IETF Logo Mail Archive

Re: [pkix] EKU for intermediate certificates

"Santosh Chokhani" <santosh.chokhani@gmail.com> Thu, 04 February 2016 15:56 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 139241B31EB for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 07:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tKf4wfiykCFx for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 07:56:49 -0800 (PST)
Received: from mail-pf0-x22f.google.com (mail-pf0-x22f.google.com [IPv6:2607:f8b0:400e:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA6101B3088 for <pkix@ietf.org>; Thu, 4 Feb 2016 07:56:49 -0800 (PST)
Received: by mail-pf0-x22f.google.com with SMTP id w123so49173695pfb.0 for <pkix@ietf.org>; Thu, 04 Feb 2016 07:56:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:thread-index:content-language; bh=xcZ5LsocpXW/xojuYktMZd+HENUvf40zXwnWTq643bE=; b=YMuNnXE9bFpIIc1DpE5BUS8I8f1xOSqRKyyAL4so/yFCedipUrau3Mg43Qir8lx1JG zXWTzYOZZb88yqprk5ISwu2Fk62q04orRFzo5FlOPUjjtu1WWoqAJ4ki0HFoUikZIxYw 07BxPJQNgZIuql4ZlbbW4rVHnZ0dZifo8Yy9Dnbok/LO2Z4dTNzzlILyVn2C0uwU0nwn ak8J9XWa1rGY1H2CI/a2zqU2yPh+9sJonw9XnaKulXEoSrUiptXTFmqpWQofi6vJovym ymQadXMy0tzA+Ttjd6yHvHdw68mqJXlsEniMrgSuxdtOev+eGGgi8ODUC6/RJYisMOvB 8jng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:thread-index:content-language; bh=xcZ5LsocpXW/xojuYktMZd+HENUvf40zXwnWTq643bE=; b=AF9BeTeyeCzjYZWthfmhS8osYkdQPxEUa+wKUfk0CZK6eKWlN8HI8GEgE9T9PSlzgf xm7PzBlEznPIa+yRq0GG4RcB2R4hCzaFf36gUIWbYasF1/IYPEQNd8HSrdavbpCJcFOa SUkfnSlpCu+MJBSqKuKkP3+sg2wBPXZMBFME3Dm5b1LycYjfW2r/4qdgu42DizZ8oNDH UKLFttOMv2pA7Yf6u7uy0wrj6U3V6grayidAgPROzGW4MDi/pfEgGLH/oSLV/XORD0d1 hdY+tRvLLQjRuZENyWYNBQUKJXbZrAPCxmSQSB+3Z2j4MFUppczIOL/4EcSyxF/HYeuB b6Wg==
X-Gm-Message-State: AG10YOTXXmr4nsnmj++ehBWhPpwWCLWASTng1nA4iUKb9XeIHLJ626RvbfS5W9J7/B7u2w==
X-Received: by 10.98.10.65 with SMTP id s62mr11998169pfi.119.1454601409322; Thu, 04 Feb 2016 07:56:49 -0800 (PST)
Received: from SantoshBrain ([27.5.106.227]) by smtp.gmail.com with ESMTPSA id 74sm18154374pfs.33.2016.02.04.07.56.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Feb 2016 07:56:48 -0800 (PST)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Carl Wallace' <carl@redhoundsoftware.com>, 'Koichi Sugimoto' <koichi.sugimoto@globalsign.com>
References: <D2D8B816.4B461%carl@redhoundsoftware.com>
In-Reply-To: <D2D8B816.4B461%carl@redhoundsoftware.com>
Date: Thu, 04 Feb 2016 10:56:46 -0500
Message-ID: <033501d15f64$a8a9e590$f9fdb0b0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0336_01D15F3A.BFD84A60"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJ5YaSIwnsd1g4ynMcxci6hTwbxeJ3MA2Hw
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/iBaWESd4QzhnDUIcc5MdStLG_Dk>
Cc: pkix@ietf.org
Subject: Re: [pkix] EKU for intermediate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 15:56:52 -0000

According the authors of the CABF criteria (I hope they will speak up), the intent of the language is not to make the enforcement of constraint on the certification path mandatory.

 

They simply want the issuer to indicate limitations it imposes on the CA.

 

I am generally sympathetic to enforcement of the constraint on the path, however this is a significant change to the semantics of the extension and path validation engine. 

 

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace
Sent: Thursday, February 4, 2016 8:14 AM
To: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
Cc: pkix@ietf.org
Subject: Re: [pkix] EKU for intermediate certificates

 

in the CAB Forum concept, if there any mechanism to indicate to a compliant validation engine that 5280 EKU semantics ought be used? Allowing a toggle probably beats simply changing the semantics of the extension for all cases. 

 

From: pkix <pkix-bounces@ietf.org <mailto:pkix-bounces@ietf.org> > on behalf of Koichi Sugimoto <koichi.sugimoto@globalsign.com <mailto:koichi.sugimoto@globalsign.com> >
Date: Thursday, February 4, 2016 at 8:08 AM
To: "pkix@ietf.org <mailto:pkix@ietf.org> " <pkix@ietf.org <mailto:pkix@ietf.org> >
Subject: [pkix] EKU for intermediate certificates

 

Hello.

 

I hope the following definition should be changed.

 

>4.2.1.12.  Extended Key Usage

> 

>   This extension indicates one or more purposes for which the certified

>   public key may be used, in addition to or in place of the basic

>   purposes indicated in the key usage extension.  In general, this

>   extension will appear only in end entity certificates.

 

 

Now CABF (CA Browser Forum) specified Extended Key Usage as:

 

P9:

Technically Constrained Subordinate CA Certificate: A Subordinate CA certificate which uses a

combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which the

Subordinate CA Certificate may issue Subscriber or additional Subordinate CA Certificates.

 

P34:

** Generally Extended Key Usage will only appear within end entity certificates (as highlighted in RFC 5280

(4.2.1.12)), however, Subordinate CAs MAY include the extension to further protect relying parties until the

use of the extension is consistent between Application Software Suppliers whose software is used by a

substantial portion of Relying Parties worldwide.

 

P38-39:

For a Subordinate CA Certificate to be considered Technically Constrained, the certificate MUST include an

Extended Key Usage (EKU) extension specifying all extended key usages that the Subordinate CA Certificate is

authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this

extension.

 

Major browsers already support this specification, therefore, the next RFC should reflect this notation, I think.

This notation is very important because we can restrict the range of influence when end-entity certificates are

unwillingly issued by attacks etc.

 

 

Please see below:

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf

 

 

Regards,

Koichi Sugimoto.

_______________________________________________ pkix mailing list pkix@ietf.org <mailto:pkix@ietf.org>  https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email