Re: [pkix] RFC 5280 Extended Key Usage - explanation
Russ Housley <housley@vigilsec.com> Mon, 20 November 2023 19:00 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1962C14CF13 for <pkix@ietfa.amsl.com>; Mon, 20 Nov 2023 11:00:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWpxuV5Jopwu for <pkix@ietfa.amsl.com>; Mon, 20 Nov 2023 11:00:39 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 011F3C15153E for <pkix@ietf.org>; Mon, 20 Nov 2023 11:00:39 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 089D711906B; Mon, 20 Nov 2023 14:00:38 -0500 (EST)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id E7B12119612; Mon, 20 Nov 2023 14:00:37 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <F0554924-EDED-4427-8596-279DEB3D3EFF@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_03B15D32-36CC-449E-B424-23B15947B803"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Mon, 20 Nov 2023 14:00:27 -0500
In-Reply-To: <1cc8b53823ff40d7bbfa126478461a43@disig.sk>
Cc: IETF PKIX <pkix@ietf.org>
To: Peter Miškovič <Peter.Miskovic=40disig.sk@dmarc.ietf.org>
References: <1cc8b53823ff40d7bbfa126478461a43@disig.sk>
X-Mailer: Apple Mail (2.3731.700.6)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/q-Q40r-TbZMg5rHYCWVZOmCj4Dk>
Subject: Re: [pkix] RFC 5280 Extended Key Usage - explanation
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2023 19:00:43 -0000
There is a document-signing extended key usage defined in RFC 9336 to resolve this ambiguity. Russ > On Nov 13, 2023, at 2:27 AM, Peter Miškovič <Peter.Miskovic=40disig.sk@dmarc.ietf.org> wrote: > > Hello > > I want to ask you for an explanation of this part of RFC5280: > > 4.2.1.12. Extended use of the key > > "If a certificate contains both a key usage extension and an extended key usage extension, then both extensions MUST be processed independently and the certificate MUST only be used for a purpose consistent with both extensions." > > Means this that if I have the "digitalSignature" extension in the Key Usage certificate and the "id-kp-clientAuth" extension in the Extended Key Usage extension, I can use such certificate for TLS WWW client authentication only and not for digitally signing documents, for example PDF? > > Or it can be understood that I can use such certificate only for digitally signing or TLS WWW client authentication, but not for anything else, e.g. Email protection, code signing? > > What does "then both extensions MUST be processed independently" mean, if I should take into account their common connection as a result? > > Thank you in advance. > > Regards > Peter Miskovic > --------------------------------- > Peter Miskovic > CA Chief Operating Officer > > Disig, a.s. > Zahradnicka 151, 821 08 Bratislava 2, Slovakia > > phone +421 2 208 50 150 > cell phone +421 905 960 345 > peter.miskovic@disig.sk <mailto:peter.miskovic@disig.sk> > www.disig.sk <http://www.disig.sk/>_______________________________________________ > pkix mailing list > pkix@ietf.org <mailto:pkix@ietf.org> > https://www.ietf.org/mailman/listinfo/pkix
- [pkix] RFC 5280 Extended Key Usage - explanation Peter Miškovič
- Re: [pkix] RFC 5280 Extended Key Usage - explanat… Russ Housley
- Re: [pkix] RFC 5280 Extended Key Usage - explanat… Tim Hollebeek
- Re: [pkix] RFC 5280 Extended Key Usage - explanat… Peter Gutmann
- Re: [pkix] RFC 5280 Extended Key Usage - explanat… Tim Hollebeek