Re: [pkix] EKU for intermediate certificates

Peter Bowen <pzbowen@gmail.com> Thu, 04 February 2016 19:01 UTC

Date: Thu, 04 Feb 2016 11:01:56 -0800
Message-ID: <CAK6vND92jR1H9S+27R7hDgcYLg8pEpf77VxBG0yuAEvWXPNJTA@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/oRk1pNZ4b_rAk942n98BeUmggzw>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] EKU for intermediate certificates

I'm not sure what other kind of flag would work.  I guess you could
have something like the version field with:

flag EkuFlag DEFAULT unspecified

EkuFlag ::=  INTEGER  {  unspecified(0), direct(1), indirect(2)  }

Where direct means the EKU applies to use of the public key in the CA
certificate and indirect applies to use of the public keys down the
chain.

On Thu, Feb 4, 2016 at 10:19 AM, Carl Wallace <carl@redhoundsoftware.com> wrote:
> That rather misses the point, no? But you know that.
>
> On 2/4/16, 1:11 PM, "Peter Bowen" <pzbowen@gmail.com> wrote:
>
>>On Thu, Feb 4, 2016 at 10:00 AM, Carl Wallace <carl@redhoundsoftware.com>
>>wrote:
>>>
>>> On 2/4/16, 12:17 PM, "Peter Bowen" <pzbowen@gmail.com> wrote:
>>>
>>>>The CA/Browser Forum sets standards for Certification Authorities.  It
>>>>does not set requirements on implementers of path validation.
>>>
>>> Does this mean there would be no issue with defining a flag to allow for
>>> EKU semantics to be selected, since we now have two? Else we will rely on
>>> folklore to know which implementations do what.
>>
>>If you are writing your own path validation code, I don't see why not.
>>You are welcome to code however you want.
>>
>>Thanks,
>>Peter
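The two EKU semantics the thread is arguing about, made selectable by a flag modelled on Peter's proposed EkuFlag, as an added example that is not code from the thread or from any of its participants. The Cert class, the EKU names as plain strings, the leaf-first chain order, and leaving the trust anchor out of the check (as RFC 5280 section 6.1 does) are all assumptions of this example.

```python
# Added example: "direct" EKU semantics (RFC 5280: the EKU extension
# restricts only the key in the certificate that carries it) versus
# "indirect" semantics (a CA's EKU also constrains every certificate
# below it, the behaviour the CA/Browser Forum discussion assumes).
from enum import IntEnum
from typing import Optional, Sequence, Set

ANY_EKU = "anyExtendedKeyUsage"   # RFC 5280 anyExtendedKeyUsage value
SERVER_AUTH = "serverAuth"
CLIENT_AUTH = "clientAuth"
CODE_SIGNING = "codeSigning"


class EkuFlag(IntEnum):
    unspecified = 0   # treated like direct, i.e. plain RFC 5280
    direct = 1        # CA EKU applies to the CA cert's own key only
    indirect = 2      # CA EKU also limits what the chain may be used for


class Cert:
    """Constructed stand-in for an X.509 cert: only what the check needs.
    eku=None means the extension is absent."""
    def __init__(self, name: str, eku: Optional[Sequence[str]] = None):
        self.name = name
        self.eku: Optional[Set[str]] = None if eku is None else set(eku)


def eku_permits(cert: Cert, purpose: str) -> bool:
    """Per-certificate test: absent EKU or anyExtendedKeyUsage permits all."""
    return cert.eku is None or ANY_EKU in cert.eku or purpose in cert.eku


def chain_permits(chain: Sequence[Cert], purpose: str,
                  flag: EkuFlag = EkuFlag.unspecified) -> bool:
    """chain is leaf first, then intermediates (trust anchor excluded).
    Returns True if the leaf may be used for `purpose` under `flag`."""
    leaf, cas = chain[0], chain[1:]
    if not eku_permits(leaf, purpose):
        return False
    if flag != EkuFlag.indirect:
        return True                      # direct: CA EKUs are not consulted
    return all(eku_permits(ca, purpose) for ca in cas)


def effective_eku(chain: Sequence[Cert]) -> Optional[Set[str]]:
    """Indirect semantics expressed as a set: the purposes the leaf can
    actually be used for are the intersection over the whole chain.
    None means unconstrained (no cert in the chain limits usage)."""
    result: Optional[Set[str]] = None
    for cert in chain:
        if cert.eku is None or ANY_EKU in cert.eku:
            continue
        result = set(cert.eku) if result is None else result & cert.eku
    return result
```

Under direct semantics the code-signing-only intermediate below still validates a TLS server leaf; under indirect semantics the same chain is rejected, which is exactly the divergence Carl says implementers currently learn from folklore.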