Re: [TLS] [certid] Why require EKU for certid?

"Henry B. Hotz" <hotz@jpl.nasa.gov> Thu, 23 September 2010 17:43 UTC

From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF cert-based identity <certid@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [certid] Why require EKU for certid?
Date: Thu, 23 Sep 2010 10:43:50 -0700
Message-Id: <76232140-6713-416F-8758-8042A82B8857@jpl.nasa.gov>
In-Reply-To: <p0624084ac8bfe10f5b72@[10.20.30.158]>
References: <C8B4E80F.EE82%stefan@aaa-sec.com> <4C9A2D12.3020409@stpeter.im> <p0624084ac8bfe10f5b72@[10.20.30.158]>

On Sep 22, 2010, at 9:44 AM, Paul Hoffman wrote:

> At 10:21 AM -0600 9/22/10, Peter Saint-Andre wrote:
>> On 9/14/10 12:51 AM, Stefan Santesson wrote:
>>> General:
>>> I would consider stating that server certificates according to this profile
>>> either MUST or SHOULD have the serverAuth EKU set since it is always
>>> related to the use of TLS and server authentication. At least it MUST be set
>>> when allowing checks of the CN-ID (see 2.3 below).
>> 
>> [..snip..]
> 
> What possible advantage is there to making certificates that do not have this flag set be excluded from the practices you are defining? That is, if a TLS client gets a certificate from a TLS server that the TLS server says is its authentication certificate, why should the client care whether or not that flag is set? That flag is an assertion from the CA, not from the server who is authenticating.
Does this point need discussion?  Without checking, I suspect that 5280 says you obey the EKU, period.  OTOH I think Paul raises a valid point.

OTOH (again) one could argue that the EKU provides a way to prevent a stolen cert/key issued to the machine for a different function from being repurposed to support a fake server.  (I'm not convinced this is significant, but it's something.)

Absent discussion and consensus, I vote for whatever 5280 says, which I suppose is what the current silence on the topic equates to.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
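As an added illustration of the RFC 5280 rule the message defers to (this is not part of the thread and not any participant's code), the following Python shows the section 4.2.1.12 decision a TLS client makes when it asks whether a server certificate may be used for server authentication: if the Extended Key Usage extension is absent, any purpose is permitted; if it is present, id-kp-serverAuth (1.3.6.1.5.5.7.3.1) or anyExtendedKeyUsage (2.5.29.37.0) must be listed. The code takes the extnValue bytes of the EKU extension as a certificate parser would hand them over, decodes the SEQUENCE OF OBJECT IDENTIFIER itself so it needs no third-party library, and the sample encodings at the bottom are constructed for the example rather than taken from any real certificate. It also shows Henry's repurposing point: a certificate whose EKU lists only clientAuth and codeSigning fails the serverAuth check even though its key and chain are otherwise valid.

```python
"""RFC 5280 Extended Key Usage check for a TLS server certificate.

Decision rule from RFC 5280 section 4.2.1.12: if the EKU extension is
absent the certificate may be used for any purpose; if it is present the
intended purpose (here id-kp-serverAuth) or anyExtendedKeyUsage must be
among the listed purposes. This check complements, and does not replace,
chain validation and the name matching the certid draft defines.
"""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the contents octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = []
    acc = 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 sub-identifier
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    # the first sub-identifier packs the first two arcs as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(extn_value: bytes) -> list:
    """Parse ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) from extnValue."""
    tag, body, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    oids = []
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(val))
    return oids


def acceptable_for_server_auth(extn_value) -> bool:
    """Apply the RFC 5280 rule; extn_value is None when the extension is absent."""
    if extn_value is None:
        return True  # no EKU extension: the certificate is unrestricted
    purposes = parse_eku(extn_value)
    return ID_KP_SERVER_AUTH in purposes or ANY_EXTENDED_KEY_USAGE in purposes


# Constructed sample extnValue encodings (not from any real certificate)
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_CLIENT_AND_CODESIGN = bytes.fromhex("301406082b0601050507030206082b06010505070303")
EKU_ANY = bytes.fromhex("30060604551d2500")

if __name__ == "__main__":
    samples = [("absent", None), ("serverAuth", EKU_SERVER_ONLY),
               ("clientAuth+codeSigning", EKU_CLIENT_AND_CODESIGN), ("any", EKU_ANY)]
    for name, value in samples:
        print(f"{name}: {acceptable_for_server_auth(value)}")
```

The check deliberately ignores the extension's critical flag: RFC 5280 restricts use to the listed purposes whether or not EKU is marked critical, so a client that wants the protection Henry describes has to evaluate the purpose list either way.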