Re: [TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)

Santosh Chokhani <> Sat, 12 October 2013 01:16 UTC

From: Santosh Chokhani <>
To: Brian Smith <>, Peter Gutmann <>
Date: Sat, 12 Oct 2013 01:15:57 +0000

The DS bit for an RSA-based TLS server is not appropriate, since the server key is used by the client to encrypt and is never used for digital signature verification.

I thought we set the DS bit in case the server acts as a client.

As to the EC, that should depend on the cipher suite used.  It could be ECDH or ECDSA certificate and that should translate to key agreement or DS bit respectively.

-----Original Message-----
From: [] On Behalf Of Brian Smith
Sent: Friday, October 11, 2013 8:51 PM
To: Peter Gutmann
Cc: <>
Subject: [TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)

On Thu, Oct 3, 2013 at 5:23 AM, Peter Gutmann <> wrote:
> My code, in its default configuration, strictly enforces keyUsage.  
> From this I've found that both applications and CAs can set these bits 
> more or less at random, including completely illogical settings like 
> keyAgreement for RSA keys.  I've also found, through trial-and-error, 
> that many applications completely ignore them and use the keys in 
> whatever way they feel appropriate (the situation for PKCS #12 files 
> in particular is so bad that after fighting it for a while I had to
> turn off checking of keyUsage entirely).  So this isn't a case of
> copying an RSA template, it's broken software generating them and
> equally broken software ignoring them.

Software based on NSS's libssl has a pretty liberal interpretation of keyUsage, and this is something I'd like to correct in Firefox soon.
In particular, I want to encourage CAs to offer ECDSA SSL certificates only with the digitalSignature bit set, and to provide the option to their customers to request RSA certificates with only the digitalSignature bit set. This should provide defense-in-depth from server misconfiguration for websites that want to switch exclusively to ephemeral key exchange.

If you have any more specific information you could share regarding your experience with attempting strict(er) KU enforcement, it would be great if you could share it. (Not just Peter, but everybody.)

Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
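The check this thread is arguing about, written out as an added example (it is not NSS, Firefox or cryptlib code, and not anything the posters supplied): decode the certificate's DER KeyUsage BIT STRING and test it against the single bit the negotiated key-exchange method needs, so that an RSA certificate carrying only digitalSignature passes with (EC)DHE_RSA but fails with static RSA key transport, and an ECDSA certificate needs digitalSignature while a static ECDH certificate needs keyAgreement. The key-exchange method names and the DER sample values are constructed for illustration; the bit assignments follow RFC 5280 and the per-method requirements follow RFC 5246 section 7.4.2 and RFC 4492.

```python
"""Strict keyUsage enforcement for a TLS client (illustrative, not NSS code)."""
from typing import Optional, Set

# KeyUsage bit positions from RFC 5280 4.2.1.3; bit 0 is the MSB of the first octet.
KU_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# keyUsage bit the server certificate needs for each TLS 1.2 key-exchange
# method (RFC 5246 7.4.2, RFC 4492 2); the method names are this example's own.
REQUIRED_KU = {
    "RSA": "keyEncipherment",         # client RSA-encrypts the premaster secret
    "DHE_RSA": "digitalSignature",    # RSA key only signs ServerKeyExchange
    "ECDHE_RSA": "digitalSignature",
    "ECDHE_ECDSA": "digitalSignature",
    "ECDH_ECDSA": "keyAgreement",     # static ECDH public key in the certificate
}

def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a short-form DER BIT STRING (tag 0x03) holding KeyUsage."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("malformed KeyUsage BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bits count")
    total_bits = len(payload) * 8 - unused
    return {name for name, pos in KU_BITS.items()
            if pos < total_bits and payload[pos // 8] & (0x80 >> (pos % 8))}

def key_usage_permits(ku: Optional[Set[str]], kx: str) -> bool:
    """Strict check: the certificate's keyUsage must include the bit kx needs.
    ku is None when the extension is absent, which RFC 5280 treats as unrestricted."""
    if ku is None:
        return True
    return REQUIRED_KU[kx] in ku

# Constructed sample extension values (the DER BIT STRING only, no OID wrapper).
DS_ONLY = bytes.fromhex("03020780")    # digitalSignature
DS_AND_KE = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
KA_ONLY = bytes.fromhex("03020308")    # keyAgreement (illogical on an RSA key)

if __name__ == "__main__":
    for label, der in [("DS only", DS_ONLY), ("DS+KE", DS_AND_KE), ("KA only", KA_ONLY)]:
        ku = decode_key_usage(der)
        verdicts = {kx: key_usage_permits(ku, kx) for kx in REQUIRED_KU}
        print(label, sorted(ku), verdicts)
```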