IETF Logo Mail Archive

Re: [pkix] EKU for intermediate certificates

Koichi Sugimoto <koichi.sugimoto@globalsign.com> Fri, 05 February 2016 07:02 UTC

Return-Path: <koichi.sugimoto@globalsign.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D750B1B36DB for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 23:02:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XyVK6WkdZfTY for <pkix@ietfa.amsl.com>; Thu, 4 Feb 2016 23:02:35 -0800 (PST)
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-pu1apc01on0112.outbound.protection.outlook.com [104.47.126.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5B41B36DA for <pkix@ietf.org>; Thu, 4 Feb 2016 23:02:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.onmicrosoft.com; s=selector1-globalsign-com; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=pbDpK5xKq5mOzloyQpuYqIX/cux497Paf8/vQ8ET38g=; b=sRibdAmDvWw/jOhEDEyvgFKEgdqksUqVHzAMNl46rwOy4zc6JW1gtRTJsnV6rLDJWfXuakB3YdSHksPkDrnqDvVR03FQZIWnv6+41jLcohnFRkjQKYsFzyIF8NYD9XWODVSnmf4dlnmFO9eH0j9HjYIIiuzLoPOr2oS4z1m55q0=
Received: from SG2PR03MB1421.apcprd03.prod.outlook.com (10.169.54.19) by SG2PR03MB1423.apcprd03.prod.outlook.com (10.169.54.21) with Microsoft SMTP Server (TLS) id 15.1.403.16; Fri, 5 Feb 2016 07:02:31 +0000
Received: from SG2PR03MB1421.apcprd03.prod.outlook.com ([10.169.54.19]) by SG2PR03MB1421.apcprd03.prod.outlook.com ([10.169.54.19]) with mapi id 15.01.0403.016; Fri, 5 Feb 2016 07:02:31 +0000
From: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Peter Bowen <pzbowen@gmail.com>, Santosh Chokhani <santosh.chokhani@gmail.com>
Thread-Topic: [pkix] EKU for intermediate certificates
Thread-Index: AQHRX03hkGNTNS3gmEGz8qoiiY6rHJ8cCrAAgAAWcACAAAwhgIAA0eZQ
Date: Fri, 05 Feb 2016 07:02:29 +0000
Message-ID: <SG2PR03MB14211449F1F6A4EB8D91FC269DD20@SG2PR03MB1421.apcprd03.prod.outlook.com>
References: <D2D8B816.4B461%carl@redhoundsoftware.com> <033501d15f64$a8a9e590$f9fdb0b0$@gmail.com> <CAK6vND-mnioLesh-Y6+CP2XBndszVx5yxiBnv6TnrEowcpf8FA@mail.gmail.com> <D2D8FB5B.4B529%carl@redhoundsoftware.com>
In-Reply-To: <D2D8FB5B.4B529%carl@redhoundsoftware.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: redhoundsoftware.com; dkim=none (message not signed) header.d=none;redhoundsoftware.com; dmarc=none action=none header.from=globalsign.com;
x-originating-ip: [27.121.42.217]
x-microsoft-exchange-diagnostics: 1; SG2PR03MB1423; 5:Qu1tTmBhKQAMPXVYUy18fLb9xzREtnvcBXMBYmn6vQBxZp5IbpC/yYSpMTApp/jX6NqIpT51uZVVKhdwjzrEP5oeHGa11P/pAGQc7DoKkxFpcTvIIL3Cj5wDXbDlokCBv9/QuTQpThWTM1rQ0muerA==; 24:U2dD9165iKritpfv2YC/A1adnD3nHyhRL/0kYmzWTX6QSddhnyW8DEmhTp+hqTEDmbslSrjrH/0uDvma0y2vIJ11D2H8GZ32e0in5G/WGQM=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SG2PR03MB1423;
x-ms-office365-filtering-correlation-id: 0f80e244-0c83-4f29-d7b1-08d32dfa50d8
x-microsoft-antispam-prvs: <SG2PR03MB1423D2D4A9F99616FAC9A5369DD20@SG2PR03MB1423.apcprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(239210235332932);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001); SRVR:SG2PR03MB1423; BCL:0; PCL:0; RULEID:; SRVR:SG2PR03MB1423;
x-forefront-prvs: 0843C17679
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(377454003)(164054003)(479174004)(24454002)(86362001)(106116001)(3280700002)(189998001)(3660700001)(19580405001)(19580395003)(15975445007)(122556002)(40100003)(2906002)(77096005)(76576001)(2950100001)(93886004)(2900100001)(5001770100001)(1220700001)(87936001)(1096002)(11100500001)(5008740100001)(74316001)(4326007)(3846002)(5002640100001)(6116002)(50986999)(102836003)(586003)(5004730100002)(5003600100002)(76176999)(66066001)(10400500002)(92566002)(54356999)(33656002)(5001960100002)(15398625002); DIR:OUT; SFP:1102; SCL:1; SRVR:SG2PR03MB1423; H:SG2PR03MB1421.apcprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: globalsign.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Feb 2016 07:02:29.4114 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8fff67c1-8281-4635-b62f-93106cb7a9a8
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2PR03MB1423
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/kfRBuFL0h7SMj-X7oqdQQTUZka4>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 07:02:42 -0000

Hello sirs,

I have been facing this interoperability problem for many years.
Around 10 years ago, I found BIG-IP had this kind of implementation, but the user support said this implementation was come from Microsoft library.
Then, now, all major browsers have this implementation.
Even OpenSSL has.
I think this implementation is almost de facto standard.
If so, why RFC does not change the specification?

As for intermediate CA certificates, RFC 5280 says:
"In general, this extension will appear only in end entity certificates."
Can we change this paragraph like:
"If this extension appears in intermediate certificates, ..."?
We should think about which is better for the future interoperability, I think.

Regards,
Koichi Sugimoto.


-----Original Message-----
From: Carl Wallace [mailto:carl@redhoundsoftware.com] 
Sent: Friday, February 5, 2016 3:00 AM
To: Peter Bowen <pzbowen@gmail.com>; Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: Koichi Sugimoto <koichi.sugimoto@globalsign.com>; <pkix@ietf.org> <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates


On 2/4/16, 12:17 PM, "Peter Bowen" <pzbowen@gmail.com> wrote:

>The CA/Browser Forum sets standards for Certification Authorities.  It 
>does not set requirements on implementers of path validation.

Does this mean there would be no issue with defining a flag to allow for EKU semantics to be selected, since we now have two? Else we will rely on folklore to know which implementations do what.

>
>That being said, many current web browsers and OS path validation 
>libraries do enforce such constraints.  This includes Microsoft and 
>Mozilla libraries, which underpin Internet Explorer, Edge, Firefox, and 
>Chrome/Opera on Windows.
>
>Thanks,
>Peter
>
>On Thu, Feb 4, 2016 at 7:56 AM, Santosh Chokhani 
><santosh.chokhani@gmail.com> wrote:
>> According the authors of the CABF criteria (I hope they will speak 
>>up), the  intent of the language is not to make the enforcement of 
>>constraint on the  certification path mandatory.
>>
>>
>>
>> They simply want the issuer to indicate limitations it imposes on the 
>>CA.
>>
>>
>>
>> I am generally sympathetic to enforcement of the constraint on the 
>>path,  however this is a significant change to the semantics of the 
>>extension and  path validation engine.
>>
>>
>>
>> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Carl Wallace
>> Sent: Thursday, February 4, 2016 8:14 AM
>> To: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
>> Cc: pkix@ietf.org
>> Subject: Re: [pkix] EKU for intermediate certificates
>>
>>
>>
>> in the CAB Forum concept, if there any mechanism to indicate to a 
>>compliant  validation engine that 5280 EKU semantics ought be used? 
>>Allowing a toggle  probably beats simply changing the semantics of the 
>>extension for all cases.
>>
>>
>>
>> From: pkix <pkix-bounces@ietf.org> on behalf of Koichi Sugimoto 
>> <koichi.sugimoto@globalsign.com>
>> Date: Thursday, February 4, 2016 at 8:08 AM
>> To: "pkix@ietf.org" <pkix@ietf.org>
>> Subject: [pkix] EKU for intermediate certificates
>>
>>
>>
>> Hello.
>>
>>
>>
>> I hope the following definition should be changed.
>>
>>
>>
>>>4.2.1.12.  Extended Key Usage
>>
>>>
>>
>>>   This extension indicates one or more purposes for which the 
>>> certified
>>
>>>   public key may be used, in addition to or in place of the basic
>>
>>>   purposes indicated in the key usage extension.  In general, this
>>
>>>   extension will appear only in end entity certificates.
>>
>>
>>
>>
>>
>> Now CABF (CA Browser Forum) specified Extended Key Usage as:
>>
>>
>>
>> P9:
>>
>> Technically Constrained Subordinate CA Certificate: A Subordinate CA 
>> certificate which uses a
>>
>> combination of Extended Key Usage settings and Name Constraint 
>>settings to  limit the scope within which the
>>
>> Subordinate CA Certificate may issue Subscriber or additional 
>>Subordinate CA  Certificates.
>>
>>
>>
>> P34:
>>
>> ** Generally Extended Key Usage will only appear within end entity 
>> certificates (as highlighted in RFC 5280
>>
>> (4.2.1.12)), however, Subordinate CAs MAY include the extension to 
>>further  protect relying parties until the
>>
>> use of the extension is consistent between Application Software 
>>Suppliers  whose software is used by a
>>
>> substantial portion of Relying Parties worldwide.
>>
>>
>>
>> P38-39:
>>
>> For a Subordinate CA Certificate to be considered Technically 
>>Constrained,  the certificate MUST include an
>>
>> Extended Key Usage (EKU) extension specifying all extended key usages 
>>that  the Subordinate CA Certificate is
>>
>> authorized to issue certificates for. The anyExtendedKeyUsage 
>>KeyPurposeId  MUST NOT appear within this
>>
>> extension.
>>
>>
>>
>> Major browsers already support this specification, therefore, the 
>>next RFC  should reflect this notation, I think.
>>
>> This notation is very important because we can restrict the range of 
>> influence when end-entity certificates are
>>
>> unwillingly issued by attacks etc.
>>
>>
>>
>>
>>
>> Please see below:
>>
>> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf
>>
>>
>>
>>
>>
>> Regards,
>>
>> Koichi Sugimoto.
>>
>> _______________________________________________ pkix mailing list 
>> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
>>
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>>

v2.23.0 | Report a Bug | By Email