Re: [pkix] EKU for intermediate certificates
Koichi Sugimoto <koichi.sugimoto@globalsign.com> Fri, 05 February 2016 07:02 UTC
Return-Path: <koichi.sugimoto@globalsign.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D750B1B36DB for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 23:02:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XyVK6WkdZfTY for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 23:02:35 -0800 (PST)
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-pu1apc01on0112.outbound.protection.outlook.com [104.47.126.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5B41B36DA for <pkix@ietf.org>; Thu, 4 Feb 2016 23:02:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.onmicrosoft.com; s=selector1-globalsign-com; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=pbDpK5xKq5mOzloyQpuYqIX/cux497Paf8/vQ8ET38g=; b=sRibdAmDvWw/jOhEDEyvgFKEgdqksUqVHzAMNl46rwOy4zc6JW1gtRTJsnV6rLDJWfXuakB3YdSHksPkDrnqDvVR03FQZIWnv6+41jLcohnFRkjQKYsFzyIF8NYD9XWODVSnmf4dlnmFO9eH0j9HjYIIiuzLoPOr2oS4z1m55q0=
Received: from SG2PR03MB1421.apcprd03.prod.outlook.com (10.169.54.19) by SG2PR03MB1423.apcprd03.prod.outlook.com (10.169.54.21) with Microsoft SMTP Server (TLS) id 15.1.403.16; Fri, 5 Feb 2016 07:02:31 +0000
Received: from SG2PR03MB1421.apcprd03.prod.outlook.com ([10.169.54.19]) by SG2PR03MB1421.apcprd03.prod.outlook.com ([10.169.54.19]) with mapi id 15.01.0403.016; Fri, 5 Feb 2016 07:02:31 +0000
From: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Peter Bowen <pzbowen@gmail.com>, Santosh Chokhani <santosh.chokhani@gmail.com>
Thread-Topic: [pkix] EKU for intermediate certificates
Thread-Index: AQHRX03hkGNTNS3gmEGz8qoiiY6rHJ8cCrAAgAAWcACAAAwhgIAA0eZQ
Date: Fri, 05 Feb 2016 07:02:29 +0000
Message-ID: <SG2PR03MB14211449F1F6A4EB8D91FC269DD20@SG2PR03MB1421.apcprd03.prod.outlook.com>
References: <D2D8B816.4B461%carl@redhoundsoftware.com> <033501d15f64$a8a9e590$f9fdb0b0$@gmail.com> <CAK6vND-mnioLesh-Y6+CP2XBndszVx5yxiBnv6TnrEowcpf8FA@mail.gmail.com> <D2D8FB5B.4B529%carl@redhoundsoftware.com>
In-Reply-To: <D2D8FB5B.4B529%carl@redhoundsoftware.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: redhoundsoftware.com; dkim=none (message not signed) header.d=none;redhoundsoftware.com; dmarc=none action=none header.from=globalsign.com;
x-originating-ip: [27.121.42.217]
x-microsoft-exchange-diagnostics: 1; SG2PR03MB1423; 5:Qu1tTmBhKQAMPXVYUy18fLb9xzREtnvcBXMBYmn6vQBxZp5IbpC/yYSpMTApp/jX6NqIpT51uZVVKhdwjzrEP5oeHGa11P/pAGQc7DoKkxFpcTvIIL3Cj5wDXbDlokCBv9/QuTQpThWTM1rQ0muerA==; 24:U2dD9165iKritpfv2YC/A1adnD3nHyhRL/0kYmzWTX6QSddhnyW8DEmhTp+hqTEDmbslSrjrH/0uDvma0y2vIJ11D2H8GZ32e0in5G/WGQM=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SG2PR03MB1423;
x-ms-office365-filtering-correlation-id: 0f80e244-0c83-4f29-d7b1-08d32dfa50d8
x-microsoft-antispam-prvs: <SG2PR03MB1423D2D4A9F99616FAC9A5369DD20@SG2PR03MB1423.apcprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(239210235332932);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001); SRVR:SG2PR03MB1423; BCL:0; PCL:0; RULEID:; SRVR:SG2PR03MB1423;
x-forefront-prvs: 0843C17679
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(377454003)(164054003)(479174004)(24454002)(86362001)(106116001)(3280700002)(189998001)(3660700001)(19580405001)(19580395003)(15975445007)(122556002)(40100003)(2906002)(77096005)(76576001)(2950100001)(93886004)(2900100001)(5001770100001)(1220700001)(87936001)(1096002)(11100500001)(5008740100001)(74316001)(4326007)(3846002)(5002640100001)(6116002)(50986999)(102836003)(586003)(5004730100002)(5003600100002)(76176999)(66066001)(10400500002)(92566002)(54356999)(33656002)(5001960100002)(15398625002); DIR:OUT; SFP:1102; SCL:1; SRVR:SG2PR03MB1423; H:SG2PR03MB1421.apcprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: globalsign.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Feb 2016 07:02:29.4114 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8fff67c1-8281-4635-b62f-93106cb7a9a8
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2PR03MB1423
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/kfRBuFL0h7SMj-X7oqdQQTUZka4>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 07:02:42 -0000
Hello sirs, I have been facing this interoperability problem for many years. Around 10 years ago, I found BIG-IP had this kind of implementation, but the user support said this implementation was come from Microsoft library. Then, now, all major browsers have this implementation. Even OpenSSL has. I think this implementation is almost de facto standard. If so, why RFC does not change the specification? As for intermediate CA certificates, RFC 5280 says: "In general, this extension will appear only in end entity certificates." Can we change this paragraph like: "If this extension appears in intermediate certificates, ..."? We should think about which is better for the future interoperability, I think. Regards, Koichi Sugimoto. -----Original Message----- From: Carl Wallace [mailto:carl@redhoundsoftware.com] Sent: Friday, February 5, 2016 3:00 AM To: Peter Bowen <pzbowen@gmail.com>; Santosh Chokhani <santosh.chokhani@gmail.com> Cc: Koichi Sugimoto <koichi.sugimoto@globalsign.com>; <pkix@ietf.org> <pkix@ietf.org> Subject: Re: [pkix] EKU for intermediate certificates On 2/4/16, 12:17 PM, "Peter Bowen" <pzbowen@gmail.com> wrote: >The CA/Browser Forum sets standards for Certification Authorities. It >does not set requirements on implementers of path validation. Does this mean there would be no issue with defining a flag to allow for EKU semantics to be selected, since we now have two? Else we will rely on folklore to know which implementations do what. > >That being said, many current web browsers and OS path validation >libraries do enforce such constraints. This includes Microsoft and >Mozilla libraries, which underpin Internet Explorer, Edge, Firefox, and >Chrome/Opera on Windows. > >Thanks, >Peter > >On Thu, Feb 4, 2016 at 7:56 AM, Santosh Chokhani ><santosh.chokhani@gmail.com> wrote: >> According the authors of the CABF criteria (I hope they will speak >>up), the intent of the language is not to make the enforcement of >>constraint on the certification path mandatory. >> >> >> >> They simply want the issuer to indicate limitations it imposes on the >>CA. >> >> >> >> I am generally sympathetic to enforcement of the constraint on the >>path, however this is a significant change to the semantics of the >>extension and path validation engine. >> >> >> >> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace >> Sent: Thursday, February 4, 2016 8:14 AM >> To: Koichi Sugimoto <koichi.sugimoto@globalsign.com> >> Cc: pkix@ietf.org >> Subject: Re: [pkix] EKU for intermediate certificates >> >> >> >> in the CAB Forum concept, if there any mechanism to indicate to a >>compliant validation engine that 5280 EKU semantics ought be used? >>Allowing a toggle probably beats simply changing the semantics of the >>extension for all cases. >> >> >> >> From: pkix <pkix-bounces@ietf.org> on behalf of Koichi Sugimoto >> <koichi.sugimoto@globalsign.com> >> Date: Thursday, February 4, 2016 at 8:08 AM >> To: "pkix@ietf.org" <pkix@ietf.org> >> Subject: [pkix] EKU for intermediate certificates >> >> >> >> Hello. >> >> >> >> I hope the following definition should be changed. >> >> >> >>>4.2.1.12. Extended Key Usage >> >>> >> >>> This extension indicates one or more purposes for which the >>> certified >> >>> public key may be used, in addition to or in place of the basic >> >>> purposes indicated in the key usage extension. In general, this >> >>> extension will appear only in end entity certificates. >> >> >> >> >> >> Now CABF (CA Browser Forum) specified Extended Key Usage as: >> >> >> >> P9: >> >> Technically Constrained Subordinate CA Certificate: A Subordinate CA >> certificate which uses a >> >> combination of Extended Key Usage settings and Name Constraint >>settings to limit the scope within which the >> >> Subordinate CA Certificate may issue Subscriber or additional >>Subordinate CA Certificates. >> >> >> >> P34: >> >> ** Generally Extended Key Usage will only appear within end entity >> certificates (as highlighted in RFC 5280 >> >> (4.2.1.12)), however, Subordinate CAs MAY include the extension to >>further protect relying parties until the >> >> use of the extension is consistent between Application Software >>Suppliers whose software is used by a >> >> substantial portion of Relying Parties worldwide. >> >> >> >> P38-39: >> >> For a Subordinate CA Certificate to be considered Technically >>Constrained, the certificate MUST include an >> >> Extended Key Usage (EKU) extension specifying all extended key usages >>that the Subordinate CA Certificate is >> >> authorized to issue certificates for. The anyExtendedKeyUsage >>KeyPurposeId MUST NOT appear within this >> >> extension. >> >> >> >> Major browsers already support this specification, therefore, the >>next RFC should reflect this notation, I think. >> >> This notation is very important because we can restrict the range of >> influence when end-entity certificates are >> >> unwillingly issued by attacks etc. >> >> >> >> >> >> Please see below: >> >> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf >> >> >> >> >> >> Regards, >> >> Koichi Sugimoto. >> >> _______________________________________________ pkix mailing list >> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix >> >> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org >> https://www.ietf.org/mailman/listinfo/pkix >>
- Re: [pkix] EKU for intermediate certificates 王文正
- Re: [pkix] EKU for intermediate certificates Russ Housley
- [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Santosh Chokhani
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Stephen Farrell
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Rob Stradling
- Re: [pkix] EKU for intermediate certificates Koichi Sugimoto
- Re: [pkix] EKU for intermediate certificates Rob Stradling
- Re: [pkix] EKU for intermediate certificates Carl Wallace
- Re: [pkix] EKU for intermediate certificates Erwann Abalea
- Re: [pkix] EKU for intermediate certificates Erwann Abalea
- Re: [pkix] EKU for intermediate certificates Peter Bowen
- Re: [pkix] EKU for intermediate certificates Peter Bowen