5280
>>
>> (4.2.1.12)), however, Subordinate CAs MAY include the extension to
>>further protect relying parties until the
>>
>> use of the extension is consistent between Application Software
>>Suppliers whose software is used by a
>>
>> substantial portion of Relying Parties worldwide.
>>
>>
>>
>> P38-39:
>>
>> For a Subordinate CA Certificate to be considered Technically
>>Constrained, the certificate MUST include an
>>
>> Extended Key Usage (EKU) extension specifying all extended key usages
>>that the Subordinate CA Certificate is
>>
>> authorized to issue certificates for. The anyExtendedKeyUsage
>>KeyPurposeId MUST NOT appear within this
>>
>> extension.
>>
>>
>>
>> Major browsers already support this specification, therefore, the
>>next RFC should reflect this notation, I think.
>>
>> This notation is very important because we can restrict the range of
>> influence when end-entity certificates are
>>
>> unwillingly issued by attacks etc.
>>
>>
>>
>>
>>
>> Please see below:
>>
>> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf
>>
>>
>>
>>
>>
>> Regards,
>>
>> Koichi Sugimoto.
>>
>> _______________________________________________ pkix mailing list
>> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
>>
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>>


_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited.  Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

v2.23.0 | Report a Bug | By Email